How to build 'entire' token? #356

michael-wang · 2021-03-24T08:02:43Z

michael-wang
Mar 24, 2021

I can new a token:
t := jwt.New()
set subject:
t.Set(jwt.SubjectKey, ...)
then sign with my private key:
jwt.Sign(t, jwa.RS256, privKey)
Then I got a long string ("xxx") aka the token.

But according to jwt.io, a JWT token has 3 segments: "header.payload.signature"
the "xxx" I got from jwt.Sign seems to be the "signature" part (?)

So my question is:

Do I need to build entire token (with 3 segments) for client so I can claim we are using JWT?
If yes, is there simple way in jwx package that I can get entire token ("header.payload.signature")?

Thanks for any help!

Answered by lestrrat

Mar 24, 2021

Assuming you are doing everything correctly, you should get a proper JWS with three segments. I think you are just not catching the "."'s

package main

import (
  "crypto/rand"
  "crypto/rsa"
  "fmt"

  "github.com/lestrrat-go/jwx/jwa"
  "github.com/lestrrat-go/jwx/jwt"
)

func main() {
  privKey, _ := rsa.GenerateKey(rand.Reader, 2048)
  tok := jwt.New()
  tok.Set(jwt.SubjectKey, "Hello, World")
  signed, err := jwt.Sign(tok, jwa.RS256, privKey)
  if err != nil {
    panic(err)
  }
  fmt.Printf("%s", signed)
}

Code like above will output something like the following (the output will always change because the key changes every run)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJIZWxsbywg…

View full answer

lestrrat · 2021-03-24T23:35:07Z

lestrrat
Mar 24, 2021
Maintainer

Assuming you are doing everything correctly, you should get a proper JWS with three segments. I think you are just not catching the "."'s

package main

import (
  "crypto/rand"
  "crypto/rsa"
  "fmt"

  "github.com/lestrrat-go/jwx/jwa"
  "github.com/lestrrat-go/jwx/jwt"
)

func main() {
  privKey, _ := rsa.GenerateKey(rand.Reader, 2048)
  tok := jwt.New()
  tok.Set(jwt.SubjectKey, "Hello, World")
  signed, err := jwt.Sign(tok, jwa.RS256, privKey)
  if err != nil {
    panic(err)
  }
  fmt.Printf("%s", signed)
}

Code like above will output something like the following (the output will always change because the key changes every run)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJIZWxsbywgV29ybGQifQ.DfxxWTYFRtdGnwCmtwiAlA1e2eR4-ley9uoDIp_vE_JUC2OxNwQFyKFOEzPbUJgVlK3CXX5boIfRHFm9omBWxrP_tRfCvisvKfhGlGB3V2yHT92T-S38iK3oKg5WHLgQCx9NidbWgJ98ff-lrBAT6FpTa_8fPyY37CjjfeR02AroP05nYSU3rfyS-5bruukDYRf5JTZsbaC4OLwFsUZ2hyXk6dh5xU81QZ2ugSqFnahlQF6A9WSdH8LqHY7npQKTGLrllVhzZHzldJwxHGP4yGhX9OCloD8bECl1UVkKatCksJ1-qpR3u3PgZbb4w0YxGX3dwBIorL6_pNcYw-F_7w

If you look closely you will notice the dots, and see that you have three segments

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.    # <--- HERE
eyJzdWIiOiJIZWxsbywgV29ybGQifQ. # <--- HERE
DfxxWTYFRtdGnwCmtwiAlA1e2eR4-ley9uoDIp_vE_JUC2OxNwQFyKFOEzPbUJgVlK3CXX5boIfRHFm9omBWxrP_tRfCvisvKfhGlGB3V2yHT92T-S38iK3oKg5WHLgQCx9NidbWgJ98ff-lrBAT6FpTa_8fPyY37CjjfeR02AroP05nYSU3rfyS-5bruukDYRf5JTZsbaC4OLwFsUZ2hyXk6dh5xU81QZ2ugSqFnahlQF6A9WSdH8LqHY7npQKTGLrllVhzZHzldJwxHGP4yGhX9OCloD8bECl1UVkKatCksJ1-qpR3u3PgZbb4w0YxGX3dwBIorL6_pNcYw-F_7w # <-- and HERE

1 reply

michael-wang Mar 26, 2021
Author

Yes, you are right!

I check the signed string from client (testing with grpcurl) which should be base64 encoded, that's why I don't see the dot!

When I log the signed string from server side, I saw all three segments separated by dot.

Apology for waste of your time, and thank you for your detailed answer!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to build 'entire' token? #356

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

How to build 'entire' token? #356

michael-wang Mar 24, 2021

Replies: 1 comment · 1 reply

lestrrat Mar 24, 2021 Maintainer

michael-wang Mar 26, 2021 Author

michael-wang
Mar 24, 2021

Replies: 1 comment 1 reply

lestrrat
Mar 24, 2021
Maintainer

michael-wang Mar 26, 2021
Author