Decode encrypted appSession cookie in go middleware

I have an application that has a Next.js web app backed by a Go (Echo server) backend service.

From the UI/browser, when the API call goes Browser → Next.js web app → Go backend service, I can extract the access_token and id_token from the session in the web app and pass them as the Authorization header when making the call to my Go backend service. This works fine.

But when the API call goes from the UI/browser directly to my Go backend service (Browser → Go backend service), the backend service doesn't get the Authorization header and instead gets an encrypted cookie with an "appSession" property. Something like this:
[Next-Locale=en appSession=eyJhbGciOiJkaXIi<……>YxN30…gYfzF8D6fWw<……>k2zimuwvUg.VmXY<….>unzw]

My question is: how do I decrypt/parse (or otherwise use) this cookie to get the access_token and id_token, or use this cookie somehow to call the /userinfo or /oauth/token endpoints in Auth0?

I tried something in Go to decrypt the cookie, trying to reverse engineer the way I think it gets encrypted in the nextjs-auth0 library.

package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"log"

	"github.com/go-jose/go-jose/v3"
	"golang.org/x/crypto/hkdf"
)

func main() {
	// Define your initial keying material (IKM) and salt
	ikm := []byte("XXX") // XXX is the AUTH0_SECRET from my .env file. Based on how they suggest to set up AUTH0_SECRET here https://auth0.com/docs/quickstart/webapp/nextjs/01-login#configure-the-sdk
	salt := []byte("")

	// Create a new HKDF instance with SHA-256 as the hash function
	hkdfReader := hkdf.New(sha256.New, ikm, salt, []byte("JWE CKE"))

	// Derive a key of length 32 bytes
	key := make([]byte, 32)
	if _, err := io.ReadFull(hkdfReader, key); err != nil {
		panic(err)
	}

	fmt.Printf("Derived key: %x\n", key)

	jweRaw := "eyJhbGciOiJkaXIi<……>YxN30…gYfzF8D6fWw<...>k2zimuwvUg.VmXY<….>unzw" // appSession value from Cookie
	jwe, err := jose.ParseEncrypted(jweRaw)
	if err != nil {
		// jwe is nil on a parse error, so stop here instead of dereferencing it below
		log.Fatalf("failed to parse jweRaw: %v", err)
	}
	decrypted, err := jwe.Decrypt(key)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(decrypted))
}

But with this I get the following error when calling Decrypt:

panic: go-jose/go-jose: error in cryptographic primitive

Hi, could someone from Auth0 support please take a look at this? Thanks.

Hi @auth_learner,

Welcome to the Auth0 Community.

You can try this Go API SDK Quickstart. It should put you on the right track.

If you have any other questions, feel free to reach out.

Have a good one,
Vlad
