I’ve been using the golang chi router in one of my projects recently and for the most part it’s been great. I’ve just a simple router with a few routes so I’ve not pushed it to any advanced use cases but it seems simple enough and extensible enough it should get a long way there.
The latest project I’ve needed to do was add Authentication using JWT to two routes. This seemed simple and straightforward as they provide a default JWT middleware implementation called github.com/go-chi/jwtauth. It’s simple and straightforward so easy to get going and I was able to get it working accepting a single token relatively easily.
However as I said above, I needed to accept multiple tokens. Maybe the library could be modified in some way to accept multiple tokens but it doesn’t make it easy and to me did not look possible for the work it would require. This is especially unfortunate as there is a thing in JSON Web land called JSON Web Key Sets which allow you to accept multiple tokens. There is a PR to accept JWK Sets but this has had no activity lately so it’s not clear if it’ll happen any time soon: https://github.com/go-chi/jwtauth/pull/71
Instead in the end I created my own middleware to read a JWK Set using the same underlying library as jwtauth: github.com/lestrrat-go/jwx. As I said above, chi makes it easy to create middleware and the lestrrat-go library makes it easy to accept JWT Sets.
This can be done in a two step process. The first is to parse the JWK Set and the second is check JWT against the JWK Set
set, err := jwk.Parse(keys)
parsedToken, err := jwt.ParseString(token, jwt.WithKeySet(set))