cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge c5c849a93c into d6e37fa741

Browse source
This commit is contained in:
Brian Joerger 2025-06-17 09:52:03 -07:00 committed by GitHub
commit 71a7092d68
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 20 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

27
pkg/client/rp/verifier.go
View file

@ -10,15 +10,18 @@ import (
"github.com/zitadel/oidc/v3/pkg/oidc" "github.com/zitadel/oidc/v3/pkg/oidc"
) )
// VerifyTokenFn is a custom verification function for use in [VerifyIDToken]
type VerifyTokenFn func(claims oidc.Claims, v *IDTokenVerifier) error
// VerifyTokens implement the Token Response Validation as defined in OIDC specification // VerifyTokens implement the Token Response Validation as defined in OIDC specification
// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v *IDTokenVerifier) (claims C, err error) { func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v *IDTokenVerifier, options ...VerifyTokenFn) (claims C, err error) {
ctx, span := client.Tracer.Start(ctx, "VerifyTokens") ctx, span := client.Tracer.Start(ctx, "VerifyTokens")
defer span.End() defer span.End()
var nilClaims C var nilClaims C
claims, err = VerifyIDToken[C](ctx, idToken, v) claims, err = VerifyIDToken[C](ctx, idToken, v, options...)
if err != nil { if err != nil {
return nilClaims, err return nilClaims, err
} }
@ -30,7 +33,7 @@ func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken str
// VerifyIDToken validates the id token according to // VerifyIDToken validates the id token according to
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenVerifier) (claims C, err error) { func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenVerifier, options ...VerifyTokenFn) (claims C, err error) {
ctx, span := client.Tracer.Start(ctx, "VerifyIDToken") ctx, span := client.Tracer.Start(ctx, "VerifyIDToken")
defer span.End() defer span.End()
@ -57,10 +60,6 @@ func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenV
return nilClaims, err return nilClaims, err
} }
if err = oidc.CheckAuthorizedParty(claims, v.ClientID); err != nil {
return nilClaims, err
}
if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs, v.KeySet); err != nil { if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs, v.KeySet); err != nil {
return nilClaims, err return nilClaims, err
} }
@ -86,9 +85,23 @@ func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenV
if err = oidc.CheckAuthTime(claims, v.MaxAge); err != nil { if err = oidc.CheckAuthTime(claims, v.MaxAge); err != nil {
return nilClaims, err return nilClaims, err
} }
for _, verifyFn := range options {
if err := verifyFn(claims, v); err != nil {
return nilClaims, err
}
}
return claims, nil return claims, nil
} }
// WithCheckAuthorizedParty checks azp (authorized party) claim requirements.
func WithCheckAuthorizedParty() VerifyTokenFn {
return func(claims oidc.Claims, v *IDTokenVerifier) error {
return oidc.CheckAuthorizedParty(claims, v.ClientID)
}
}
type IDTokenVerifier oidc.Verifier type IDTokenVerifier oidc.Verifier
// VerifyAccessToken validates the access token according to // VerifyAccessToken validates the access token according to