Go Authorization: Scoped API not working

I have been working through the Authorization documentation for Go (https://auth0.com/docs/quickstart/backend/golang/01-authorization) as I would like to have a set of private Go APIs and integrate this with Vue SPA. It is necessary that these APIs are scoped and when I got to this section within the documentation, this is where things stopped working.

In the code the checkScope function is called

token, error := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func (token *jwt.Token) (interface{}, error) {

An error is returned:

json: cannot unmarshal array into Go struct field CustomClaims.aud of type string

This seems to be caused, because it expects a string instead of an array for ‘aud’.
So the questions I have are:

  1. Is there always an array returned?
  2. How is it possible to get this to work?
  3. Is it just a bug within the jwt-go module? If so, what other approach should be used? (Documentation update?)

Thanks in advance

Hi @mattwatson,

Welcome to the Community!

Can you look at the aud claim and tell us what it is (or an example)?

Hi Dan,

Thanks for responding.

So here’s part of the token with aud as an array with some additional information about scope.

map[aud:[https://xxxxxxx.xxxx.xxx https://xxxxxx.us.auth0.com/userinfo] iss:https://xxxxxx.us.auth0.com/ permissions:[read:totals] scope:openid profile email read:totals]

From what I’ve read online, the unmarshal error arises from ParseWithClaims expecting a string value for aud which is part of the jwt-go module (https://github.com/dgrijalva/jwt-go/issues/348). Unfortunately there is no official release to fix this problem and so this complicates matters unless we move to more “up-to-date” forks of the module (https://github.com/form3tech-oss/jwt-go).

Thanks

I’m not sure there is much we can do on our side if that is the case. It seems to be more on the side of the module. Let us know if there is anything else we can do.

As a bare minimum, it would be helpful to update the documentation to warn those about the problem. However, surely this is a fairly normal use case (SPA with private API)? I guess there aren’t as many people using golang as their backend API

It looks like you submitted an issue to the quickstart on github, which is perfect. The SDK team should handle it from there. Their response might have been a bit delayed because of the holidays, but they should reach out soon. If they don’t let me know and I will ping them.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.