JWT – Token Based Authentication using GO


Token-based authentication, relies on Token for determine whether the request is authorized or not. And JWT is one of token-based authentication.

Sharing is caring!

Introduction

It’s been a while since my last post in this blog. Well, I trapped in my daily routines, tight deadline and could not get away to find my free time to write an article. Now I have a little freedom and try to write again. Therefore, this one is going to be short one.

In this article I would like to address about token based authentication. This type of authentication emerged in concurrent with the booming of mobile applications. Further, this type of authentication is corroborated by micro services architectures lately. And one of the mechanism to implement token-based authentication is JSON Web-Token (JWT).

If you have no idea what JWT is all about, you can visit this page. The introduction is very concise and informative. Also very helpful for a starter.

Use Case

The use case is very common. I will create an endpoint (or service) for authentication purpose. User then will have to send username and password to authentication service. Whenever the authentication success, the service will return a token, in JWT format, as part of response header.

It seems trivial doesn’t it? To make thing matter, I would like to add a little complexity in this case. After the authentication service generates token for each request, the service will assign a unique ID for each token. Then I will store this unique ID into database with one additional column which contains username and its associated roles. Next, every request has to look up to the ID in the database, to acknowledge whether the ID is valid or not. Moreover, by looking up the associated ID in the database, every request can gather username and roles. This is very useful as part of authorization process (authorization by roles) and logging purpose. Lastly, whenever the user logout from the ecosystem, I will remove his unique ID from the database.

I use this approach with two major considerations:

  1. By putting only token unique ID in the payload body, I could make the JWT shorter. This could be significant because every request needs to pass the token as part of request header. Furthermore, this approach could resolve some security issue, such as expose the username as part of token payload.
  2. Even though JWT already has the expiry date, there would be some use case when you want to force the user to logout from the ecosystem. By the lookup ID for every request mechanism, we can force logout by removing the ID from the database. So, if the request do not find the ID, then I will return 401.

Step by Step

For this example, there are several libraries or tools to support the use case:

  1. SermoDigital for JWT (https://github.com/SermoDigital/jose)
  2. UUID generator (https://github.com/leonelquinteros/gorand)
  3. Go-kit
  4. Key Value Database using Consul

I only show part of the code, which are the security part. I used the similar structure like in my previous post.

Step 1: security.go

First, define the signatures for JWT.

Next create endpoint, named it JwtEndpoint. JwtEndpoint function will retrieve consulAddress and consulPort to assign the ID and its associate payload into Consul KV database.

Step 2: transport.go

This one is similar as the previous sample, but only small additional changes to assign the token into response header. The field name for this associated token is X-TOKEN-GEN.

Step 3: main.go

Just a snippet in the main function to include JwtEndpoint as part of request/response.

Step 4: Execute

Running consul:

Running authentication service:

Make a request:

Response:

Notice X-Token-Gen header in the response header.

Consul KV:

Consul KV

 

 

 

Conclusion

Whenever we want to implement token-based authentication, one thing we can consider is JWT. And implementing JWT via Golang is not a big deal. Thanks to SermoDigital for providing the library. It is quite simple and straight forward.

Also, the KV database from Consul is a great choice as well. Because what we need is only a memory database, with only two columns. So it fits nicely for this purpose.

So far, I talked about authentication process by using token-based process. But authentication will come with another functionality, which is authentication. So I will talk about authorization in my next post. Hopefully :).

You can see the full source code under my repository, under sub-folder auth.

Author: ru rocker

I am a professional software developer with more than 10 years experiences. I am a certified Java Developer (SCJP and SCWCD). However, In the recent months, I have more interest in DevOps and start to become a polyglot developer. Python and Go-lang become my favorite programming languages besides Java.

1 thought on “JWT – Token Based Authentication using GO”

Leave a Reply

Your email address will not be published. Required fields are marked *