use type aliases for oidc.Verifier
This binds the correct constructor to each verifier use case.
parent
aad76b0d91
commit
88aab28603
17 changed files with 64 additions and 59 deletions
|
@ -38,7 +38,7 @@ type Authorizer interface {
|
|||
Storage() Storage
|
||||
Decoder() httphelper.Decoder
|
||||
Encoder() httphelper.Encoder
|
||||
IDTokenHintVerifier(context.Context) *oidc.Verifier
|
||||
IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
|
||||
Crypto() Crypto
|
||||
RequestObjectSupported() bool
|
||||
}
|
||||
|
@ -47,7 +47,7 @@ type Authorizer interface {
|
|||
// implementing its own validation mechanism for the auth request
|
||||
type AuthorizeValidator interface {
|
||||
Authorizer
|
||||
ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, *oidc.Verifier) (string, error)
|
||||
ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, *IDTokenHintVerifier) (string, error)
|
||||
}
|
||||
|
||||
func authorizeHandler(authorizer Authorizer) func(http.ResponseWriter, *http.Request) {
|
||||
|
@ -204,7 +204,7 @@ func CopyRequestObjectToAuthRequest(authReq *oidc.AuthRequest, requestObject *oi
|
|||
}
|
||||
|
||||
// ValidateAuthRequest validates the authorize parameters and returns the userID of the id_token_hint if passed
|
||||
func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier *oidc.Verifier) (sub string, err error) {
|
||||
func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier *IDTokenHintVerifier) (sub string, err error) {
|
||||
authReq.MaxAge, err = ValidateAuthReqPrompt(authReq.Prompt, authReq.MaxAge)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
@ -384,7 +384,7 @@ func ValidateAuthReqResponseType(client Client, responseType oidc.ResponseType)
|
|||
|
||||
// ValidateAuthReqIDTokenHint validates the id_token_hint (if passed as parameter in the request)
|
||||
// and returns the `sub` claim
|
||||
func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier *oidc.Verifier) (string, error) {
|
||||
func ValidateAuthReqIDTokenHint(ctx context.Context, idTokenHint string, verifier *IDTokenHintVerifier) (string, error) {
|
||||
if idTokenHint == "" {
|
||||
return "", nil
|
||||
}
|
||||
|
|
|
@ -146,7 +146,7 @@ func TestValidateAuthRequest(t *testing.T) {
|
|||
type args struct {
|
||||
authRequest *oidc.AuthRequest
|
||||
storage op.Storage
|
||||
verifier *oidc.Verifier
|
||||
verifier *op.IDTokenHintVerifier
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
|
@ -11,7 +11,6 @@ import (
|
|||
gomock "github.com/golang/mock/gomock"
|
||||
http "github.com/zitadel/oidc/v3/pkg/http"
|
||||
op "github.com/zitadel/oidc/v3/pkg/op"
|
||||
oidc "github.com/zitadel/oidc/v3/pkg/oidc"
|
||||
)
|
||||
|
||||
// MockAuthorizer is a mock of Authorizer interface.
|
||||
|
@ -80,10 +79,10 @@ func (mr *MockAuthorizerMockRecorder) Encoder() *gomock.Call {
|
|||
}
|
||||
|
||||
// IDTokenHintVerifier mocks base method.
|
||||
func (m *MockAuthorizer) IDTokenHintVerifier(arg0 context.Context) *oidc.Verifier {
|
||||
func (m *MockAuthorizer) IDTokenHintVerifier(arg0 context.Context) *op.IDTokenHintVerifier {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "IDTokenHintVerifier", arg0)
|
||||
ret0, _ := ret[0].(*oidc.Verifier)
|
||||
ret0, _ := ret[0].(*op.IDTokenHintVerifier)
|
||||
return ret0
|
||||
}
|
||||
|
||||
|
|
|
@ -49,7 +49,7 @@ func ExpectEncoder(a op.Authorizer) {
|
|||
func ExpectVerifier(a op.Authorizer, t *testing.T) {
|
||||
mockA := a.(*MockAuthorizer)
|
||||
mockA.EXPECT().IDTokenHintVerifier(gomock.Any()).DoAndReturn(
|
||||
func() *oidc.Verifier {
|
||||
func() *op.IDTokenHintVerifier {
|
||||
return op.NewIDTokenHintVerifier("", nil)
|
||||
})
|
||||
}
|
||||
|
|
|
@ -73,8 +73,8 @@ type OpenIDProvider interface {
|
|||
Storage() Storage
|
||||
Decoder() httphelper.Decoder
|
||||
Encoder() httphelper.Encoder
|
||||
IDTokenHintVerifier(context.Context) *oidc.Verifier
|
||||
AccessTokenVerifier(context.Context) *oidc.Verifier
|
||||
IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
|
||||
AccessTokenVerifier(context.Context) *AccessTokenVerifier
|
||||
Crypto() Crypto
|
||||
DefaultLogoutRedirectURI() string
|
||||
Probes() []ProbesFn
|
||||
|
@ -342,7 +342,7 @@ func (o *Provider) Encoder() httphelper.Encoder {
|
|||
return o.encoder
|
||||
}
|
||||
|
||||
func (o *Provider) IDTokenHintVerifier(ctx context.Context) *oidc.Verifier {
|
||||
func (o *Provider) IDTokenHintVerifier(ctx context.Context) *IDTokenHintVerifier {
|
||||
return NewIDTokenHintVerifier(IssuerFromContext(ctx), o.openIDKeySet(), o.idTokenHintVerifierOpts...)
|
||||
}
|
||||
|
||||
|
@ -350,7 +350,7 @@ func (o *Provider) JWTProfileVerifier(ctx context.Context) *JWTProfileVerifier {
|
|||
return NewJWTProfileVerifier(o.Storage(), IssuerFromContext(ctx), 1*time.Hour, time.Second)
|
||||
}
|
||||
|
||||
func (o *Provider) AccessTokenVerifier(ctx context.Context) *oidc.Verifier {
|
||||
func (o *Provider) AccessTokenVerifier(ctx context.Context) *AccessTokenVerifier {
|
||||
return NewAccessTokenVerifier(IssuerFromContext(ctx), o.openIDKeySet(), o.accessTokenVerifierOpts...)
|
||||
}
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
type SessionEnder interface {
|
||||
Decoder() httphelper.Decoder
|
||||
Storage() Storage
|
||||
IDTokenHintVerifier(context.Context) *oidc.Verifier
|
||||
IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
|
||||
DefaultLogoutRedirectURI() string
|
||||
}
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ type Introspector interface {
|
|||
Decoder() httphelper.Decoder
|
||||
Crypto() Crypto
|
||||
Storage() Storage
|
||||
AccessTokenVerifier(context.Context) *oidc.Verifier
|
||||
AccessTokenVerifier(context.Context) *AccessTokenVerifier
|
||||
}
|
||||
|
||||
type IntrospectorJWTProfile interface {
|
||||
|
|
|
@ -20,8 +20,8 @@ type Exchanger interface {
|
|||
GrantTypeJWTAuthorizationSupported() bool
|
||||
GrantTypeClientCredentialsSupported() bool
|
||||
GrantTypeDeviceCodeSupported() bool
|
||||
AccessTokenVerifier(context.Context) *oidc.Verifier
|
||||
IDTokenHintVerifier(context.Context) *oidc.Verifier
|
||||
AccessTokenVerifier(context.Context) *AccessTokenVerifier
|
||||
IDTokenHintVerifier(context.Context) *IDTokenHintVerifier
|
||||
}
|
||||
|
||||
func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
|
||||
|
|
|
@ -15,7 +15,7 @@ type Revoker interface {
|
|||
Decoder() httphelper.Decoder
|
||||
Crypto() Crypto
|
||||
Storage() Storage
|
||||
AccessTokenVerifier(context.Context) *oidc.Verifier
|
||||
AccessTokenVerifier(context.Context) *AccessTokenVerifier
|
||||
AuthMethodPrivateKeyJWTSupported() bool
|
||||
AuthMethodPostSupported() bool
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@ type UserinfoProvider interface {
|
|||
Decoder() httphelper.Decoder
|
||||
Crypto() Crypto
|
||||
Storage() Storage
|
||||
AccessTokenVerifier(context.Context) *oidc.Verifier
|
||||
AccessTokenVerifier(context.Context) *AccessTokenVerifier
|
||||
}
|
||||
|
||||
func userinfoHandler(userinfoProvider UserinfoProvider) func(http.ResponseWriter, *http.Request) {
|
||||
|
|
|
@ -6,17 +6,19 @@ import (
|
|||
"github.com/zitadel/oidc/v3/pkg/oidc"
|
||||
)
|
||||
|
||||
type AccessTokenVerifierOpt func(*oidc.Verifier)
|
||||
type AccessTokenVerifier oidc.Verifier
|
||||
|
||||
type AccessTokenVerifierOpt func(*AccessTokenVerifier)
|
||||
|
||||
func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt {
|
||||
return func(verifier *oidc.Verifier) {
|
||||
return func(verifier *AccessTokenVerifier) {
|
||||
verifier.SupportedSignAlgs = algs
|
||||
}
|
||||
}
|
||||
|
||||
// NewAccessTokenVerifier returns a oidc.Verifier suitable for access token verification.
|
||||
func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *oidc.Verifier {
|
||||
verifier := &oidc.Verifier{
|
||||
// NewAccessTokenVerifier returns a AccessTokenVerifier suitable for access token verification.
|
||||
func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *AccessTokenVerifier {
|
||||
verifier := &AccessTokenVerifier{
|
||||
Issuer: issuer,
|
||||
KeySet: keySet,
|
||||
}
|
||||
|
@ -27,7 +29,7 @@ func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTok
|
|||
}
|
||||
|
||||
// VerifyAccessToken validates the access token (issuer, signature and expiration).
|
||||
func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *oidc.Verifier) (claims C, err error) {
|
||||
func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *AccessTokenVerifier) (claims C, err error) {
|
||||
var nilClaims C
|
||||
|
||||
decrypted, err := oidc.DecryptToken(token)
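Review bot: `type AccessTokenVerifier oidc.Verifier` (and `type IDTokenHintVerifier oidc.Verifier` in the id_token_hint file) declares a new named type, not an alias — an alias would be `= oidc.Verifier` and would give no compile-time separation, so the commit title is misleading about the mechanism that actually provides the safety. Both exported types lack a doc comment; suggest `// AccessTokenVerifier is an oidc.Verifier dedicated to access token verification. It is a distinct named type so that a verifier configured for id_token_hint cannot be passed to VerifyAccessToken by accident; the method set of oidc.Verifier is not inherited.` Because the underlying struct is shared, an explicit conversion `(*AccessTokenVerifier)(v)` still compiles, so the guard is against accidental misuse only, which the comment should say. VerifyAccessToken's body continues outside the hunk; if it hands `v` to helpers that take `*oidc.Verifier`, those calls presumably now need `(*oidc.Verifier)(v)`. The rewritten doc comment on NewAccessTokenVerifier should read `an AccessTokenVerifier`, not `a AccessTokenVerifier`.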
|
||||
|
|
|
@ -20,7 +20,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
|
|||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want *oidc.Verifier
|
||||
want *AccessTokenVerifier
|
||||
}{
|
||||
{
|
||||
name: "simple",
|
||||
|
@ -28,7 +28,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
|
|||
issuer: tu.ValidIssuer,
|
||||
keySet: tu.KeySet{},
|
||||
},
|
||||
want: &oidc.Verifier{
|
||||
want: &AccessTokenVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
KeySet: tu.KeySet{},
|
||||
},
|
||||
|
@ -42,7 +42,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
|
|||
WithSupportedAccessTokenSigningAlgorithms("ABC", "DEF"),
|
||||
},
|
||||
},
|
||||
want: &oidc.Verifier{
|
||||
want: &AccessTokenVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
KeySet: tu.KeySet{},
|
||||
SupportedSignAlgs: []string{"ABC", "DEF"},
|
||||
|
@ -58,7 +58,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestVerifyAccessToken(t *testing.T) {
|
||||
verifier := &oidc.Verifier{
|
||||
verifier := &AccessTokenVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
MaxAgeIAT: 2 * time.Minute,
|
||||
Offset: time.Second,
|
||||
|
|
|
@ -6,16 +6,18 @@ import (
|
|||
"github.com/zitadel/oidc/v3/pkg/oidc"
|
||||
)
|
||||
|
||||
type IDTokenHintVerifierOpt func(*oidc.Verifier)
|
||||
type IDTokenHintVerifier oidc.Verifier
|
||||
|
||||
type IDTokenHintVerifierOpt func(*IDTokenHintVerifier)
|
||||
|
||||
func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt {
|
||||
return func(verifier *oidc.Verifier) {
|
||||
return func(verifier *IDTokenHintVerifier) {
|
||||
verifier.SupportedSignAlgs = algs
|
||||
}
|
||||
}
|
||||
|
||||
func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) *oidc.Verifier {
|
||||
verifier := &oidc.Verifier{
|
||||
func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) *IDTokenHintVerifier {
|
||||
verifier := &IDTokenHintVerifier{
|
||||
Issuer: issuer,
|
||||
KeySet: keySet,
|
||||
}
|
||||
|
@ -27,7 +29,7 @@ func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHi
|
|||
|
||||
// VerifyIDTokenHint validates the id token according to
|
||||
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
||||
func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *oidc.Verifier) (claims C, err error) {
|
||||
func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTokenHintVerifier) (claims C, err error) {
|
||||
var nilClaims C
|
||||
|
||||
decrypted, err := oidc.DecryptToken(token)
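Review bot: NewIDTokenHintVerifier is exported but has no doc comment, while its sibling NewAccessTokenVerifier gained one in this commit; suggest `// NewIDTokenHintVerifier returns an IDTokenHintVerifier for the given issuer and key set, applying opts in order.` The new `type IDTokenHintVerifier oidc.Verifier` also needs a comment stating that it is a distinct named type accepted only by VerifyIDTokenHint, so an access-token verifier cannot be used for id_token_hint validation by mistake. VerifyIDTokenHint's body continues outside the hunk.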
|
||||
|
|
|
@ -20,7 +20,7 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
|
|||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want *oidc.Verifier
|
||||
want *IDTokenHintVerifier
|
||||
}{
|
||||
{
|
||||
name: "simple",
|
||||
|
@ -28,7 +28,7 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
|
|||
issuer: tu.ValidIssuer,
|
||||
keySet: tu.KeySet{},
|
||||
},
|
||||
want: &oidc.Verifier{
|
||||
want: &IDTokenHintVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
KeySet: tu.KeySet{},
|
||||
},
|
||||
|
@ -42,7 +42,7 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
|
|||
WithSupportedIDTokenHintSigningAlgorithms("ABC", "DEF"),
|
||||
},
|
||||
},
|
||||
want: &oidc.Verifier{
|
||||
want: &IDTokenHintVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
KeySet: tu.KeySet{},
|
||||
SupportedSignAlgs: []string{"ABC", "DEF"},
|
||||
|
@ -58,7 +58,7 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestVerifyIDTokenHint(t *testing.T) {
|
||||
verifier := &oidc.Verifier{
|
||||
verifier := &IDTokenHintVerifier{
|
||||
Issuer: tu.ValidIssuer,
|
||||
MaxAgeIAT: 2 * time.Minute,
|
||||
Offset: time.Second,
|
||||
|
|