Use the golang-jwt/jwt library to parse and verify JWT tokens against the public key extracted from your X.509 certificate. Decode the PEM certificate, parse it with x509.ParseCertificate, take its public key, and pass that key to jwt.Parse while accepting only the RS256 signing method.
import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/golang-jwt/jwt/v5"
)
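// verifyJWT parses tokenString and verifies its signature against the RSA
// public key carried by certPEM, a PEM-encoded X.509 certificate that the
// caller already trusts (this function does no chain, revocation or validity
// period check on the certificate itself). Only tokens signed with RS256 are
// accepted; any other "alg" value is rejected before the key is used.
//
// It returns the parsed token on success. The error reports an undecodable
// PEM block, an unparsable certificate, a certificate whose key is not RSA,
// or any signature or claims failure surfaced by jwt.Parse.
func verifyJWT(tokenString string, certPEM string) (*jwt.Token, error) {
	// Only the first PEM block is used; trailing data is ignored.
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return nil, fmt.Errorf("failed to decode PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing certificate: %w", err)
	}
	// Resolve the key type up front so a certificate carrying an ECDSA or
	// Ed25519 key fails with a clear message instead of deep inside the library.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate public key is %T, want *rsa.PublicKey", cert.PublicKey)
	}
	keyFunc := func(token *jwt.Token) (any, error) {
		// Guard against algorithm confusion: the RSA public key must never be
		// handed to an HMAC (or "none") method, which would treat it as a
		// shared secret. WithValidMethods below narrows the family to RS256.
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return pub, nil
	}
	// The parser rejects a token whose "alg" header is not RS256 before
	// keyFunc runs, independently of the type check inside keyFunc.
	return jwt.Parse(tokenString, keyFunc, jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}))
}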