1## JWT with net/http
2
3Integrating this library with net/http is simple. In this example, we will assume that you are using a `Server` object that is defined as follows:
4
5```go
6type Server struct {
7 alg jwa.SignatureAlgorithm
8 signKey jwk.Key
9 verifyKey jwk.Key
10}
11```
12
13The first step is to decide on the signature algorithm. Here we will show examples for using `jwa.HS256` and `jwa.RS256`. Choose the appropriate signature for your particular use case. You can find the full list of supported signature algorithms in the documentation or the source code for the [`jwa`](../jwa) package (remember tha there are some [optional algorithms](./global-settings.md#enabling-pptional-signature-methods).
14
15
16### Using HS256
17
18`jwa.HS256` is a symmetric algorithm, therefore the signing key should be exactly the same as the verifying key.
19
20```go
21s.alg = jwa.HS256
22s.signKey = jwk.New([]byte("Hello, World!"))
23s.verifyKey = s.signKey
24```
25
26### Using RS256
27
28In this example we assume that your keys are stored in PEM-encoded files `private-key.pem` and `public-key.pem.
29
30```go
31s.alg = jwa.RS256
32
33{
34 v, err := jwk.ReadFile(`private-key.pem`, jwk.WithPEM(true))
35 if err != nil {
36 // handle error
37 }
38 s.signKey = v
39}
40
41{
42 v, err := jwk.ReadFile(`public-key.pem`, jwk.WithPEM(true))
43 if err != nil {
44 // handle error
45 }
46 s.verifyKey = v
47}
48```
49
50### Reading JWT
51
52JWTs can be stored in HTTP headers, form values, etc, and you need to decide where to fetch the JWT payload from.
53
54The `jwt` package provides several ways to retrieve JWT data from an HTTP request.
55`jwt.ParseRequest` is the most generic front end, and the user will be able to dynamically change where to fetch the data from. By default the "Authorization" header is checked. If you want to check for more places, you can specify it as additional options. Please read the manual for `jwt.ParseRequest` for more details.
56
57The option `jwt.WithVerify` is added to validate the JWS message. You will need to execute `jwt.Validate` to validate the content of the JWT message. You can control what gets validated by passing options to `jwt.Validate`. Please read the manual for `jwt.Validate` for more details.
58
59```go
60func (s *Server) HandleFoo(w http.ResponseWriter, req *http.Request) {
61 token, err := jwt.ParseRequest(req, jwt.WithVerify(s.alg, s.verifyKey))
62 if err != nil {
63 // handle error
64 }
65
66 if err := jwt.Validate(token); err != nil {
67 // handle error
68 }
69
70 // ... additional code ...
71}
72```
73
74### Writing JWT
75
76In this example we are writing the token to the response body of the response.
77
78```go
79func (s *Server) HandleBar(w http.ResponseWriter, req *http.Request) {
80 var token jwt.Token
81
82 signed, err := jwt.Sign(token, s.alg, s.signKey)
83 if err != nil {
84 // handle errors
85 }
86
87 w.WriteHeader(http.StatusOK)
88 w.Write(signed)
89}
90```
91
92## JWT with Echo
93
94There is no official middleware, but [a simple port can be found here](https://github.com/lestrrat-go/echo-middleware-jwx)
View as plain text