Google App Engine - Confusion relating to public and private keys and JWT
I'm trying out JWT (JSON Web Tokens) in a Go web service. Here's what I've done so far:
```go
package jwt

import (
	"fmt"
	"net/http"
	"github.com/gorilla/mux"
	"github.com/dgrijalva/jwt-go"
	"io/ioutil"
)

// Raw contents of the key files, loaded in init().
var privateKey []byte
var publicKey []byte

func JSONWebTokensHandler(w http.ResponseWriter, r *http.Request) {
	// Create the token
	encodeToken := jwt.New(jwt.SigningMethodHS256)
	// Set some claims
	encodeToken.Claims["latitude"] = "25.000"
	encodeToken.Claims["longitude"] = "27.000"
	// Sign and get the complete encoded token as a string
	tokenString, err := encodeToken.SignedString(privateKey)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// Parse the token again, supplying the key used to check the signature
	decodeToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
		// Reject tokens that were not signed with an HMAC method
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return publicKey, nil
	})

	if decodeToken.Valid {
		fmt.Fprintf(w, "lat: %s, lng: %s", decodeToken.Claims["latitude"], decodeToken.Claims["longitude"])
	} else {
		fmt.Fprintf(w, "couldn't handle token: %s", err)
	}
}

func init() {
	// Read the key files at start-up
	privateKey, _ = ioutil.ReadFile("demo.rsa")
	publicKey, _ = ioutil.ReadFile("demo.rsa.pub")

	r := mux.NewRouter()
	r.HandleFunc("/jwt", JSONWebTokensHandler).Methods("GET")
	http.Handle("/", r)
}
```
Now, if my understanding is correct, a token encoded using a private key can be decoded using the public key. I've presumed this in the code above, but when I run the code I get the error:
couldn't handle token: signature invalid
If I use the same key for encoding and decoding, the code works.
What I'd like to know is, is there something wrong with my understanding or in the code?
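The JWT isn't signed using an asymmetric cipher like RSA. It uses HMAC, which uses a single, secret key. Indeed, the point here is not to prove to someone else that you signed the token. It's to prove to yourself that you signed it, and to forbid anyone who doesn't have the secret key to modify the token.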
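The difference the answer describes, as an added example that is not part of the original question or answer: an HS256 tag verifies only with the secret that produced it, and, going one step beyond the answer, an RS256 signature is made with the private key and verified with the public key. It uses only the Go standard library rather than jwt-go; `Unsigned`, the `Sign*`/`Verify*` functions, `demoKey` and the key strings are names and values made up for this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key pair constructed for this example

func Unsigned(alg, payload string) string { // builds the "header.payload" part that gets signed
	return b64.EncodeToString([]byte(`{"alg":"`+alg+`","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
}

// SignHS256 appends an HMAC-SHA256 tag: the one secret both creates and checks it.
func SignHS256(in string, secret []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(in))
	return in + "." + b64.EncodeToString(m.Sum(nil))
}

func VerifyHS256(tok string, key []byte) bool {
	p := strings.Split(tok, ".") // re-sign with key, then compare in constant time
	return len(p) == 3 && hmac.Equal([]byte(tok), []byte(SignHS256(p[0]+"."+p[1], key)))
}

func SignRS256(in string, priv *rsa.PrivateKey) (string, error) {
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]) // needs the private key
	return in + "." + b64.EncodeToString(sig), err
}

func VerifyRS256(tok string, pub *rsa.PublicKey) bool {
	p := strings.Split(tok, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	h := sha256.Sum256([]byte(strings.Join(p[:len(p)-1], ".")))
	return len(p) == 3 && err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil // public key only
}

func main() {
	hs := SignHS256(Unsigned("HS256", `{"latitude":"25.000"}`), []byte("key A"))
	rs, _ := SignRS256(Unsigned("RS256", `{"latitude":"25.000"}`), demoKey)
	fmt.Println(VerifyHS256(hs, []byte("key B")), VerifyRS256(rs, &demoKey.PublicKey)) // false true
}
```

Each verifier fixes its own algorithm instead of trusting the token's `alg` header, and neither checks claims such as expiry.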