Audience Check Should Not Be Mandatory
Closed this issue · 4 comments
Checklist
- I have looked into the README and have not found a suitable solution or answer.
- I have looked into the documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have upgraded to the latest version of this SDK and the issue still persists.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
While creating a validator for the JWT middleware using the New function, Audience is required, but according to the JWT RFC it should not be mandatory.
Audience should be an optional check.
func New(
keyFunc func(context.Context) (interface{}, error),
signatureAlgorithm SignatureAlgorithm,
issuerURL string,
audience []string,
opts ...Option,
)
Link to RFC: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
Reproduction
- We want to add JWT token verification middleware to the project.
- To create the Validator, the New function is used.
- But it requires passing an Audience.
Go JWT Middleware version
2.1.0
Go version
1.20.6
Hey @Devkahar,
As this library is focused on protecting APIs using access tokens, and not strictly on validation of JWTs, we feel that the requirement for an audience is fair, as without it any access token associated with the issuer could be used, rather than only those specifically authorized for the resource.
At the time of creation there was no standard definition for this process (although there is now RFC 9068 that the validation in this library is close to) so this library followed the documented Auth0 recommendation.
Do you have a specific use case where an IdP issues a valid access token for accessing a resource with no audience set?
Hi...this is Naresh from Dev's team.
We understand the RFC you are referring to as the spec for this middleware implementation.
We do not use any IdP yet and have a home grown SSO implementation based on JWT.
So far we have built microservices using Kotlin (Ktor web framework), where we use the middleware/interceptor from Auth0, and that middleware aligns with the expectations laid down in RFC 7519.
We are now starting to write a few microservices in Go, using the Gin framework.
We wanted to introduce a middleware with the same expectations and hence attempted to integrate this library.
At this point we are not sure what the right approach is. The middleware that we are using in the Kotlin world relies on java-jwt:
- https://github.com/auth0/java-jwt/blob/master/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
Hey @nkhalasi,
Given that java-jwt is a JWT parsing library, it doesn't have the same requirements as this library and isn't necessarily a middleware library. For example, in Java we provide an auth0-spring-security-api that uses java-jwt, is focused on securing APIs with JWTs, and has the same audience requirement as this library.
If possible I would recommend introducing an aud claim into your JWTs, which would allow using this library. If that isn't possible, you could either fork this library and remove the check, or build some middleware around a JWT parsing library such as https://github.com/go-jose/go-jose (what this library uses).
I'm going to close this issue as I believe it should be answered with my previous comment.
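The point the maintainer makes in the first reply (any token from the issuer becomes usable at every resource if aud is not checked) and the closing suggestion to build your own middleware around a parsing library can both be seen in a small verifier. The following is an added example written for this page; it is not code from go-jwt-middleware, go-jose, java-jwt or either commenter. It uses only the Go standard library with HS256, and the names Sign, Verify, CrossServiceReplay, the key, the issuer URL and the two service names billing-api and orders-api are all constructed for illustration. It also shows the one thing RFC 7519 section 4.1.3 does say about aud, that it may be either a single string or an array of strings, since a verifier that only parses one form will reject valid tokens. (RFC 7519 leaves aud optional; RFC 9068, which the maintainer mentions, makes it required for JWT access tokens.)

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience accepts both "aud" encodings RFC 7519 §4.1.3 allows: one string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil { // "aud": "orders-api"
		*a = Audience{single}
		return nil
	}
	var many []string // "aud": ["orders-api", "billing-api"]
	err := json.Unmarshal(b, &many)
	*a = many
	return err
}

// Claims is the subset of registered claims this example checks.
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience Audience `json:"aud,omitempty"`
	Expiry   int64    `json:"exp"`
}

var ErrAudience = errors.New("token not intended for this resource (aud mismatch)")
var b64 = base64.RawURLEncoding

// Sign mints an HS256 JWT; it stands in for the home-grown SSO issuer (constructed, not a real API).
func Sign(key []byte, c Claims) string {
	payload, _ := json.Marshal(c) // Claims contains only marshalable fields
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify checks alg, signature, iss and exp; with expectedAudience == "" the aud claim is
// ignored (what the issue asks for), otherwise aud must list expectedAudience.
func Verify(key []byte, token, expectedIssuer, expectedAudience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` } // pin the algorithm before trusting anything else
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("malformed token or unsupported alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Issuer != expectedIssuer {
		return nil, errors.New("unexpected issuer")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	ok := expectedAudience == "" // empty means the caller opted out of the aud check
	for _, a := range c.Audience {
		ok = ok || a == expectedAudience
	}
	if !ok {
		return nil, ErrAudience
	}
	return &c, nil
}

// CrossServiceReplay mints a token for billing-api and presents it to orders-api, first with
// the aud check disabled and then with it enabled. Key and issuer are constructed sample values.
func CrossServiceReplay() (withoutAudCheck, withAudCheck error) {
	key, issuer := []byte("constructed-shared-hmac-key"), "https://sso.example.internal"
	tok := Sign(key, Claims{Issuer: issuer, Audience: Audience{"billing-api"}, Expiry: time.Now().Add(5 * time.Minute).Unix()})
	_, withoutAudCheck = Verify(key, tok, issuer, "", time.Now())
	_, withAudCheck = Verify(key, tok, issuer, "orders-api", time.Now())
	return withoutAudCheck, withAudCheck
}

func main() {
	off, on := CrossServiceReplay()
	fmt.Println("aud check off:", off, "| aud check on:", on)
}
```

With the aud check disabled, orders-api accepts a token that the SSO minted for billing-api: the signature, issuer and expiry are all fine, because it is the same issuer and the same key. Only the aud check distinguishes the two services, which is why the maintainer treats it as part of protecting a resource rather than as part of parsing a JWT. If you do fork the library or write your own middleware and make aud optional, the safer shape is an explicit opt-out per resource, as above, rather than a verifier that silently skips the check whenever the claim is missing.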