CustomClaims with multiple audiences cannot be unmarshalled

[arawden]

Description

I believe this is an isssue with the underlying jwt-go code, but I've been spending a lot of time struggling to make progress with this. I've updated my go modules and I'm currently on v1 of the jwt-middleware and v3.2.2 of the form3tech-oss/jwt-go packages

When presented with an audience which is an array, the library cannot unmarshal into the CustomClaims object and gives:
json: cannot unmarshal string into Go struct field CustomClaims.aud of type []string

Provide a clear and concise description of the issue, including what you expected to happen.

I believe the core issue lies in ParseWithClaims, but I can't say for sure

Reproduction

I'm mostly going off of the Auth0 Go Quickstart, and my code looks like this:
Middleware:

func (api API) SetupJWTMiddleware() *jwtmiddleware.JWTMiddleware {
	authJWTMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
		ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
			checkAudience := token.Claims.(jwt.MapClaims).VerifyAudience(api.AuthConfig.Audience, false)
			if !checkAudience {
				return token, errors.New("could not verify token audience")
			}

			checkIssuer := token.Claims.(jwt.MapClaims).VerifyIssuer(api.AuthConfig.Issuer, false)
			if !checkIssuer {
				return token, errors.New("could not verify token issuer")
			}

			cert, err := api.getPemCert(token)
			if err != nil {
				panic(err)
			}

			result, _ := jwt.ParseRSAPublicKeyFromPEM([]byte(cert))

			return result, nil
		},
		SigningMethod: jwt.SigningMethodRS256,
	})

	return authJWTMiddleware
}

Authenticated request handler:

func (api API) AuthedEndpoint(apiEndpoint http.HandlerFunc) http.HandlerFunc {
	return func(response http.ResponseWriter, request *http.Request) {
		err := api.AuthMiddleware.CheckJWT(response, request)
		if err != nil {
			return // CheckJWT writes to response for us
		}

		token, err := jwtmiddleware.FromAuthHeader(request)

		if err != nil {
			http.Error(response, err.Error(), http.StatusForbidden)

			return
		}

		hasScope := api.checkScope("some-scope", token)
		if !hasScope {
			http.Error(response, "insufficient scope to access endpoint", http.StatusForbidden)

			return
		}

		apiEndpoint(response, request)
	}
}

checkScope:

func (api API) checkScope(scope string, tokenString string) bool {
	token, err := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func(token *jwt.Token) (interface{}, error) {
		cert, err := api.getPemCert(token)

		if err != nil {
			return nil, err
		}

		result, _ := jwt.ParseRSAPublicKeyFromPEM([]byte(cert))

		return result, nil
	})

	if err != nil {
		fmt.Printf(err.Error())
	}

	claims, ok := token.Claims.(*CustomClaims)

	hasScope := false

	if ok && token.Valid {
		scopes := strings.Split(claims.Scope, " ")
		for index := range scopes {
			if scopes[index] == scope {
				hasScope = true
			}
		}
	}

	return hasScope
}

I ran into this issue when trying to hit authenticated endpoints with a token generated with the React useAuth0 hook, specifically getAccessTokenSilently, which gives me a token with:

 "aud": [
    "my.project.domain/api/",
    "https://project.us.auth0.com/userinfo"
  ],

[arawden]

I was unable to reproduce this issue this morning, so feel free to close this.

[grounded042]

Hey @arawden. This sounds similar to #72. Any chance that issue gives any insight into the one you are having?

[arawden]

Hey @grounded042, it definitely looks to be equivalent.

To expand a little bit, I have an integration test which creates a token and then tries to make a request to an endpoint wrapped with the AuthedEndpoint middleware I posted. I've checked the token that gets passed to the endpoint in the jwt.io decoder, and it looks fine to me. It is the same token, roughly, as the one passed from my frontend, except it is missing the userinfo audience (I assume because the token is generated programatically), so there's only the string and no array.

With that said, I get similar behavior. If i catch the error on the token, err := jwt.ParseWithClaims(tokenString, &CustomClaims{}, func(token *jwt.Token) (interface{}, error), I get the error specified in the original bug report. As a result, when the ParseWithClaims call returns, the token struct's Valid field is set to false.

In total, both my integration tests and requests from my frontend to the endpoint wrapped with the middleware fail. In the first case, the token is considered not valid (if ok && token.Valid { fails, however the audience is fine because it is not an array), and in the second case, the CheckJWT call in the AuthedEndpoint middleware fails because the audience cannot be verified

I see there is a solution which involves converting the types in the call to VerifyAudience, however, I believe this solution would not work for me because I would need to implement a similar solution to the ParseWithClaims function.

I also see that @aaronprice00 posted a modified version of the go-jwt-middleware, however, given that my project is not dependent on authorization to move forward, I'm happy to wait for a more permanent solution.

Please let me know if you need any further information for this ticket, and I'll keep an eye on the issue you linked and try to contribute there if I can.

[grounded042]

Thanks @arawden. I just dropped a comment over in #72 if you could take a look when you get a chance: #72 (comment)

[sergiught]

We just released the v2.0.0-beta 🥳 !

You can start testing it by running go get github.com/auth0/go-jwt-middleware/v2@v2.0.0-beta.

In case of issues fetching the v2 you might want to try go clean --modcache first before doing go get.

I'm closing this issue as now this is part of v2, but feel free to reopen if needed.