decode jwt with rs256 algorithm in golang-jwt / jwt

[chaotic98]

the documentation only has parsing and validate with Hmac
https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac
is there any way to decode in rs256 ?

[dfath]

Try using ParseUnverified, it useful if you want to extract values without validate.

jwt/parser_test.go

Line 430 in 148d710

func TestParser_ParseUnverified(t *testing.T) {

[oxisto]

Please do NOT use ParseUnverified unless you REALLY know what you are doing.

We really need to supply an appropriate example using asymmetric keys. Basically it works the same way as for HMAC, but instead of supplying a []byte key, you need to supply a *rsa.PublicKey in the keyfunc. Something like

var myPublicKey *rsa.PublicKey

// Load key from file
myPublicKey = /*...*/

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	// Don't forget to validate the alg is what you expect:
	if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
	}

	return myPublicKey, nil
})