Decode JWT without validation and find scope

Question

I need to decode my JWT token and check if the scope is a "Doctor".

I know very little about GO, but I just need to write a tiny snippet in my application to extend an existing application so it needs to be written in GO.

This was my attempt at decoding the token and checking if "Doctor" was in the decoded token as I wasn't able to access the scope exclusively.

for k, v := range props {
        token_value := fmt.Sprint(v)
        token_key := fmt.Sprint(cfg.AuthKey)
        if (k == "custom_token_header") && strings.Contains(token_value, token_key) {
            if token, _ := jwt.Parse(token_value, nil); token != nil {
                parsed_token := fmt.Sprint(token)
                log.Infof("Parsed token: " ,parsed_token)
                if strings.Contains(parsed_token, "Doctor")  {
                    log.Infof("user is a Doctor, perform checks...")
                    loc, _ := time.LoadLocation("GMT")
                    now := time.Now().In(loc)
                    hr, _, _ := now.Clock()
                    if hr >= 9 && hr < 5 {
                        log.Infof("success, inside of work hours!!")
                        return &v1beta1.CheckResult{
                            Status: status.OK,
                        }, nil
                    }
                    log.Infof("failure; outside of work hours!!")
                    return &v1beta1.CheckResult{
                        Status: status.WithPermissionDenied("Unauthorized..."),
                    }, nil
                }
            }
            log.Infof("success, as you're not a doctor!!")
            return &v1beta1.CheckResult{
                Status: status.OK,
            }, nil
        }
    }

It's working fine outside of my app, but when run inside my app it's being strange and giving back this <nil> map[] <nil> false for where the claims would be, but when run outside the app it gives me

map[alg:RS256 kid:NUVGODIxQThBQkY2NjExQjgzMEJEMjVBQTc3QThBNTY4QTY3MzhEMA typ:JWT] map[aud:https://rba.com/doctor azp:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh exp:1.55546266e+09 gty:client-credentials iat:1.55537626e+09 iss:https://jor2.eu.auth0.com/ scope:Doctor sub:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh@clients]  false

Thanks to devdotlog I was able to get this working with this change:

for k, v := range props {
        tokenString := fmt.Sprint(v)
        tokenKey := fmt.Sprint(cfg.AuthKey)
        if (k == "custom_token_header") && strings.Contains(tokenString, tokenKey) {
            tokenString = strings.Replace(tokenString, "Bearer ", "", -1)
            token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
            if err != nil {
                fmt.Println(err)
                return nil, nil
            }
            if claims, ok := token.Claims.(jwt.MapClaims); ok {
                tokenScope := fmt.Sprint(claims["scope"])
                log.Infof("Scope: ", tokenScope)
                if tokenScope == "Doctor" {
                    log.Infof("user is a Doctor, perform checks...")
                    loc, _ := time.LoadLocation("GMT")
                    now := time.Now().In(loc)
                    hr, _, _ := now.Clock()
                    if hr >= 9 && hr < 5 {
                        log.Infof("success, inside of work hours!!")
                        return &v1beta1.CheckResult{
                            Status: status.OK,
                        }, nil
                    }
                    log.Infof("failure; outside of work hours!!")
                    return &v1beta1.CheckResult{
                        Status: status.WithPermissionDenied("Unauthorized..."),
                    }, nil
                }
                fmt.Println(claims["scope"])
            } else {
                fmt.Println(err)
            }
            log.Infof("success, as you're not a doctor!!")
            return &v1beta1.CheckResult{
                Status: status.OK,
            }, nil
        }
    }

so, what's the problem? any errors or just looking for optimisations? — Ewan, Apr 16 '19 at 00:50

score 16 · Accepted Answer · edited Jun 20 '20 at 09:12

You use github.com/dgrijalva/jwt-go. That's right?

You use ParseUnverified(https://godoc.org/github.com/dgrijalva/jwt-go#Parser.ParseUnverified) without validation.

Below code is ParseUnverified()' example.

package main

import (
    "fmt"

    "github.com/dgrijalva/jwt-go"
)

func main() {
    // This token is expired
    var tokenString = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"

    token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
    if err != nil {
        fmt.Println(err)
        return
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        fmt.Println(claims["foo"], claims["exp"])
    } else {
        fmt.Println(err)
    }
}

ParseUnverified() only use for debug.

WARNING: Don't use this method unless you know what you're doing

This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.

Yes, that is correct. It's working fine outside of my app, but when run inside my app it's being strange and giving back this ` map[] false` for where the claims would be, but when run outside the app it gives me `map[alg:RS256 kid:NUVGODIxQThBQkY2NjExQjgzMEJEMjVBQTc3QThBNTY4QTY3MzhEMA typ:JWT] map[aud:https://rba.com/doctor azp:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh exp:1.55546266e+09 gty:client-credentials iat:1.55537626e+09 iss:https://jor2.eu.auth0.com/ scope:Doctor sub:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh@clients] false`.I will give your approach a go now, thanks. — jor2, Apr 16 '19 at 01:29

Decode JWT without validation and find scope

1 Answers1