Decoding Claims in Go

Not sure what I missed in the various hints?

I have an action:

It is triggered:

In the Action Details it is logged:

But there are no claims when I decode the token in Go?

package main

import (
	"encoding/json"
	"log"
	"net/http"
	"net/url"
)

// app.authenticator is the OP's OAuth2/OIDC client wrapper (its type is not shown in the post);
// it provides Exchange (authorization code -> token) and VerifyIDToken (token -> verified ID token).
func (app *application) CallbackHandler(w http.ResponseWriter, r *http.Request) {
	// Retrieve the authorization code from the URL
	code := r.URL.Query().Get("code")
	if code == "" {
		http.Error(w, "Authorization code not found", http.StatusBadRequest)
		return
	}

	// Exchange the authorization code for an OAuth2 token; the request context is used so
	// the exchange is cancelled if the client goes away
	token, err := app.authenticator.Exchange(r.Context(), code)
	if err != nil {
		http.Error(w, "Failed to exchange authorization code for token", http.StatusUnauthorized)
		return
	}

	// Verify the ID token to ensure its validity
	idToken, err := app.authenticator.VerifyIDToken(r.Context(), token)
	if err != nil {
		http.Error(w, "Failed to verify ID token", http.StatusInternalServerError)
		return
	}

	// Extract all claims from the ID token, including custom claims
	var claims map[string]interface{}
	if err := idToken.Claims(&claims); err != nil {
		http.Error(w, "Failed to parse token claims: "+err.Error(), http.StatusInternalServerError)
		return
	}

	// Marshal the claims to JSON for debugging purposes
	claimsJSON, err := json.MarshalIndent(claims, "", "  ")
	if err != nil {
		http.Error(w, "Error marshaling claims to JSON", http.StatusInternalServerError)
		return
	}

	// Log all claims, including custom claims
	log.Printf("All claims: %s", claimsJSON)

	// For debug purposes, you can also print specific custom claims if needed
	// For example, if you have a custom claim like "https://example.com/roles"
	if roles, ok := claims["https://example.com/roles"].([]interface{}); ok {
		log.Printf("Custom roles claim: %v", roles)
	}

	// URL-encode the JSON string before storing it in the cookie
	encodedClaims := url.QueryEscape(string(claimsJSON))

	// Set the profile as a URL-encoded JSON string in a cookie
	http.SetCookie(w, &http.Cookie{
		Name:  "profile",
		Value: encodedClaims,
		Path:  "/",
	})

	// Set the access token in a cookie (not URL-encoded, assuming no special chars).
	// HttpOnly keeps the bearer token out of reach of page scripts.
	http.SetCookie(w, &http.Cookie{
		Name:     "access_token",
		Value:    token.AccessToken,
		Path:     "/",
		HttpOnly: true,
	})

	// Redirect the user to the /user page
	http.Redirect(w, r, "/user", http.StatusSeeOther)
}

This is my debugging output:

2024/10/15 15:47:13 All token claims: map[aud:TDYhP3biGOpoIOPzmpcZJecfiILUPxWb exp:1.729036033e+09 iat:1.729000033e+09 iss:https://dropfeed.eu.auth0.com/ name:kb@v01.io nickname:kb picture:https://s.gravatar.com/avatar/bfe95aac9fc1da8664b2c8780927e381?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fkb.png sid:5CVgEjd67DXlXvNHfSLCeN1uF2C3zR4t sub:auth0|6708260ee90e2ada4ea5f232 updated_at:2024-10-15T13:47:12.126Z]
time=2024-10-15T15:47:13.324+02:00 level=INFO msg="ID Token claims:" !BADKEY="map[aud:TDYhP3biGOpoIOPzmpcZJecfiILUPxWb exp:1.729036033e+09 iat:1.729000033e+09 iss:https://dropfeed.eu.auth0.com/ name:kb@v01.io nickname:kb picture:https://s.gravatar.com/avatar/bfe95aac9fc1da8664b2c8780927e381?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fkb.png sid:5CVgEjd67DXlXvNHfSLCeN1uF2C3zR4t sub:auth0|6708260ee90e2ada4ea5f232 updated_at:2024-10-15T13:47:12.126Z]"

Hi @kb_dropfeed

Welcome to the Auth0 Community!

Can you check if you can see the JWT claims → https://jwt.io/

Thanks
Dawid

Good idea to debug this!

Sadly: no, it is not.

{
  "nickname": "kb",
  "name": "kb@v01.io",
  "picture": "https://s.gravatar.com/avatar/bfe95aac9fc1da8664b2c8780927e381?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fkb.png",
  "updated_at": "2024-10-15T15:47:03.079Z",
  "iss": "https://dropfeed.eu.auth0.com/",
  "aud": "TDYhP3biGOpoIOPzmpcZJecfiILUPxWb",
  "iat": 1729007223,
  "exp": 1729043223,
  "sub": "auth0|6708260ee90e2ada4ea5f232",
  "sid": "Ioisqk7m598R_V8ZTuOD8UuJSqKtGc1H"
}

Hi @kb_dropfeed

The clue to the issue can be that you are checking the id_token but adding custom claims to the access token.

Add this line above line 10:

api.idToken.setCustomClaim('custom_email_claim', event.user.email)

You should now see claims for both the ID and access token.

ID Token vs Access Token

Thanks
Dawid

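Added example, not code from the thread or from Auth0's SDKs: a small Go program that decodes the payload of an ID token and an access token the way jwt.io does (without verifying the signature) and reports which of the two carries a custom claim, the check that pinpoints a setCustomClaim call aimed at the wrong token. The tokens, issuer and claim values are constructed for the demo; signature verification stays with the OIDC library as in the handler above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// decodePayload base64url-decodes a compact JWT's payload segment, as jwt.io does. It does
// NOT verify the signature: use it to see which claims a token carries, never to trust them.
func decodePayload(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: got %d segments, want 3", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("parsing payload JSON: %w", err)
	}
	return claims, nil
}

// hasClaim reports whether the token's payload carries the named claim (e.g. a custom one).
func hasClaim(token, claim string) (bool, error) {
	claims, err := decodePayload(token)
	if err != nil {
		return false, err
	}
	_, ok := claims[claim]
	return ok, nil
}

// fakeJWT builds a constructed, unsigned token for the demo (placeholder signature segment).
func fakeJWT(claims map[string]any) string {
	body, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	// Constructed tokens mirroring the thread: the custom claim was set on the access token only.
	idTok := fakeJWT(map[string]any{"iss": "https://EXAMPLE.auth0.com/", "sub": "auth0|example"})
	accTok := fakeJWT(map[string]any{"sub": "auth0|example", "custom_email_claim": "kb@example.com"})
	fmt.Println(hasClaim(idTok, "custom_email_claim"))  // false <nil>: this is the token the handler reads
	fmt.Println(hasClaim(accTok, "custom_email_claim")) // true <nil>
}
```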

Got it. I was adding the claims to the access token, but I was using the ID token in my code.

I fixed it by adding the claims to the ID token!

Thank you very much!

