JWT and NaCl Tokens


From jwt.io, creating a JSON Web Token is pretty straightforward. However, using jwt-go from Dave Grijalva feels more of an an exercise in operations than as an exercise in development.  When reading a documentation, you want a complete example, not a code snippet that forces you to understand the code. A library is supposed to be a black box with a fully-documented interface and with a tested running example.

Coming from a NodeJS background using jsonwebtoken from Auth0, I expect creating a token using HMAC with just a plain string as key. I do not question jwt.go’s design since this is subjective but consider its example:

// Create the token
token := jwt.New(jwt.SigningMethodHS256)
// Set some claims
token.Claims[“foo”] = “bar”
token.Claims[“exp”] = time.Now().Add(time.Hour * 72).Unix()
// Sign and get the complete encoded token as a string
tokenString, err := token.SignedString(mySigningKey)

What is that mySigningKey?

You have no choice but to understand the underlying code. It turns out the key must be PEM-encoded. At least, jwt-go could have written a helper function like GenerateKey() or the like.

Using RSA for signing the token is straightforward. I stumbled upon keycrypt just to do that.

1) keycrypt create priv.key

2) openssl pkcs8 -in priv.key -out priv.pem

As I like to say,

If you don’t like something, build your own.

Based on reading jwt-go and the simplicity of jsonwebtoken, I have come to write a keep-it-simple JWT library although just a subset of the specifications. Here are some features (or lack thereof):

– HMAC only algorithm

– No “kid” implementation

– “none” algorithm in JWT header is an error

– optional encryption of claims

– helper functions to set expiry in claims

– just 4 API calls (Sign, Verify, GenerateKey and Expires helper functions)

I want a dev-friendly JWT library without too much hassle of RSA keys.

Go get it at https://github.com/ibmendoza/jwt

If you want an even simpler alternative to JWT with always-encryption of claims, then try salt at https://github.com/ibmendoza/salt



Subjectivity aside, leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s