feat: merge the verifier types (#336)

BREAKING CHANGE: - The various verifier types are merged into a oidc.Verifir. - oidc.Verfier became a struct with exported fields * use type aliases for oidc.Verifier this binds the correct contstructor to each verifier usecase. * fix: handle the zero cases for oidc.Time * add unit tests to oidc verifier * fix: correct returned field for JWTTokenRequest JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field. This change corrects that by returning IssuedAt instead.
2023-03-22 19:18:41 +02:00 · 2023-03-22 19:18:41 +02:00 · 33c716ddcf
commit 33c716ddcf
parent c8cf15e266
29 changed files with 948 additions and 351 deletions
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@ -8,6 +8,7 @@ import (
 	"errors"
 	"time"

+	"github.com/muhlemmer/gu"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"gopkg.in/square/go-jose.v2"
 )
@ -17,7 +18,7 @@ type KeySet struct{}

 // VerifySignature implments op.KeySet.
 func (KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
-	if ctx.Err() != nil {
+	if err = ctx.Err(); err != nil {
 		return nil, err
 	}

@ -45,6 +46,16 @@ func init() {
 	}
 }

+type JWTProfileKeyStorage struct{}
+
+func (JWTProfileKeyStorage) GetKeyByIDAndClientID(ctx context.Context, keyID string, clientID string) (*jose.JSONWebKey, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+
+	return gu.Ptr(WebKey.Public()), nil
+}
+
 func signEncodeTokenClaims(claims any) string {
 	payload, err := json.Marshal(claims)
 	if err != nil {
@ -106,6 +117,25 @@ func NewAccessToken(issuer, subject string, audience []string, expiration time.T
 	return NewAccessTokenCustom(issuer, subject, audience, expiration, jwtid, clientID, skew, nil)
 }

+func NewJWTProfileAssertion(issuer, clientID string, audience []string, issuedAt, expiration time.Time) (string, *oidc.JWTTokenRequest) {
+	req := &oidc.JWTTokenRequest{
+		Issuer:    issuer,
+		Subject:   clientID,
+		Audience:  audience,
+		ExpiresAt: oidc.FromTime(expiration),
+		IssuedAt:  oidc.FromTime(issuedAt),
+	}
+	// make sure the private claim map is set correctly
+	data, err := json.Marshal(req)
+	if err != nil {
+		panic(err)
+	}
+	if err = json.Unmarshal(data, req); err != nil {
+		panic(err)
+	}
+	return signEncodeTokenClaims(req), req
+}
+
 const InvalidSignatureToken = `eyJhbGciOiJQUzUxMiJ9.eyJpc3MiOiJsb2NhbC5jb20iLCJzdWIiOiJ0aW1AbG9jYWwuY29tIiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImV4cCI6MTY3Nzg0MDQzMSwiaWF0IjoxNjc3ODQwMzcwLCJhdXRoX3RpbWUiOjE2Nzc4NDAzMTAsIm5vbmNlIjoiMTIzNDUiLCJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF6cCI6IjU1NTY2NiJ9.DtZmvVkuE4Hw48ijBMhRJbxEWCr_WEYuPQBMY73J9TP6MmfeNFkjVJf4nh4omjB9gVLnQ-xhEkNOe62FS5P0BB2VOxPuHZUj34dNspCgG3h98fGxyiMb5vlIYAHDF9T-w_LntlYItohv63MmdYR-hPpAqjXE7KOfErf-wUDGE9R3bfiQ4HpTdyFJB1nsToYrZ9lhP2mzjTCTs58ckZfQ28DFHn_lfHWpR4rJBgvLx7IH4rMrUayr09Ap-PxQLbv0lYMtmgG1z3JK8MXnuYR0UJdZnEIezOzUTlThhCXB-nvuAXYjYxZZTR0FtlgZUHhIpYK0V2abf_Q_Or36akNCUg`

 // These variables always result in a valid token
@ -137,6 +167,10 @@ func ValidAccessToken() (string, *oidc.AccessTokenClaims) {
 	return NewAccessToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidJWTID, ValidClientID, ValidSkew)
 }

+func ValidJWTProfileAssertion() (string, *oidc.JWTTokenRequest) {
+	return NewJWTProfileAssertion(ValidClientID, ValidClientID, []string{ValidIssuer}, time.Now(), ValidExpiration)
+}
+
 // ACRVerify is a oidc.ACRVerifier func.
 func ACRVerify(acr string) error {
 	if acr != ValidACR {