How to validate custom claims with _arbitrary_ additional claims?

[johakoch]

The ClaimsValidator interface provides a way to have a claims implementation that has its own (additional) claims validation. The examples I see in code are all using the jwt.RegisteredClaims as a base, extending by a specific claim.

What about the case where you have arbitrary additional claims, the expected values of which (to be validated against) you only know at run time because they are e.g. read from a configuration?

Currently I use jwt.MapClaims as input to ParseWithClaims() and then validate the claims after parsing. How could I do it during parsing with the ClaimsValidator interface?

[oxisto]

There are basically two options:

1. If the claims are arbitrary, but still limited to an overall set of X claims, you can still extend jwt.RegisteredClaims with your own and have a list of claims in there which are all optional, i.e., they use pointers instead of the raw data type. Something like:

type MyClaims struct {
  jwt.RegisteredClaims
  This *string
  That *string
  TheOther *int
}

and then check for the existence in Validate using a nil-check.

2. If it has to be completely arbitrary and only decided during runtime, you still should be a able to use the ClaimsValidator by either extending or embedding the jwt.MapClaims.

type MyClaims jwt.MapClaims

func (m MyClaims) Validate error() {
   // Just use the map here
   value, ok := m["my claim"]
}

You might need to explicitly cast MyClaims to a map, not 100 % sure now, since I am typing this from memory ;)

Update: no cast needed, you can just directly access the map values this way.

[johakoch]

Hi @oxisto,

yes it has to be completely arbitrary.

I tried your example in (2.) (see https://go.dev/play/p/zMENmFtojrz):

import (
	"fmt"

	"github.com/golang-jwt/jwt/v5"
)

type MyClaims jwt.MapClaims

func (m MyClaims) Validate() error {
	_, ok := m["my_claim"]
	if !ok {
		return fmt.Errorf("missing my_claim")
	}
	return nil
}

func main() {
	p := jwt.NewParser()
	tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"aud": "peter",
		"a":   1,
	})
	keyBytes := []byte("mySecretK3y")
	token, _ := tok.SignedString(keyBytes)
	claims := MyClaims{}
	// claims := jwt.MapClaims{}
	p.ParseWithClaims(token, claims, func(_ *jwt.Token) (interface{}, error) {
		return keyBytes, nil
	})
	fmt.Printf("claims = %#v\n", claims)
}

cannot use claims (variable of type MyClaims) as jwt.Claims value in argument to p.ParseWithClaims: MyClaims does not implement jwt.Claims (missing method GetAudience)

However I probably need to also pass the expected claim values as a map[string]interface{} to MyClaims in order to use them in Validate().

[oxisto]

This is probably specific to your implementation, but you could store the expected claims in a global variable in the package or something like this. Thinking about future APIs, it would probably good to have some Context variable which could be dragged along the parser to the validator.

[equalsgibson]

Hi @johakoch, I've put together a proof of concept based on the code provided above. This has not been fully tested, and may not be fully performant, but I believe it does what you require for now;

package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/golang-jwt/jwt/v5"
)

// Embed the jwt.MapClaims type to ensure the methods are available to
// satisfy the jwt.Claims and jwt.ClaimsValidator interfaces.
type MyClaims struct {
	jwt.MapClaims
        // This could potentially be extended to include expected values.
        // ExpectedClaims map[string]any.... 
        // You could also define an "expectedclaim" type, with properties for
        // 'expected', 'required/optional' etc.
}

// Custom validation done in this function
func (m MyClaims) Validate() error {
	_, ok := m.MapClaims["my_claim"]
	if !ok {
		return fmt.Errorf("missing my_claim")
	}

	return nil
}

// Implement a custom unmarshal function for this type, to ensure that the claims
// are copied to MyClaims.MapClaims
func (m *MyClaims) UnmarshalJSON(b []byte) error {
	t := new(map[string]any)
	if err := json.Unmarshal(b, t); err != nil {
		return err
	}

	if m.MapClaims == nil {
		m.MapClaims = jwt.MapClaims{}
	}

	for claim, value := range *t {
		m.MapClaims[claim] = value
	}

	return nil
}

func main() {
        // Validate that the supported, existing ParserOptions still function as intended.
	p := jwt.NewParser(jwt.WithIssuer("acme"))
	tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"aud": "peter",
		"a":   1,
		"iss": "not_acme",
	})
	keyBytes := []byte("mySecretK3y")
	token, _ := tok.SignedString(keyBytes)
	claims := MyClaims{jwt.MapClaims{}}

	// Expected output:
	//   '2009/11/10 23:00:00 token has invalid claims: token has invalid issuer, missing my_claim'
	parsedToken, err := p.ParseWithClaims(token, &claims, func(_ *jwt.Token) (interface{}, error) {
		return keyBytes, nil
	})
	if err != nil {
		log.Fatal(err)
	}

	log.Printf("This is my token: %+v", parsedToken)
}

Does this answer your question / partially solve your use case?