auth0/go-jwt-middleware

Custom claims not decoded

jpmeijers opened this issue · 4 comments

Describe the problem

Decoded access token does not contain custom claims.

What was the expected behavior?

I want to see the custom claims that were added by the auth0 actions.

Reproduction

I have an access token that looks like this:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjdOU1ZEMHpoMnJmSG9JWjM3YjBqWiJ9.eyJodHRwczovL2F1dGguZWJ1Zy5jby56YS9lbWFpbCI6ImpwbWVpamVyc0Bob21lYnVnLmNvLnphIiwiaHR0cHM6Ly9hdXRoLmVidWcuY28uemEvZW1haWxfdmVyaWZpZWQiOnRydWUsImlzcyI6Imh0dHBzOi8vYXV0aC5lYnVnLmNvLnphLyIsInN1YiI6ImF1dGgwfDEyMTEiLCJhdWQiOiJodHRwczovL2FwaS5lYnVnLmNvLnphIiwiaWF0IjoxNjU0MDE0MDM2LCJleHAiOjE2NTQxMDA0MzYsImF6cCI6InFyZGJkeGllZGtTQVBtbHhVckw0OTJVSjR3WHRWajVBIiwic2NvcGUiOiJlbWFpbCIsImd0eSI6InBhc3N3b3JkIiwicGVybWlzc2lvbnMiOltdfQ.MvKzvEbmmZRgOOGvG35npCkS3FfDmEJt1dpc_uRey5MZLvuO_a2Z8L-Z7TizVBkWhIHWL8mxopzjI9PLx_VzeexL8XKt7mrg0eiabu6sLlky29pXGjfh1SDDMhV4MTWMc_G94riNs-LfSZ7sevZMOn2TyCGEcSwJf5uW-xbcBQLeHIDMIhm1vAqFvJj_qsE68KFO2O0g1JZbSjakRBUq_aL0CsSpOScKXKk9Bi19L0U_mjYeUxYD24sMyZ6wbOot5_OPgIV3ouBUEuLR8RA0itGj7n22flRdzTR6inAB-KJdQZ7reFcP7YrKzTyrKA5p3nb245sJhvGPGmYIaZSBvw

I call the golang API which prints out the json marshalled claims:

func TestUserAuthedRoute(w http.ResponseWriter, r *http.Request) {
	claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
	log.Println(claims.RegisteredClaims.Subject)

	payload, err := json.Marshal(claims)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	w.Write(payload)
}

The result is:

{
    "CustomClaims": {
        "scope": "email"
    },
    "RegisteredClaims": {
        "iss": "https://auth.ebug.co.za/",
        "sub": "auth0|1211",
        "aud": [
            "https://api.ebug.co.za"
        ],
        "exp": 1654100251,
        "iat": 1654013851
    }
}

I am expecting to see the custom claims, like jwt.io shows when decoding this same access token:

{
  "https://auth.ebug.co.za/email": "jpmeijers@homebug.co.za",
  "https://auth.ebug.co.za/email_verified": true,
  "iss": "https://auth.ebug.co.za/",
  "sub": "auth0|1211",
  "aud": "https://api.ebug.co.za",
  "iat": 1654014036,
  "exp": 1654100436,
  "azp": "qrdbdxiedkSAPmlxUrL492UJ4wXtVj5A",
  "scope": "email",
  "gty": "password",
  "permissions": []
}

Environment

  • Version of go-jwt-middleware used: github.com/auth0/go-jwt-middleware/v2 v2.0.1
  • Other modules/plugins/libraries that might be involved:

Hey @jpmeijers. Have you followed the example which shows custom claims? https://github.com/auth0/go-jwt-middleware/blob/master/examples/http-example/main.go Note that you need to have a struct pre-defined which the custom claims can map to.

Thanks, I wasn't aware of that example. Maybe we should note something about this in the README.

Is there a way to parse all the custom claims, without having to pre-define them? Like we would have unmarshalled unknown json to an interface{}.

Hey @jpmeijers sorry for the late reply - I was out on vacation for a bit. Yes, you could get all claims by doing something like the following:

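import (
	"context"
	"encoding/json"
	"time"

	"github.com/auth0/go-jwt-middleware/v2/validator"
)

// AllClaims receives every claim in the token payload as raw JSON,
// so no struct has to be defined in advance.
type AllClaims map[string]json.RawMessage

// Validate is called by the validator once the claims have been decoded.
func (a *AllClaims) Validate(ctx context.Context) error {
	// do validation
	return nil
}

// newValidator wraps the setup snippet so it compiles on its own;
// the function name is illustrative and keyFunc is supplied by the caller.
func newValidator(keyFunc func(context.Context) (interface{}, error)) (*validator.Validator, error) {
	customClaims := func() validator.CustomClaims {
		return &AllClaims{}
	}

	// Set up the validator.
	return validator.New(
		keyFunc,
		validator.HS256,
		"go-jwt-middleware-example",
		[]string{"audience-example"},
		validator.WithCustomClaims(customClaims),
		validator.WithAllowedClockSkew(30*time.Second),
	)
}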

Ah great. Thanks a lot for the example.
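The two approaches from this thread side by side, as an added example that is not code from the thread or from the project: a pre-defined struct whose JSON tags name the namespaced claims and whose Validate hook rejects an unverified e-mail, and the catch-all AllClaims map with a type-checked accessor. It uses only the standard library and assumes the validator fills the custom-claims value by JSON-unmarshalling the already verified token payload into it; TypedClaims, StringClaim, decode and samplePayload are hypothetical names, and the sample payload is constructed from the decoded token shown in the issue.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// samplePayload is constructed from the decoded payload shown in the issue.
const samplePayload = `{"https://auth.ebug.co.za/email":"jpmeijers@homebug.co.za",
"https://auth.ebug.co.za/email_verified":true,"sub":"auth0|1211","scope":"email","permissions":[]}`

// TypedClaims (hypothetical name) maps the namespaced claims via JSON tags.
type TypedClaims struct {
	Email         string `json:"https://auth.ebug.co.za/email"`
	EmailVerified bool   `json:"https://auth.ebug.co.za/email_verified"`
}

// Validate has the shape of the hook from the thread; here it rejects an unverified e-mail.
func (c *TypedClaims) Validate(ctx context.Context) error {
	if c.Email == "" || !c.EmailVerified {
		return errors.New("email claim missing or not verified")
	}
	return nil
}

// AllClaims is the catch-all type from the thread: every claim as raw JSON.
type AllClaims map[string]json.RawMessage

// StringClaim (hypothetical helper) returns a claim only if present and a JSON string.
func (a AllClaims) StringClaim(name string) (string, bool) {
	var s string
	raw, ok := a[name]
	if !ok || len(raw) == 0 || raw[0] != '"' || json.Unmarshal(raw, &s) != nil {
		return "", false
	}
	return s, true
}

// decode stands in for the validator's unmarshal step (assumption) on a verified payload.
func decode(payload string, dst interface{}) error {
	return json.Unmarshal([]byte(payload), dst)
}

func main() {
	typed, all := &TypedClaims{}, AllClaims{}
	fmt.Println(decode(samplePayload, typed), typed.Validate(context.Background()))
	fmt.Println(decode(samplePayload, &all), len(all))
}
```

With the map, every claim reaches the handler as untyped JSON, so each value should be type-checked before it is used in an authorization decision.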