Integer precision loss when decoding JWT payload JSON

[chenxuyuan1997]

When decoding a JWT with large integer values in the payload, precision may be lost due to how encoding/json parses numbers by default (as float64). I noticed that the JWT library already provides an option to avoid this issue via the jwt.WithJSONNumber() parser option.
https://github.com/golang-jwt/jwt/blob/main/parser_option.go#L23.

[chenxuyuan1997]

Would it be possible to support configuration to enable WithJSONNumber behavior?

[agilezebra]

Sure @chenxuyuan1997 I'll add this in tonight. Do you have an example payload (just the JSON of the JWT will be fine) that you can paste here so I can do a before and after to check I've addressed your issue?

[chenxuyuan1997]

Thanks @agilezebra ! 🙏 Here’s a example

package main

import (
	"encoding/json"
	"fmt"

	"github.com/golang-jwt/jwt/v5"
)

func main() {
	tokenString := createTokenWithBigInt()

	parser := jwt.NewParser()
	// parser := jwt.NewParser(jwt.WithJSONNumber())
	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
	if err != nil {
		panic(err)
	}

	if claims, ok := token.Claims.(jwt.MapClaims); ok {
		b, err := json.Marshal(claims)
		if err != nil {
			panic(err)
		}
		// want 1147953659032899584，but got 1147953659032899600
		fmt.Println(string(b))
	}
}

func createTokenWithBigInt() string {
	claims := jwt.MapClaims{
		"user_id": 1147953659032899584,
		"name":    "Alice",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)
	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
	return tokenString
}

[agilezebra]

Hi @chenxuyuan1997 I've release https://github.com/agilezebra/jwt-middleware/releases/tag/v1.2.19 with your suggestion.
Let me know if it addresses your issue - and please do give the repo a star if it's helpful.
thanks, Graham

[chenxuyuan1997]

Hi @agilezebra ,
Thanks a lot for the quick update and for implementing the suggestion! I’ve tested the new release, and it works perfectly.
Really appreciate your work — I’ve starred the repo as well. 👍