Go Authorization: Scoped API not working

mattwatson · December 31, 2020, 8:29am

I have been working through the Authorization documentation for Go (Auth0 Go API SDK Quickstarts: Authorization) as I would like to have a set of private Go APIs and integrate this with Vue SPA. It is necessary that these APIs are scoped and when I got to this section within the documentation, this is where things stopped working.

In the code the checkScope function is called

token, error := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func (token *jwt.Token) (interface{}, error) {

An error is returned:

json: cannot unmarshal array into Go struct field CustomClaims.aud of type string

This seems to be caused, because it expects a string instead of an array for ‘aud’.
So the questions I have are:

Is there always an array returned?
How is it possible to get this to work?
Is it just a bug within the jwt-go module? If so, what other approach should be used? (Documentation update?)

Thanks in advance

dan.woda · December 31, 2020, 5:36pm

Hi @mattwatson,

Welcome to the Community!

Can you look at the aud claim and tell us what it is (or an example)?

mattwatson · January 4, 2021, 11:58am

Hi Dan,

Thanks for responding.

So here’s part of the token with aud as an array with some additional information about scope.

map[aud:[https://xxxxxxx.xxxx.xxx https://xxxxxx.us.auth0.com/userinfo] iss:https://xxxxxx.us.auth0.com/ permissions:[read:totals] scope:openid profile email read:totals]

From what I’ve read online, the unmarshal error arises from ParseWithClaims expecting a string value for aud which is part of the jwt-go module (ParseWithClaims: getting json error when processing JWT that has multiple values for audience · Issue #348 · dgrijalva/jwt-go · GitHub). Unfortunately there is no official release to fix this problem and so this complicates matters unless we move to more “up-to-date” forks of the module (GitHub - form3tech-oss/jwt-go: ARCHIVED Golang implementation of JSON Web Tokens (JWT). This project is now being maintained at: https://github.com/golang-jwt/jwt).

Thanks

dan.woda · January 4, 2021, 11:20pm

I’m not sure there is much we can do on our side if that is the case. It seems to be more on the side of the module. Let us know if there is anything else we can do.

mattwatson · January 5, 2021, 8:12am

As a bare minimum, it would be helpful to update the documentation to warn those about the problem. However, surely this is a fairly normal use case (SPA with private API)? I guess there aren’t as many people using golang as their backend API

dan.woda · January 5, 2021, 8:40pm

It looks like you submitted an issue to the quickstart on github, which is perfect. The SDK team should handle it from there. Their response might have been a bit delayed because of the holidays, but they should reach out soon. If they don’t let me know and I will ping them.

system · January 20, 2021, 8:40pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.