From jwt.io, creating a JSON Web Token is pretty straightforward. However, using jwt-go from Dave Grijalva feels more like an exercise in operations than an exercise in development. When reading documentation, you want a complete example, not a code snippet that forces you to understand the code. A library is supposed to be a black box with a fully documented interface and a tested, running example.
Coming from a NodeJS background using jsonwebtoken from Auth0, I expect to create a token using HMAC with just a plain string as the key. I do not question jwt-go's design, since this is subjective, but consider its example:
// Create the token
token := jwt.New(jwt.SigningMethodHS256)
// Set some claims
token.Claims["foo"] = "bar"
token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()
// Sign and get the complete encoded token as a string
tokenString, err := token.SignedString(mySigningKey)
What is that mySigningKey?
You have no choice but to understand the underlying code. It turns out the key must be PEM-encoded. At the very least, jwt-go could have provided a helper function such as GenerateKey().
Using RSA for signing the token is straightforward. I stumbled upon keycrypt just to do that.
1) keycrypt create priv.key
2) openssl pkcs8 -in priv.key -out priv.pem
As I like to say,
If you don’t like something, build your own.
Based on reading jwt-go and the simplicity of jsonwebtoken, I have written a keep-it-simple JWT library, although it covers just a subset of the specification. Here are some features (or lack thereof):
– HMAC only algorithm
– No “kid” implementation
– “none” algorithm in JWT header is an error
– optional encryption of claims
– helper functions to set expiry in claims
– just 4 API calls (Sign, Verify, GenerateKey and Expires helper functions)
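The design choices in this list (HMAC only, "none" treated as an error, expiry carried in the claims) can be shown with the Go standard library alone. This is an added example, not code from ibmendoza/jwt or jwt-go; the names Sign, Verify and tag, their signatures, and the key and claims in main are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// tag returns the base64url HMAC-SHA256 of the signing input.
func tag(msg string, key []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// Sign wraps claims JSON in an HS256 token; the header is fixed, never caller-chosen.
func Sign(claimsJSON string, key []byte) string {
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	return msg + "." + tag(msg, key)
}

// Verify: alg must be exactly HS256 (so "none" fails), MAC checked in constant time, then exp.
func Verify(token string, key []byte, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return "", errors.New("malformed token or unsupported alg")
	}
	if !hmac.Equal([]byte(p[2]), []byte(tag(p[0]+"."+p[1], key))) {
		return "", errors.New("bad signature")
	}
	var c struct{ Exp *int64 `json:"exp"` }
	cb, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || c.Exp == nil || now.Unix() >= *c.Exp {
		return "", errors.New("bad, missing or expired exp")
	}
	return string(cb), nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // real keys: 32+ bytes from crypto/rand
	fmt.Println(Verify(Sign(`{"foo":"bar","exp":4102444800}`, key), key, time.Now()))
}
```

The verifier never reads the algorithm from the token to decide how to check it: it compares the header against the one value it supports and recomputes the MAC itself.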
I want a dev-friendly JWT library without the hassle of RSA keys.
Go get it at https://github.com/ibmendoza/jwt
If you want an even simpler alternative to JWT that always encrypts claims, then try salt at https://github.com/ibmendoza/salt