feat: support multiple issuer:audience combinations by introducing an option for the expectedClaims. WithExpectedClaims can be called with multiple jwt.Expected parameters to allow different Issuer:Audience combinations to validate tokens

feat: support multiple issuers in a provider using WithAdditionalIssuers option

Every effort has been made to ensure backwards compatibility. Some error messages will be different due to the wrapping of errors when multiple jwt.Expected are set. When validating the jwt, if an error is encountered, instead of returning immediately, the current error is wrapped. This is good and bad. Good because all verification failure causes are captured in a single wrapped error; Bad because all verification failure causes are captured in a single monolithic wrapped error. Unwrapping the error can be tedious if many jwt.Expected are included. There is likely a better way but this suits my purposes.

A few more test cases will likely be needed in order to achieve true confidence in this change

Author: cmmoran

README.md

@@ -43,7 +43,6 @@ import (
 	"log"
 	"net/http"
 
-	"github.com/auth0/go-jwt-middleware/v2"
 	"github.com/auth0/go-jwt-middleware/v2/validator"
 	jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
 )

examples/echo-example/README.md

@@ -10,3 +10,4 @@ To try this out:
 * Run `go run .` to start the app.
 * Use [jwt.io](https://jwt.io/) to generate a JWT signed with the HS256 algorithm and `secret`.
 * Call `http://localhost:3000` with the JWT to get a response back.
+* see `main.go` for example tokens

examples/echo-example/go.mod

@@ -12,6 +12,7 @@ require (
 replace github.com/auth0/go-jwt-middleware/v2 => ./../../
 
 require (
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

examples/echo-example/main.go

@@ -11,9 +11,9 @@ import (
 
 // Try it out with:
 //
-// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyJ9.XFhrzWzntyINkgoRt2mb8dES84dJcuOoORdzKfwUX70
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyJ9.DSY4NlpZZ2mOqaKuXvJkOrgZA3nD5HuGaf1wB9-0OVw
 //
-// which is signed with 'secret' and has the data:
+// which is signed with 'abcdefghijklmnopqrstuvwxyz012345' and has the data:
 //
 //	{
 //	  "iss": "go-jwt-middleware-example",
@@ -26,9 +26,9 @@ import (
 //
 // You can also try out the custom validation with:
 //
-// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyIsInNob3VsZFJlamVjdCI6dHJ1ZX0.Jf13PY_Oyu2x3Gx1JQ0jXRiWaCOb5T2RbKOrTPBNHJA
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyIsInNob3VsZFJlamVjdCI6dHJ1ZX0.qjjJBgKNomlbEQrCobpEU9ASgvSpLQhQBryRkp6-RQc
 //
-// which is signed with 'secret' and has the data:
+// which is signed with 'abcdefghijklmnopqrstuvwxyz012345' and has the data:
 //
 //	{
 //	  "iss": "go-jwt-middleware-example",

examples/echo-example/middleware.go

@@ -13,7 +13,7 @@ import (
 
 var (
 	// The signing key for the token.
-	signingKey = []byte("secret")
+	signingKey = []byte("abcdefghijklmnopqrstuvwxyz012345")
 
 	// The issuer of our token.
 	issuer = "go-jwt-middleware-example"

examples/gin-example/README.md

@@ -10,3 +10,4 @@ To try this out:
 *  Run `go run .` to start the app.
 * Use [jwt.io](https://jwt.io/) to generate a JWT signed with the HS256 algorithm and `secret`.
 * Call `http://localhost:3000` with the JWT to get a response back.
+* see `main.go` for example tokens

examples/gin-example/go.mod

@@ -4,7 +4,8 @@ go 1.23.0
 
 require (
 	github.com/auth0/go-jwt-middleware/v2 v2.2.2
-	github.com/gin-gonic/gin v1.9.1
+	github.com/gin-gonic/gin v1.10.0
+	github.com/go-jose/go-jose/v4 v4.0.4
 )
 
 replace github.com/auth0/go-jwt-middleware/v2 => ./../../

examples/gin-example/main.go

@@ -11,9 +11,9 @@ import (
 
 // Try it out with:
 //
-// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyJ9.XFhrzWzntyINkgoRt2mb8dES84dJcuOoORdzKfwUX70
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyJ9.DSY4NlpZZ2mOqaKuXvJkOrgZA3nD5HuGaf1wB9-0OVw
 //
-// which is signed with 'secret' and has the data:
+// which is signed with 'abcdefghijklmnopqrstuvwxyz012345' and has the data:
 //
 //	{
 //	  "iss": "go-jwt-middleware-example",
@@ -26,9 +26,9 @@ import (
 //
 // You can also try out the custom validation with:
 //
-// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyIsInNob3VsZFJlamVjdCI6dHJ1ZX0.Jf13PY_Oyu2x3Gx1JQ0jXRiWaCOb5T2RbKOrTPBNHJA
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyIsInNob3VsZFJlamVjdCI6dHJ1ZX0.qjjJBgKNomlbEQrCobpEU9ASgvSpLQhQBryRkp6-RQc
 //
-// which is signed with 'secret' and has the data:
+// which is signed with 'abcdefghijklmnopqrstuvwxyz012345' and has the data:
 //
 //	{
 //	  "iss": "go-jwt-middleware-example",
@@ -39,9 +39,29 @@ import (
 //	  "username": "user123",
 //	  "shouldReject": true
 //	}
+//
+// You can also try out the /multiple endpoint. This endpoint accepts tokens signed by multiple issuers. Try the
+// token below which has a different issuer:
+//
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnby1qd3QtbWlkZGxld2FyZS1tdWx0aXBsZS1leGFtcGxlIiwiYXVkIjoiYXVkaWVuY2UtbXVsdGlwbGUtZXhhbXBsZSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsInVzZXJuYW1lIjoidXNlcjEyMyJ9.d0BmhdqVZ9IdqQNId3XI2kbTegwW5NYe9P4xQCOjQ1Y
+//
+// which is signed with 'abcdefghijklmnopqrstuvwxyz012345' and has the data:
+//
+//	{
+//		"iss": "go-jwt-middleware-multiple-example",
+//		"aud": "audience-multiple-example",
+//		"sub": "1234567890",
+//		"name": "John Doe",
+//		"iat": 1516239022,
+//		"username": "user123"
+//	}
+//
+// You can also try the previous tokens with the /multiple endpoint. The first token will be valid the second will fail because
+// the custom validator rejects it (shouldReject: true)
 
 func main() {
 	router := gin.Default()
+
 	router.GET("/", checkJWT(), func(ctx *gin.Context) {
 		claims, ok := ctx.Request.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
 		if !ok {
@@ -52,7 +72,37 @@ func main() {
 			return
 		}
 
-		customClaims, ok := claims.CustomClaims.(*CustomClaimsExample)
+		localCustomClaims, ok := claims.CustomClaims.(*CustomClaimsExample)
+		if !ok {
+			ctx.AbortWithStatusJSON(
+				http.StatusInternalServerError,
+				map[string]string{"message": "Failed to cast custom JWT claims to specific type."},
+			)
+			return
+		}
+
+		if len(localCustomClaims.Username) == 0 {
+			ctx.AbortWithStatusJSON(
+				http.StatusBadRequest,
+				map[string]string{"message": "Username in JWT claims was empty."},
+			)
+			return
+		}
+
+		ctx.JSON(http.StatusOK, claims)
+	})
+
+	router.GET("/multiple", checkJWTMultiple(), func(ctx *gin.Context) {
+		claims, ok := ctx.Request.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
+		if !ok {
+			ctx.AbortWithStatusJSON(
+				http.StatusInternalServerError,
+				map[string]string{"message": "Failed to get validated JWT claims."},
+			)
+			return
+		}
+
+		localCustomClaims, ok := claims.CustomClaims.(*CustomClaimsExample)
 		if !ok {
 			ctx.AbortWithStatusJSON(
 				http.StatusInternalServerError,
@@ -61,7 +111,7 @@ func main() {
 			return
 		}
 
-		if len(customClaims.Username) == 0 {
+		if len(localCustomClaims.Username) == 0 {
 			ctx.AbortWithStatusJSON(
 				http.StatusBadRequest,
 				map[string]string{"message": "Username in JWT claims was empty."},

examples/gin-example/middleware.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"log"
 	"net/http"
 	"time"
@@ -13,13 +14,15 @@ import (
 
 var (
 	// The signing key for the token.
-	signingKey = []byte("secret")
+	signingKey = []byte("abcdefghijklmnopqrstuvwxyz012345")
 
 	// The issuer of our token.
-	issuer = "go-jwt-middleware-example"
+	issuer    = "go-jwt-middleware-example"
+	issuerTwo = "go-jwt-middleware-multiple-example"
 
 	// The audience of our token.
-	audience = []string{"audience-example"}
+	audience    = []string{"audience-example"}
+	audienceTwo = []string{"audience-multiple-example"}
 
 	// Our token must be signed using this data.
 	keyFunc = func(ctx context.Context) (interface{}, error) {
@@ -76,3 +79,50 @@ func checkJWT() gin.HandlerFunc {
 		}
 	}
 }
+
+func checkJWTMultiple() gin.HandlerFunc {
+	// Set up the validator.
+	jwtValidator, err := validator.NewValidator(
+		keyFunc,
+		validator.HS256,
+		validator.WithCustomClaims(customClaims),
+		validator.WithAllowedClockSkew(30*time.Second),
+		validator.WithExpectedClaims(jwt.Expected{
+			Issuer:      issuer,
+			AnyAudience: audience,
+		}, jwt.Expected{
+			Issuer:      issuerTwo,
+			AnyAudience: audienceTwo,
+		}),
+	)
+	if err != nil {
+		log.Fatalf("failed to set up the validator: %v", err)
+	}
+
+	errorHandler := func(w http.ResponseWriter, r *http.Request, err error) {
+		log.Printf("Encountered error while validating JWT: %v", err)
+	}
+
+	middleware := jwtmiddleware.New(
+		jwtValidator.ValidateToken,
+		jwtmiddleware.WithErrorHandler(errorHandler),
+	)
+
+	return func(ctx *gin.Context) {
+		encounteredError := true
+		var handler http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
+			encounteredError = false
+			ctx.Request = r
+			ctx.Next()
+		}
+
+		middleware.CheckJWT(handler).ServeHTTP(ctx.Writer, ctx.Request)
+
+		if encounteredError {
+			ctx.AbortWithStatusJSON(
+				http.StatusUnauthorized,
+				map[string]string{"message": "JWT is invalid."},
+			)
+		}
+	}
+}

examples/http-example/README.md

@@ -10,3 +10,4 @@ To try this out:
 * Run `go run main.go` to start the app.
 * Use [jwt.io](https://jwt.io/) to generate a JWT signed with the HS256 algorithm and `secret`.
 * Call `http://localhost:3000` with the JWT to get a response back.
+* see `main.go` for example tokens