Parsing and Validating a JWT

Keyfunc

With Options

| Option Name | Arguments | Description |
| --- | --- | --- |
| WithValidMethods | methods as []string | Supplies a list of signing methods that the parser will check against the algorithm on the token. Only the supplied methods will be considered valid. Using this option is strongly encouraged in order to prevent "none" algorithm attacks. [1] |
| WithJSONNumber | - | Configures the underlying JSON parser to use the UseNumber function, which decodes numeric JSON values into the json.Number type instead of float64. This type can then be converted into either a floating-point or an integer type. |
| WithIssuer | issuer as string | Configures the validator to require the specified issuer in the "iss" [2] claim. Validation will fail if a different issuer is specified in the token or the "iss" claim is missing. |
| WithSubject | subject as string | Configures the validator to require the specified subject in the "sub" [3] claim. Validation will fail if a different subject is specified in the token or the "sub" claim is missing. |
| WithAudience | audience as string | Configures the validator to require the specified audience in the "aud" [4] claim. Validation will fail if the audience is not listed in the token or the "aud" claim is missing. The contents of the audience string are application-specific, but often contain the URI of the service that consumes the token. |
| WithLeeway | leeway as time.Duration | According to the RFC, a certain time window (leeway) is allowed when verifying time-based claims, such as expiration time. This is because there is no perfect clock synchronization on distributed systems such as the internet. While we do not enforce any restriction on the amount of leeway, it should generally not exceed a few minutes. [5] |
| WithIssuedAt | - | Enables a sanity check of the "iat" [6] claim. More specifically, when this option is turned on, the validator will check that the issued-at time is not in the future. |
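The following is an added example, not code from this page or from the golang-jwt project: a standard-library sketch of the checks that WithValidMethods and WithLeeway describe, showing that the algorithm allow-list is evaluated before any signature work and that leeway only widens the "exp" boundary. The names mint, verify and mac, and the sample key and tokens, are assumptions constructed for illustration; only HS256 is implemented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

func mac(msg string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// mint builds a constructed sample token from raw header and claims JSON.
func mint(hdr, claims string, key []byte) string {
	msg := enc.EncodeToString([]byte(hdr)) + "." + enc.EncodeToString([]byte(claims))
	return msg + "." + enc.EncodeToString(mac(msg, key))
}

// verify (illustrative, not golang-jwt code): alg allow-list, then HS256 signature, then exp + leeway.
func verify(tok string, key []byte, algs []string, leeway time.Duration, now time.Time) error {
	p := strings.Split(tok, ".")
	var h struct{ Alg string }
	hb, err := enc.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(hb, &h) != nil || !slices.Contains(algs, h.Alg) {
		return fmt.Errorf("malformed token or signing method %q not allowed", h.Alg)
	}
	sig, err := enc.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, mac(p[0]+"."+p[1], key)) {
		return fmt.Errorf("signature invalid")
	}
	var c struct{ Exp int64 }
	cb, err := enc.DecodeString(p[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || now.After(time.Unix(c.Exp, 0).Add(leeway)) {
		return fmt.Errorf("token expired or claims unreadable")
	}
	return nil
}

func main() {
	fmt.Println(verify(mint(`{"alg":"none"}`, `{"exp":0}`, nil), nil, []string{"HS256"}, 0, time.Now()))
}
```

A token whose header names any method outside the allow-list is rejected regardless of what its signature segment contains, which is the behaviour the WithValidMethods row recommends relying on.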
Danger Zone