DEV Community: Darsh Ayde The latest articles on DEV Community by Darsh Ayde (@pixie2468). https://dev.to/pixie2468 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2991081%2Fa8555d2f-813f-49e2-afa0-3d3b177c22c7.png DEV Community: Darsh Ayde https://dev.to/pixie2468 en Stop Trusting Every JWT: How I Handle OIDC Claims in My Go Gateway Darsh Ayde Thu, 11 Jun 2026 10:06:22 +0000 https://dev.to/pixie2468/stop-trusting-every-jwt-how-i-handle-oidc-claims-in-my-go-gateway-1kf1 https://dev.to/pixie2468/stop-trusting-every-jwt-how-i-handle-oidc-claims-in-my-go-gateway-1kf1 <h2> Building a Secure OIDC Verification Layer in Go </h2> <p>Authentication is one of those things every backend engineer eventually has to build—and secretly dreads getting wrong. When I started architecting the auth layer for my Go API gateway, I naturally reached for OpenID Connect (OIDC). It’s the industry standard, so how hard could it be?</p> <p>As it turns out, parsing a JWT is trivial. <em>Trusting</em> a JWT is where the trapdoors hide. If you blindly decode a token and trust the payload, you are exactly one spoofed signature away from a major security incident. I needed a way to dynamically discover my identity provider’s keys, cryptographically verify incoming requests, and strictly enforce the claims my backend actually cares about (like ensuring a user <em>actually</em> owns the email address they claim to).</p> <p>In this post, I’ll walk you through how I built the OIDC verification layer for my gateway. We won't just look at the happy path; we’ll look at why I used interfaces to keep the auth logic mockable, how to avoid network traps during startup, and why an unassuming <code>email_verified</code> pointer is your gateway’s best friend.</p> <h3> High-Level Flow </h3> <p>Before we dive into the Go code, here is the basic verification flow this architecture follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client | | ID Token (JWT) v API Gateway | | 1. Discover OIDC provider metadata | 2. Verify JWT signature (via JWKS) | 3. Validate issuer and audience | 4. Extract strongly-typed claims | 5. Enforce application-specific rules (e.g., email verification) v Authenticated User </code></pre> </div> <p><em>(Note: The complete source code for this example is available on my GitHub: <a href="https://github.com/Pixie2468/dearai-backend" rel="noopener noreferrer">dearai-backend</a>)</em></p> <h3> Breaking Down the Implementation </h3> <p>Let's look at how this breaks down in Go, starting from the core domain types and moving into runtime validation.</p> <h4> 1. Designing for Testability </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">auth</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"errors"</span> <span class="s">"fmt"</span> <span class="s">"github.com/coreos/go-oidc/v3/oidc"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">TokenVerifier</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Verify</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">tokenString</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">ExternalClaims</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Notice that the package exports a <code>TokenVerifier</code> interface rather than forcing consumers to use a concrete struct. This is classic dependency inversion.</p> <p>When you're writing unit tests for your HTTP handlers or middleware, you really don't want them making live network calls to Google, Okta, or Auth0. By depending on this interface, you can easily inject a mock verifier that simply returns dummy claims for testing, keeping your test suite fast, offline, and deterministic.</p> <h4> 2. Defining Expected Claims </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">ExternalClaims</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Subject</span> <span class="kt">string</span> <span class="s">`json:"sub"`</span> <span class="n">Email</span> <span class="kt">string</span> <span class="s">`json:"email"`</span> <span class="n">EmailVerified</span> <span class="o">*</span><span class="kt">bool</span> <span class="s">`json:"email_verified"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">OIDCVerifier</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">verifier</span> <span class="o">*</span><span class="n">oidc</span><span class="o">.</span><span class="n">IDTokenVerifier</span> <span class="p">}</span> </code></pre> </div> <p>We map the JWT payload into an <code>ExternalClaims</code> struct. The <code>sub</code> (subject) claim should always be treated as your primary user identifier. It is immutable and stable, making it the perfect key to link to your internal user records. While it's tempting to use the user's <code>email</code> as a unique identifier, emails change, which can break data relationships later.</p> <p>You'll also notice <code>EmailVerified</code> is defined as a <code>*bool</code> (a pointer to a boolean) rather than a primitive <code>bool</code>. This is a deliberate choice. It allows us to differentiate between a claim that is explicitly set to <code>false</code> and a claim that is completely missing from the token payload (which evaluates to <code>nil</code>). Both scenarios should result in a rejected token, and a pointer allows us to catch both cleanly.</p> <h4> 3. Discovery and the Network Trap </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">NewOIDCVerifier</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">issuer</span><span class="p">,</span> <span class="n">clientID</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">TokenVerifier</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">issuer</span> <span class="o">==</span> <span class="s">""</span> <span class="o">||</span> <span class="n">clientID</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"issuer and clientID are required"</span><span class="p">)</span> <span class="p">}</span> <span class="n">provider</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">oidc</span><span class="o">.</span><span class="n">NewProvider</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">issuer</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to discover OIDC configuration: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">OIDCVerifier</span><span class="p">{</span> <span class="n">verifier</span><span class="o">:</span> <span class="n">provider</span><span class="o">.</span><span class="n">Verifier</span><span class="p">(</span><span class="o">&amp;</span><span class="n">oidc</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span><span class="n">ClientID</span><span class="o">:</span> <span class="n">clientID</span><span class="p">}),</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Before any network activity occurs, the constructor validates its inputs to fail fast. Then, we call <code>oidc.NewProvider</code>. This is where OIDC discovery happens. The library hits the issuer's <code>.well-known/openid-configuration</code> endpoint to fetch metadata, including the JWKS (JSON Web Key Set) URL which contains the public keys needed to verify token signatures.</p> <p>This is the only place in the setup phase where network I/O occurs. Because of this, it is critical to pass a <code>context.Context</code> with a reasonable timeout into this function. If the identity provider goes down during a deployment and you don't have a timeout, your application startup will block indefinitely.</p> <h4> 4. The Verification Pipeline </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">v</span> <span class="o">*</span><span class="n">OIDCVerifier</span><span class="p">)</span> <span class="n">Verify</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">tokenString</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">ExternalClaims</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">idToken</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">v</span><span class="o">.</span><span class="n">verifier</span><span class="o">.</span><span class="n">Verify</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">tokenString</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"cryptographic token verification failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">claims</span> <span class="n">ExternalClaims</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">idToken</span><span class="o">.</span><span class="n">Claims</span><span class="p">(</span><span class="o">&amp;</span><span class="n">claims</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to unmarshal token claims: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">claims</span><span class="o">.</span><span class="n">Subject</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"invalid token: missing 'sub' claim"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">claims</span><span class="o">.</span><span class="n">Email</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"invalid token: missing 'email' claim"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">claims</span><span class="o">.</span><span class="n">EmailVerified</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="o">!*</span><span class="n">claims</span><span class="o">.</span><span class="n">EmailVerified</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"invalid token: email address is unverified"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">claims</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The <code>Verify</code> method acts as our gatekeeper, enforcing rules in a very specific order.</p> <p>First, we establish <strong>cryptographic trust</strong> by passing the raw token to <code>v.verifier.Verify()</code>. This leverages the provider's public keys to ensure the signature is mathematically valid, checks that the token hasn't expired, and verifies that the <code>ClientID</code> (Audience) matches your app. This last part is crucial—it prevents your gateway from accepting valid tokens that were actually minted for an entirely different application.</p> <p>Once we trust the signature, we unmarshal the payload into our <code>ExternalClaims</code> struct to get strongly-typed Go values. Finally, we enforce our <strong>business logic trust</strong>. We ensure the <code>sub</code> and <code>email</code> aren't blank, and we evaluate that <code>*bool</code> to guarantee the identity provider has verified the user's email. If a token fails any of these steps, execution halts immediately and the request is dropped.</p> <h3> A Quick Note on Token Types </h3> <p>It’s worth mentioning that this specific implementation is designed to verify OIDC <strong>ID tokens</strong>, which are meant to communicate identity information (who the user is). <strong>Access tokens</strong>, on the other hand, are meant for API authorization (what the user can do) and often follow different validation rules depending on the provider. Make sure you are verifying the right token for your specific architecture.</p> <h3> Wrapping Up </h3> <p>Verifying an OIDC token requires a lot more rigor than just base64-decoding a JSON payload. By leveraging OIDC discovery and the <code>go-oidc</code> library, we get automatic key rotation handling and cryptographic certainty. Combine that with strictly typed claims and interface-driven design, and you end up with an auth layer that is secure, resilient, and highly testable.</p> <h3> Further Reading </h3> <p>If you'd like to see how this fits into the broader API gateway, or if you want to follow along with my future backend engineering articles:</p> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/Pixie2468" rel="noopener noreferrer">github.com/Pixie2468</a> </li> <li> <strong>LinkedIn:</strong> <a href="https://www.linkedin.com/in/darsh-ayde/" rel="noopener noreferrer">linkedin.com/in/darsh-ayde/</a> </li> </ul> go security webdev architecture