I'm trying to use GitHub App and I need to generate a JWT for authenticating (https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#generating-a-private-key)
I'm trying to do that using Goland.
How can I generate a JWT from PEM private key in Go??
The jwt-go library has all the tools you need, and is fairly well documented. You can find it at https://github.com/golang-jwt/jwt.
Assuming you understand what JWTs are and how they're structured, and that you can get that PEM key as a []byte, the process is roughly:
Add "github.com/golang-jwt/jwt/v4" to your imports.
Create a set of claims, which can include the RegisteredClaims type and any custom claims you may need.
Create the token with jwt.NewWithClaims() - you'll need to provide the appropriate signing method. I've primarily used RS256.
Create the JWT string from the token with token.SignedString().
In practice, it will look something like this:
imports "github.com/golang-jwt/jwt/v4"
type MyCustomClaims struct {
*jwt.RegisteredClaims
FooClaim int
BarClaim string
}
func CreateJWT(pemKey []byte) string {
// expires in 60 minutes
expiration := time.Now().Add(time.Second * 3600)
claims := MyCustomClaims{
RegisteredClaims: &jwt.RegisteredClaims{
Issuer: "Example Code Inc.",
ExpiresAt: jwt.NewNumericDate(expiration),
Subject: "JWT Creation",
},
FooClaim: 123,
BarClaim: "bar",
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
privateKey, _ := jwt.ParseRSAPrivateKeyFromPEM(pemKey)
myJWT, _ := jwt.SignedString(privateKey)
return myJWT
}
I suggest reading code from this repository:
https://github.com/bradleyfalzon/ghinstallation
I don't know why, but the code in the answer from #JesseB above didn't work for me - it always throws: 401 Unauthorized. Although this repository does use golang-jwt package internally
Related
I am trying to get repo list from gitlab using OAuth token.
My code looks something like this ... ("github.com/xanzy/go-gitlab")
repositories := []string{}
client, _ := gitlab.NewClient(gitRepoRequest.Token, gitlab.WithBaseURL("https://gitlab.com/api/v4"))
fmt.Println("client...", client.ContainerRegistry)
projects, _, projectListErr := client.Projects.ListProjects(&gitlab.ListProjectsOptions{})
for _, project := range projects {
fmt.Println("ID===", project.ID)
fmt.Println("NAME===", project.Name)
}
if projectListErr != nil {
// return err
}
I am not able to get the project list.. the "projectListErr" says ...
GET https://gitlab.com/api/v4/projects: 401 {message: 401 Unauthorized}
I am confident about the token value because I am getting list of all branches for a repo using the same token, that code looks like ... ("github.com/go-git/go-git/v5")
rem := git.NewRemote(gitMemory.NewStorage(), &gitConfig.RemoteConfig{
Name: "origin",
URLs: []string{gitBranchesRequest.Repository},
})
refs, listErr := rem.List(&git.ListOptions{
Auth: &gitHttp.BasicAuth{Username: gitUserName, Password: gitBranchesRequest.Token},
})
Does that mean there is an issue with the library that I am using ? github.com/xanzy/go-gitlab
It depends on the type of token you are using.
For instance, a project access token might very well give you access to the list of all branches for a repository (for that project).
But for using the /projects API, 401 means the authentication information is not valid or is missing.
So make sure to use a PAT (Personal Access Token), linked to a user, not a project.
The OP Keval Bhogayata adds in the comments:
I have found the issue.
The library I am using ("xanzy/go-gitlab"), has different client creation functions for different tokens.
I have been using the function that supports personal access token. Instead I was supposed to use "NewOAuthClient" !
// NewOAuthClient returns a new GitLab API client. To use API methods which
// require authentication, provide a valid oauth token.
func NewOAuthClient(token string, options ...ClientOptionFunc) (*Client, error)
My use case looks like I know the public certificates of my clients and only want to allow them. I have a go server based on gin and a TLS configuration in which I have assigned a method to the property "VerifyPeerCertificate".
The function looks like
func customVerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
if len(verifiedChains) < 1 {
return errors.New("Verified certificate chains is empty.")
}
if len(verifiedChains[0]) < 1 {
return errors.New("No certificates in certificate chains.")
}
if len(verifiedChains[0][0].Subject.CommonName) < 1 {
return errors.New("Common name can not be empty.")
}
fmt.Println(verifiedChains[0][0].Raw)
publicKeyDer, _ := x509.MarshalPKIXPublicKey(verifiedChains[0][0].PublicKey)
publicKeyBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: publicKeyDer,
}
publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
}
The problem is, however, that the string in the variable "publicKeyPem" does not look like the client public certificate I used to send the request to the server, it's also shorter in length.
A certificate is more than its public key. The entire x509.Certificate object represents the certificate presented by the client, the public key field is only the actual value of the public key.
If you want to compare certificates for strict equality, you should use the rawCerts [][]byte argument passed to your callback. This is mentioned in the tls.Config comments for VerifyPeerCertificate:
VerifyPeerCertificate, if not nil, is called after normal
certificate verification by either a TLS client or server. It
receives the raw ASN.1 certificates provided by the peer and also
any verified chains that normal processing found. If it returns a
non-nil error, the handshake is aborted and that error results.
Thanks to Marc, I know that I used the wrong variable. To convert the certificate as a string, as used by the client, use the following code
publicKeyBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: rawCerts[0],
}
publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
I am using the excellent goa package to generate my API in Go.
However, I am having an issue with its security middleware and when I submit a bearer token to my controllers, I get "authorization failed" because of "scopes:null". I am using Auth0 for authentication and it is generating the bearer token. The exact error in Postman is:
{"id":"xOUR882s","code":"jwt_security_error","status":401,"detail":"authorization failed: required 'scopes' not present in JWT claim","meta":{"required":["read:meta"],"scopes":null}}
However, my token does include the required scope read:meta. jwt.io gives back the following decoded bearer:
{
"iss": "https://learnlogic.au.auth0.com/",
"sub": "exJMkK7hXX56lrLwoTqna3s0jh7Gq67e#clients",
"aud": "https://api.learn-logic.com",
"exp": 1494855336,
"iat": 1494768936,
"scopes": "read:meta"
}
I am hoping someone can help me workout why, as I don't really understand what is going on in middleware/jwt.go in the goa project which may be found here. My only thought is that something about the Auth0 formatted bearer is not compatible with the parseClaimScopes function in middleware/jwt.go, but I don't know what.
I have the following main.go code:
b, err := ioutil.ReadFile("util/jwt.key")
if err != nil {
return
}
block, _ := pem.Decode([]byte(b))
var cert *x509.Certificate
cert, _ = x509.ParseCertificate(block.Bytes)
rsaPublicKey := cert.PublicKey.(*rsa.PublicKey)
fmt.Println(rsaPublicKey.N)
fmt.Println(rsaPublicKey.E)
fmt.Println(cert)
var keyx = []jwt.Key{rsaPublicKey}
var jwtResolver = jwt.NewSimpleResolver(keyx)
app.UseJWTMiddleware(service, jwt.New(jwtResolver, nil, app.NewJWTSecurity()))
The certificate I am reading in is the same one used in jwt.io to decode the bearer token.
Any help is much appreciated.
According to this ticket https://github.com/goadesign/goa/issues/1228, the problem was due to the fact there was only a support for a claim with a singular name "scope" and not the plural "scopes". This PR https://github.com/goadesign/goa/pull/1399, added the plural version.
I'm trying to use the new Firebase Realtime Database for a simple logging application. All interraction with the database will be from my server, so I only need one account that can read/write anything.
As far as I can tell (the documentation is awful - there's plenty of it but it contradicts itself and half of it is for the 'old' Firebase, and often it is in some random language that you aren't using), I need to create a service account and then create a JWT token using OAuth. Fortunately Go has some nice built in libraries for this. Here is my code:
const firebasePostUrl = "https://my-product-logging.firebaseio.com/tests.json"
// Obtained from the Google Cloud API Console
var firebaseServiceAccount map[string]string = map[string]string{
"type": "service_account",
"project_id": "my-product-logging",
"private_key_id": "1c35ac0c501617b8f1610113c492a5d3321f4318",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoblahblahhwWlteuRDrsxmRq+8\ncDGMKcXyDHl3nWdIrWqJcDw=\n-----END PRIVATE KEY-----\n",
"client_email": "log-user#my-product-logging.iam.gserviceaccount.com",
"client_id": "101403085113430683797",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/log-user%40my-product-logging.iam.gserviceaccount.com",
}
func firebaseClient() *http.Client {
jwtConfig := jwt.Config{
// Email is the OAuth client identifier used when communicating with
// the configured OAuth provider.
Email: firebaseServiceAccount["client_email"],
// PrivateKey contains the contents of an RSA private key or the
// contents of a PEM file that contains a private key. The provided
// private key is used to sign JWT payloads.
// PEM containers with a passphrase are not supported.
// Use the following command to convert a PKCS 12 file into a PEM.
//
// $ openssl pkcs12 -in key.p12 -out key.pem -nodes
//
PrivateKey: []byte(firebaseServiceAccount["private_key"]),
// PrivateKeyID contains an optional hint indicating which key is being
// used.
PrivateKeyID: firebaseServiceAccount["private_key_id"],
// Subject is the optional user to impersonate.
Subject: "",
// Scopes optionally specifies a list of requested permission scopes.
Scopes: []string{
"https://www.googleapis.com/auth/devstorage.readonly",
},
// TokenURL is the endpoint required to complete the 2-legged JWT flow.
TokenURL: firebaseServiceAccount["token_uri"],
// Expires optionally specifies how long the token is valid for.
Expires: 0,
}
ctx := context.Background()
return jwtConfig.Client(ctx)
}
func firebaseFunc() {
authedClient := firebaseClient()
msg := map[string]string{
"hello": "there",
"every": "one",
}
data, err := json.Marshal(msg)
if err != nil {
log.Fatal("JSON Marshall Error: ", err)
continue
}
resp, err := authedClient.Post(firebasePostUrl, "application/json", bytes.NewReader(data))
if err != nil {
log.Fatal("Firebase Error: ", err)
continue
}
log.Print("Firebase Response Code: ", resp.StatusCode)
}
The problem is, I always get this error:
{
"error" : "invalid_scope",
"error_description" : "https://www.googleapis.com/auth/devstorage.readonly is not a valid audience string."
}
I assume it is a type that the error is invalid_scope, and the description says it is an invalid audience (I assume the JWT aud parameter).
What do I use as my scope to allow me to read/write the Firebase Database (using the default "auth != null" rules)?
Edit: I found the answer here finally:
https://www.googleapis.com/auth/firebase
However now it gives me a 403 response when actually doing the post.
{
"error" : "Permission denied."
}
Ugh, I found the undocumented answer here. Currently you also need this scope:
https://www.googleapis.com/auth/userinfo.email
I have a SMTP account that does not use encrypted connection. I can use the same account to send emails from C# and Python without problems but with Go I get the error:
unencrypted connection
This is the code I am using:
package main
import (
"log"
"net/smtp"
)
func main() {
// Set up authentication information.
auth := smtp.PlainAuth(
"",
"user#example.com",
"password",
"mail.example.com",
)
// Connect to the server, authenticate, set the sender and recipient,
// and send the email all in one step.
err := smtp.SendMail(
"mail.example.com:25",
auth,
"sender#example.org",
[]string{"recipient#example.net"},
[]byte("This is the email body."),
)
if err != nil {
log.Fatal(err)
}
}
The issue here is that smtp.PlainAuth refuses to send your password over an unencrypted connection. This is for your own protection. Something like smtp.CRAMMD5Auth would be a much better choice. When using CRAM-MD5, even over an unencrypted connection, your password is not exposed.
If you want to use plain authentication anyways, you would need to make your own version of smtp.PlainAuth. Luckily, this is a very easy thing to do. Just copy the 20 lines or so from the standard library and remove:
if !server.TLS {
return "", nil, errors.New("unencrypted connection")
}
http://golang.org/src/pkg/net/smtp/auth.go?s=1820:1882#L41 contains the code.
If you do not wish to copy code, you can reuse the standard library implementation by wrapping the smtp.Auth returned by the function in your own type. This way you intercept the *smtp.ServerInfo and trick the actual Auth mechanism (from the standard library) that there is an encrypted connection. Make sure to heavily comment to make it clear why you are doing what you are doing. Something like this (untested):
type unencryptedAuth struct {
smtp.Auth
}
func (a unencryptedAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
s := *server
s.TLS = true
return a.Auth.Start(&s)
}
auth := unencryptedAuth {
smtp.PlainAuth(
"",
"user#example.com",
"password",
"mail.example.com",
),
}