# Parsing and Validating a JWT

## Keyfunc

## With Options
Option Name | Arguments | Description
---|---|---
`WithValidMethods` | methods as `[]string` | Supplies an allow-list of signing methods that the parser checks the token's `alg` header against; only the listed methods are accepted. The check runs before the `Keyfunc` is called, so a token with an unexpected method never reaches key lookup. Using this option is heavily encouraged in order to prevent algorithm confusion attacks, such as a token that claims the `none` algorithm.[^1]
`WithJSONNumber` | - | Configures the underlying JSON parser to call `UseNumber`, so numeric JSON values are decoded into `json.Number` instead of `float64`. A `json.Number` can then be converted to either a floating-point or an integer type, without the precision loss that `float64` imposes on large integers.
`WithIssuer` | issuer as `string` | Configures the validator to require the given issuer in the `iss` claim.[^2] Validation fails if the token carries a different issuer or the `iss` claim is missing.
`WithSubject` | subject as `string` | Configures the validator to require the given subject in the `sub` claim.[^3] Validation fails if the token carries a different subject or the `sub` claim is missing.
`WithAudience` | audience as `string` | Configures the validator to require the given audience in the `aud` claim.[^4] Validation fails if the audience is not listed in the token or the `aud` claim is missing. The content of the audience string is application specific, but it often contains the URI of the service that consumes the token.
`WithLeeway` | leeway as `time.Duration` | The RFC allows a small time window (leeway) when verifying time-based claims such as the expiration time, because clocks on a distributed system such as the internet are never perfectly synchronized. The library does not restrict the amount of leeway, but it should generally not exceed a few minutes, since every second of leeway extends the lifetime of every token.[^5]
`WithIssuedAt` | - | Enables a sanity check of the `iat` claim:[^6] the validator rejects tokens whose issued-at time lies in the future.
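The checks behind these options, as an added example that is not code from the library documented here: a small stand-alone HS256 parser written for this page, exposing options with the same names as the table (`WithValidMethods`, `WithIssuer`, `WithAudience`, `WithLeeway`, `WithIssuedAt`; `WithSubject` would follow the issuer pattern, and `WithJSONNumber` is left out) and applying them in the order the text describes: the `alg` allow-list is enforced before the signature is verified, and claims are validated only after the signature passes. The key, the issuer and audience URLs, and the `SignHS256` helper that mints the sample tokens are constructed for the demo. With the library itself the same options are passed as `jwt.Parse(tokenString, keyfunc, jwt.WithValidMethods([]string{"HS256"}), jwt.WithIssuer("..."), ...)` (v5 API).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims the options act on; a zero value means
// the claim is absent. "aud" stays raw because RFC 7519 allows either a
// string or an array of strings.
type Claims struct {
	Iss string          `json:"iss,omitempty"`
	Aud json.RawMessage `json:"aud,omitempty"`
	Exp int64           `json:"exp,omitempty"`
	Iat int64           `json:"iat,omitempty"`
}

// validator is the state that the functional options below configure.
type validator struct {
	validMethods     []string
	issuer, audience string
	leeway           time.Duration
	checkIssuedAt    bool
}

type Option func(*validator)

func WithValidMethods(m []string) Option { return func(v *validator) { v.validMethods = m } }
func WithIssuer(iss string) Option       { return func(v *validator) { v.issuer = iss } }
func WithAudience(aud string) Option     { return func(v *validator) { v.audience = aud } }
func WithLeeway(d time.Duration) Option  { return func(v *validator) { v.leeway = d } }
func WithIssuedAt() Option               { return func(v *validator) { v.checkIssuedAt = true } }

// Parse rejects a disallowed "alg" before the signature is even looked at,
// verifies the HS256 signature with key, and only then validates the claims.
// Nothing decoded from the token is trusted until all three steps pass.
func Parse(token string, key []byte, opts ...Option) (*Claims, error) {
	v := &validator{}
	for _, o := range opts {
		o(v)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	for i, dst := range []interface{}{&hdr, &c} {
		r := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[i]))
		if err := json.NewDecoder(r).Decode(dst); err != nil {
			return nil, err
		}
	}
	if v.validMethods != nil && !contains(v.validMethods, hdr.Alg) {
		return nil, fmt.Errorf("signing method %q is not allowed", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature is invalid")
	}
	if err := v.validate(&c, time.Now()); err != nil {
		return nil, err
	}
	return &c, nil
}

// validate applies the time and identity checks; leeway widens the time windows
// in the token's favour, which is why it should stay at a few minutes at most.
func (v *validator) validate(c *Claims, now time.Time) error {
	switch {
	case c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0).Add(v.leeway)):
		return errors.New("token is expired")
	case v.checkIssuedAt && c.Iat != 0 && now.Add(v.leeway).Before(time.Unix(c.Iat, 0)):
		return errors.New("token used before issued")
	case v.issuer != "" && c.Iss != v.issuer:
		return errors.New("token has invalid issuer")
	case v.audience != "" && !audienceContains(c.Aud, v.audience):
		return errors.New("token has invalid audience")
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// audienceContains accepts both the bare-string and the array form of "aud".
func audienceContains(raw json.RawMessage, want string) bool {
	if len(raw) > 0 && raw[0] == '"' {
		raw = json.RawMessage("[" + string(raw) + "]")
	}
	var many []string
	return json.Unmarshal(raw, &many) == nil && contains(many, want)
}

// SignHS256 mints the constructed sample tokens used below; alg "none" yields
// an unsecured JWS with an empty signature segment.
func SignHS256(key []byte, c Claims, alg string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	if alg == "none" {
		return input + "."
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-key") // hypothetical; never hard-code real keys
	opts := []Option{WithValidMethods([]string{"HS256"}), WithIssuer("https://issuer.example"),
		WithAudience("https://api.example"), WithLeeway(30 * time.Second), WithIssuedAt()}
	good := SignHS256(key, Claims{Iss: "https://issuer.example", Aud: []byte(`"https://api.example"`),
		Iat: time.Now().Unix(), Exp: time.Now().Add(time.Minute).Unix()}, "HS256")
	none := SignHS256(key, Claims{Iss: "https://issuer.example"}, "none")
	for _, tok := range []string{good, none} {
		_, err := Parse(tok, key, opts...)
		fmt.Println("error:", err)
	}
}
```

Running it shows the signed token accepted and the `alg: none` token rejected with `signing method "none" is not allowed` before any signature work is done; drop `WithValidMethods` and the same token still fails, but only at signature verification, which is the weaker place to catch it. Note also that the leeway is applied in the token's favour for both `exp` and `iat`: with a 30-second leeway, a token that expired 10 seconds ago is still accepted, which is why the table warns against generous values.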
## Danger Zone