JWTs Authentication with Go, echo, and GraphQL
A simple tutorial of JWT authentication using Go, echo, and GraphQL
I introduced how to build a Go API with GraphQL in the previous post. This post focuses on authenticating that GraphQL API with JWTs.
Example Repo
Here is a link to the codebase in full for reference:
Pre-requisites
To get started quickly, you can set up the GraphQL API by following the previous post:
If you are not familiar with JWTs, read an introduction to them before starting.
Dependencies
jwt-go lets us create and verify JWTs in Go. Install it with:
go get github.com/dgrijalva/jwt-go
Generate RSA key
JSON Web Tokens offer a simple way to issue tokens for any API; each token carries a payload that should be cryptographically signed. The most popular signature scheme is HS256 (HMAC with SHA-256), which needs the same secret key both to generate and to validate tokens. For microservices, this means the secret key must be available in multiple places, which increases the risk of it being compromised.
Public-key signatures are a better fit: the private signing key is stored safely in one service and used only to issue tokens, while other services verify the tokens with the public key and never need access to the private key. In this article, we take advantage of that split.
Generate RSA key in the root project:
$ ssh-keygen -t rsa -m PEM
Enter your project path:
Generating public/private rsa key pair.
Enter file in which to save the key: ${Your project root path}/id_rsa
Export the public key as a PEM-encoded PKCS8 key, which is the format jwt-go parses (see the docs):
ssh-keygen -f id_rsa.pub -e -m pkcs8 > id_rsa.pub.pkcs8
Sign-in
Let’s suppose that we have a sign-in page: the user submits a username and password, and in return receives an access token.
Create a handler for the sign-in page in handler/handler.go:
Create auth/auth.go:
Add the signIn route in main.go:
Post a username and password to it:
curl -X POST -d 'username=you' -d 'password=passed' localhost:3000/signIn
You’ll get the generated token:
{
"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....
}
This token will be used when adding an HTTP Header later on.
Restricting GraphQL
In the previous post, we built a GraphQL server that responds to the users query. We want to restrict access to it by verifying the token.
Right now, anyone can read the users data in GraphiQL at http://localhost/graphql:
Let’s restrict it in main.go:
echo provides a JWT authentication middleware, JWTWithConfig, that can be attached to a route group so that every request to that group is verified automatically. Here we group the graphql route, which means every request under the http://localhost/graphql path is validated.
And create a GetRSAPublicKey in auth/auth.go:
Let’s check to see if it works in GraphiQL:
As you can see, the server now responds with an unauthorized error.
To authorize the request, add the token to the HTTP headers. Click Edit HTTP Headers:
Add a header name and value:
- Header name: Authorization
- Header value: Bearer {token}
Click Save and run the query again:
It works fine!
Conclusion
That’s it. I hope this post will help you.
The final codebase is here.