Let’s cover how to use Azure Active Directory (for authenticating) and JSON Web Tokens (for authorizing) your enterprise users in Go!
By the way, this is not your classic "How to use Go with JWT" post (search "golang jwt" on Google, or any other search engine, for that); it focuses specifically on using the actual Azure Active Directory service to get the JSON Web Token and then using that token to authorize your API.
Prerequisites
- You understand what JSON Web Tokens and OpenID Connect are.
- If you don’t have an Azure account, then register! Next, make sure you activate the free account so you have proper access to Active Directory, and don’t forget to deactivate it within 30 days or you will spend money!
- Register your application with your Active Directory tenant; for the Application type use Web app / API. Make sure you read that link completely to understand the rationale behind the final Go example.
If this is your first time using Azure Active Directory, here are a few really important things to know:
- The Sign-on URL is supposed to be the endpoint used for authorization; you can always change it.
- The Tenant is the `xyz.onmicrosoft.com` name; you get that by going to Azure Active Directory, it’s on the Overview tab.
- To enable returning security group information in the claims, you have to edit the Manifest and replace the value of `groupMembershipClaims` with `SecurityGroup`.
- For testing purposes, create a few users and a few groups (use the `Security` type), add some users to the groups, and make sure you write down their Object IDs; those will be used as parameters for our Go program.
Conclusion
Take a look at the existing repository; the important bits are the following:
- Getting the OpenID Connect discovery document from Azure; we will use the contents of that document when decoding the JWT.
- Parsing the JWT using the JSON Web Key Set (JWKS) referenced by the OpenID Connect document.
- The parsed JWT gives us the groups the user belongs to, which we can then use to authorize the specific endpoint.