diff --git a/internal/testutil/token.go b/internal/testutil/token.go
index 8e80026..121aa0b 100644
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@@ -4,8 +4,6 @@ package testutil
 
 import (
 	"context"
-	"crypto/rand"
-	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"time"
@@ -14,40 +12,45 @@ import ( "gopkg.in/square/go-jose.v2" ) -const SignatureAlgorithm = jose.PS512 +// KeySet implements oidc.Keys +type KeySet struct{} -// KeySet implements oidc.Keys and -// additionally can create tokens and claims that can -// be validated by this KeySet. -type KeySet struct { - Private *rsa.PrivateKey - Public *rsa.PublicKey +// VerifySignature implments op.KeySet. +func (KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) { + if ctx.Err() != nil { + return nil, err + } + return jws.Verify(WebKey.Public()) +} + +// use a reproducible signing key +const webkeyJSON = `{"kty":"RSA","kid":"1","alg":"PS512","n":"x6JoG8t2Li68JSwPwnh51TvHYFf3z72tQ3wmJG3VosU6MdJF0gSTCIwflOJ38OWE6hYtN1WAeyBy2CYdnXd1QZzkK_apGK4M7hsNA9jCTg8NOZjLPL0ww1jp7313Skla7mbm90uNdg4TUNp2n_r-sCYywI-9cfSlhzLSksxKK_BRdzy6xW20daAcI-mErQXIcvdYIguunJk_uTb8kJedsWMcQ4Mb57QujUok2Z2YabWyb9Fi1_StixXJvd_WEu93SHNMORB0u6ymnO3aZJdATLdhtcP-qsVicQhffpqVazmZQPf7K-7n4I5vJE4g9XXzZ2dSKSp3Ewe_nna_2kvbCw","e":"AQAB","d":"sl3F_QeF2O-CxQegMRYpbL6Tfd47GM6VDxXOkn_cACmNvFPudB4ILPvdf830cjTv06Lq1WS8fcZZNgygK0A_cNc3-pvRK67e-KMMtuIlgU7rdwmwlN1Iw1Ee-w6z1ZjC-PzR4iQMCW28DmKS2I-OnV4TvH7xOe7nMmvTPrvujV__YKfUxvAWXJG7_wtaJBGplezn5nNsKG2Ot9h0mhMdYUgGC36wLxo3Q5d4m79EXQYdhm89EfxogwvMmHRes5PNpHRuDZRHGAI4RZi2KvgmqF07e1Qdq4TqbQnY5pCYrdjqvEFFjGC6jTE-ak_b21FcSVy-9aZHyf04U4g5-cIUEQ","p":"7AaicFryJCHRekdSkx8tfPxaSiyEuN8jhP9cLqs4rLkIbrSHmanPhjnLe-Tlh3icQ8hPoy6WC8ktLwsrzbfGIh4U_zgAfvtD1Y_lZM-YSWZsxqlrGiI5do11iVzzoy4a1XdkgOjHQz9y6J-uoA9jY8ILG7VaEZQnaYwWZV3cspk","q":"2Ide9hlwthXJQJYqI0mibM5BiGBxJ4CafPmF1DYNXggBCczZ6ERGReNTGM_AEhy5mvLXUH6uBSOJlfHTYzx49C1GgIO3hEWVEGAKAytVRL6RfAkVSOXMQUp-HjXKpGg_Nx1SJxQf3rulbW8HXO4KqIlloyIXpPQSK7jB8A4hJUM","dp":"1nmc6F4sRNsaQHRJO_mL21RxM4_KtzfFThjCCoJ6iLHHUNnpkp_1PTKNjrLMRFM8JHgErfMqU-FmlqYfEtvZRq1xRQ39nWX0GT-eIwJljuVtGQVglqnc77bRxJXbqz-9EJdik6VzVM92Op7IDxiMp1zvvSkJhInNWqL6wvgNEZk","dq":"dlHizlAwiw90ndpwxD-khhhfLwqkSpW31br0KnYu78cn6hcKrCVC0UXbTp-XsU4JDmbMy
auvpBc7Q7iVbpDI94UWFXvkeF8diYkxb3HqclpAXasI-oC4EKWILTHvvc9JW_Clx7zzfV7Ekvws5dcd8-LAq1gh232TwFiBgY_3BMk","qi":"E1k_9W3odXgcmIP2PCJztE7hB7jeuAL1ElAY88VJBBPY670uwOEjKL2VfQuz9q9IjzLAvcgf7vS9blw2RHP_XqHqSOlJWGwvMQTF0Q8zLknCgKt8q7HQQNWIJcBZ8qdUVn02-qf4E3tgZ3JHaHNs8imA_L-__WoUmzC4z5jH_lM"}` + +const SignatureAlgorithm = jose.RS256 + +var ( + WebKey jose.JSONWebKey Signer jose.Signer -} +) -func NewKeySet() *KeySet { - privateKey, err := rsa.GenerateKey(rand.Reader, 2048) +func init() { + err := json.Unmarshal([]byte(webkeyJSON), &WebKey) if err != nil { panic(err) } - signer, err := jose.NewSigner(jose.SigningKey{Algorithm: SignatureAlgorithm, Key: privateKey}, nil) + Signer, err = jose.NewSigner(jose.SigningKey{Algorithm: SignatureAlgorithm, Key: WebKey}, nil) if err != nil { panic(err) } - return &KeySet{ - Private: privateKey, - Public: &privateKey.PublicKey, - Signer: signer, - } } -func (k *KeySet) signEncodeTokenClaims(claims any) string { +func signEncodeTokenClaims(claims any) string { payload, err := json.Marshal(claims) if err != nil { panic(err) } - object, err := k.Signer.Sign(payload) + object, err := Signer.Sign(payload) if err != nil { panic(err) } 
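Review bot: VerifySignature returns `nil, err` when the context is already cancelled, but `err` is the zero-valued named result, so a cancelled context yields `(nil, nil)` and a caller can take an unverified, empty payload as success; the line should be `return nil, ctx.Err()` (the removed method had the same flaw, the new copy keeps it). The JWK literal carries `"alg":"PS512"` while SignatureAlgorithm is now jose.RS256; go-jose appears to sign with the explicitly passed algorithm, but the mismatch is confusing and could trip any check that compares a key's alg against the header, so set the JSON field to RS256 or drop it. Because this is a real RSA private key committed to the repository, a comment above webkeyJSON such as `// Test-only key, deliberately public: never use it outside this package.` would make the intent explicit, and the doc comment "implments" should read "implements".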
@@ -70,11 +73,27 @@ func claimsMap(claims any) map[string]any {
 	return dst
 }
 
-// NewIDToken creates a new IDTokenClaims with passed data and returns a signed token and claims.
-func (k *KeySet) NewIDToken(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string) (string, *oidc.IDTokenClaims) {
+func NewIDTokenCustom(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string, custom map[string]any) (string, *oidc.IDTokenClaims) {
 	claims := oidc.NewIDTokenClaims(issuer, subject, audience, expiration, authTime, nonce, acr, amr, clientID, skew)
 	claims.AccessTokenHash = atHash
-	token := k.signEncodeTokenClaims(claims)
+	claims.Claims = custom
+	token := signEncodeTokenClaims(claims)
+
+	// set this so that assertion in tests will work
+	claims.SignatureAlg = SignatureAlgorithm
+	claims.Claims = claimsMap(claims)
+	return token, claims
+}
+
+// NewIDToken creates a new IDTokenClaims with passed data and returns a signed token and claims.
+func NewIDToken(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string) (string, *oidc.IDTokenClaims) {
+	return NewIDTokenCustom(issuer, subject, audience, expiration, authTime, nonce, acr, amr, clientID, skew, atHash, nil)
+}
+
+func NewAccessTokenCustom(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration, custom map[string]any) (string, *oidc.AccessTokenClaims) {
+	claims := oidc.NewAccessTokenClaims(issuer, subject, audience, expiration, jwtid, clientID, skew)
+	claims.Claims = custom
+	token := signEncodeTokenClaims(claims)
 
 	// set this so that assertion in tests will work
 	claims.SignatureAlg = SignatureAlgorithm
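Review bot: NewIDTokenCustom and NewAccessTokenCustom are exported but carry no doc comment; the comment that used to sit on NewIDToken now only describes the thin wrapper, and NewAccessTokenCustom's body continues past the end of the hunk. I would add `// NewIDTokenCustom is like NewIDToken but also embeds custom in the token's claims; custom may be nil.` and the matching `// NewAccessTokenCustom is like NewAccessToken but also embeds custom in the token's claims; custom may be nil.` Since `claims.Claims = custom` is set before signing and then overwritten with `claimsMap(claims)`, whether the custom entries actually land in the signed payload depends on how the claims types marshal their Claims field, which is not visible here; a test that builds a token with a non-nil custom map and asserts the extra claim after verification would pin that.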
@@ -83,20 +102,13 @@ func (k *KeySet) NewIDToken(issuer, subject string, audience []string, expiratio
 }
 
 // NewAcccessToken creates a new AccessTokenClaims with passed data and returns a signed token and claims.
-func (k *KeySet) NewAccessToken(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) (string, *oidc.AccessTokenClaims) {
-	claims := oidc.NewAccessTokenClaims(issuer, subject, audience, expiration, jwtid, clientID, skew)
-	token := k.signEncodeTokenClaims(claims)
-
-	// set this so that assertion in tests will work
-	claims.SignatureAlg = SignatureAlgorithm
-	claims.Claims = claimsMap(claims)
-	return token, claims
+func NewAccessToken(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) (string, *oidc.AccessTokenClaims) {
+	return NewAccessTokenCustom(issuer, subject, audience, expiration, jwtid, clientID, skew, nil)
 }
 
 const InvalidSignatureToken = `eyJhbGciOiJQUzUxMiJ9.eyJpc3MiOiJsb2NhbC5jb20iLCJzdWIiOiJ0aW1AbG9jYWwuY29tIiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImV4cCI6MTY3Nzg0MDQzMSwiaWF0IjoxNjc3ODQwMzcwLCJhdXRoX3RpbWUiOjE2Nzc4NDAzMTAsIm5vbmNlIjoiMTIzNDUiLCJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF6cCI6IjU1NTY2NiJ9.DtZmvVkuE4Hw48ijBMhRJbxEWCr_WEYuPQBMY73J9TP6MmfeNFkjVJf4nh4omjB9gVLnQ-xhEkNOe62FS5P0BB2VOxPuHZUj34dNspCgG3h98fGxyiMb5vlIYAHDF9T-w_LntlYItohv63MmdYR-hPpAqjXE7KOfErf-wUDGE9R3bfiQ4HpTdyFJB1nsToYrZ9lhP2mzjTCTs58ckZfQ28DFHn_lfHWpR4rJBgvLx7IH4rMrUayr09Ap-PxQLbv0lYMtmgG1z3JK8MXnuYR0UJdZnEIezOzUTlThhCXB-nvuAXYjYxZZTR0FtlgZUHhIpYK0V2abf_Q_Or36akNCUg`
 
 // These variables always result in a valid token
-// for the same test run.
 var (
 	ValidIssuer  = "local.com"
 	ValidSubject = "tim@local.com"
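Review bot: InvalidSignatureToken is left with a header of `{"alg":"PS512"}` (that is what `eyJhbGciOiJQUzUxMiJ9` decodes to) while SignatureAlgorithm is switched to jose.RS256 and the test verifiers elsewhere in this diff now list only tu.SignatureAlgorithm as supported. If the algorithm check runs before the signature check, any test that feeds this constant to a verifier will now fail on an unsupported algorithm rather than on the bad signature it is named for, so the signature path is no longer exercised; I cannot see those tests from here, so this is worth confirming. Either regenerate the constant as an RS256 token signed by a key other than WebKey, or at least document the situation: `// InvalidSignatureToken is signed by a key unknown to KeySet; note its header alg is PS512, not SignatureAlgorithm.`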
@@ -112,26 +124,17 @@ var (
 )
 
 // ValidIDToken returns a token and claims that are in the token.
-// It uses the Valid* global variables and the token always passes
-// verification within the same test run.
-func (k *KeySet) ValidIDToken() (string, *oidc.IDTokenClaims) {
-	return k.NewIDToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidAuthTime, ValidNonce, ValidACR, ValidAMR, ValidClientID, ValidSkew, "")
+// It uses the Valid* global variables and the token will always
+// pass verification.
+func ValidIDToken() (string, *oidc.IDTokenClaims) {
+	return NewIDToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidAuthTime, ValidNonce, ValidACR, ValidAMR, ValidClientID, ValidSkew, "")
 }
 
 // ValidAccessToken returns a token and claims that are in the token.
 // It uses the Valid* global variables and the token always passes
 // verification within the same test run.
-func (k *KeySet) ValidAccessToken() (string, *oidc.AccessTokenClaims) {
-	return k.NewAccessToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidJWTID, ValidClientID, ValidSkew)
-}
-
-// VerifySignature implments op.KeySet.
-func (k *KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
-	if ctx.Err() != nil {
-		return nil, err
-	}
-
-	return jws.Verify(k.Public)
+func ValidAccessToken() (string, *oidc.AccessTokenClaims) {
+	return NewAccessToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidJWTID, ValidClientID, ValidSkew)
 }
 
 // ACRVerify is a oidc.ACRVerifier func.
diff --git a/pkg/client/rp/verifier_test.go b/pkg/client/rp/verifier_test.go
index 41c79ea..28c9ded 100644
--- a/pkg/client/rp/verifier_test.go
+++ b/pkg/client/rp/verifier_test.go
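Review bot: ValidAccessToken's doc comment still says the token "always passes verification within the same test run", while ValidIDToken's comment in the same hunk was rewritten to say it always passes; with a fixed signing key the two helpers behave the same and their comments should match. I would change the two context lines to `// It uses the Valid* global variables and the token will always` / `// pass verification.` Both statements hold only as far as the Valid* time variables allow, and those are declared outside this hunk, so "always" is really "for as long as ValidExpiration is in the future".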
@@ -13,19 +13,18 @@ import ( ) func TestVerifyTokens(t *testing.T) { - keySet := tu.NewKeySet() verifier := &idTokenVerifier{ issuer: tu.ValidIssuer, maxAgeIAT: 2 * time.Minute, offset: time.Second, - supportedSignAlgs: []string{string(jose.PS512)}, - keySet: keySet, + supportedSignAlgs: []string{string(tu.SignatureAlgorithm)}, + keySet: tu.KeySet{}, maxAge: 2 * time.Minute, acr: tu.ACRVerify, nonce: func(context.Context) string { return tu.ValidNonce }, clientID: tu.ValidClientID, } - accessToken, _ := keySet.ValidAccessToken() + accessToken, _ := tu.ValidAccessToken() atHash, err := oidc.ClaimHash(accessToken, tu.SignatureAlgorithm) require.NoError(t, err) @@ -37,13 +36,13 @@ func TestVerifyTokens(t *testing.T) { }{ { name: "without access token", - idTokenClaims: keySet.ValidIDToken, + idTokenClaims: tu.ValidIDToken, }, { name: "with access token", accessToken: accessToken, idTokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash, @@ -54,7 +53,7 @@ func TestVerifyTokens(t *testing.T) { name: "expired id token", accessToken: accessToken, idTokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash, @@ -66,7 +65,7 @@ func TestVerifyTokens(t *testing.T) { name: "wronf access token", accessToken: accessToken, idTokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "~~~", 
@@ -92,13 +91,12 @@ func TestVerifyTokens(t *testing.T) { } func TestVerifyIDToken(t *testing.T) { - keySet := tu.NewKeySet() verifier := &idTokenVerifier{ issuer: tu.ValidIssuer, maxAgeIAT: 2 * time.Minute, offset: time.Second, - supportedSignAlgs: []string{string(jose.PS512)}, - keySet: keySet, + supportedSignAlgs: []string{string(tu.SignatureAlgorithm)}, + keySet: tu.KeySet{}, maxAge: 2 * time.Minute, acr: tu.ACRVerify, nonce: func(context.Context) string { return tu.ValidNonce }, @@ -113,7 +111,7 @@ func TestVerifyIDToken(t *testing.T) { { name: "success", clientID: tu.ValidClientID, - tokenClaims: keySet.ValidIDToken, + tokenClaims: tu.ValidIDToken, }, { name: "parse err", @@ -131,7 +129,7 @@ func TestVerifyIDToken(t *testing.T) { name: "empty subject", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, "", tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -143,7 +141,7 @@ func TestVerifyIDToken(t *testing.T) { name: "wrong issuer", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( "foo", tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -154,14 +152,14 @@ func TestVerifyIDToken(t *testing.T) { { name: "wrong clientID", clientID: "foo", - tokenClaims: keySet.ValidIDToken, + tokenClaims: tu.ValidIDToken, wantErr: true, }, { name: "expired", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", 
@@ -173,7 +171,7 @@ func TestVerifyIDToken(t *testing.T) { name: "wrong IAT", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "", @@ -185,7 +183,7 @@ func TestVerifyIDToken(t *testing.T) { name: "wrong acr", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, "else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -197,7 +195,7 @@ func TestVerifyIDToken(t *testing.T) { name: "expired auth", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime.Add(-time.Hour), tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -209,7 +207,7 @@ func TestVerifyIDToken(t *testing.T) { name: "wrong nonce", clientID: tu.ValidClientID, tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, "foo", tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -236,8 +234,7 @@ func TestVerifyIDToken(t *testing.T) { } func TestVerifyAccessToken(t *testing.T) { - keySet := tu.NewKeySet() - token, _ := keySet.ValidAccessToken() + token, _ := tu.ValidAccessToken() hash, err := oidc.ClaimHash(token, tu.SignatureAlgorithm) require.NoError(t, err) @@ -294,7 +291,6 @@ func TestVerifyAccessToken(t *testing.T) { } func TestNewIDTokenVerifier(t *testing.T) { - keySet := tu.NewKeySet() type args struct { issuer string clientID string 
@@ -311,7 +307,7 @@ func TestNewIDTokenVerifier(t *testing.T) { args: args{ issuer: tu.ValidIssuer, clientID: tu.ValidClientID, - keySet: keySet, + keySet: tu.KeySet{}, options: []VerifierOption{ WithIssuedAtOffset(time.Minute), //WithIssuedAtMaxAge(time.Hour), @@ -326,7 +322,7 @@ func TestNewIDTokenVerifier(t *testing.T) { offset: time.Minute, //maxAgeIAT: time.Hour, // Maybe BUG? clientID: tu.ValidClientID, - keySet: keySet, + keySet: tu.KeySet{}, nonce: nil, acr: nil, maxAge: 2 * time.Hour, diff --git a/pkg/op/verifier_access_token_test.go b/pkg/op/verifier_access_token_test.go index 718de1c..62c26a9 100644 --- a/pkg/op/verifier_access_token_test.go +++ b/pkg/op/verifier_access_token_test.go @@ -9,11 +9,9 @@ import ( "github.com/stretchr/testify/require" tu "github.com/zitadel/oidc/v2/internal/testutil" "github.com/zitadel/oidc/v2/pkg/oidc" - "gopkg.in/square/go-jose.v2" ) func TestNewAccessTokenVerifier(t *testing.T) { - keySet := tu.NewKeySet() type args struct { issuer string keySet oidc.KeySet @@ -28,25 +26,25 @@ func TestNewAccessTokenVerifier(t *testing.T) { name: "simple", args: args{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, }, want: &accessTokenVerifier{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, }, }, { name: "with signature algorithm", args: args{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, opts: []AccessTokenVerifierOpt{ WithSupportedAccessTokenSigningAlgorithms("ABC", "DEF"), }, }, want: &accessTokenVerifier{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, supportedSignAlgs: []string{"ABC", "DEF"}, }, }, 
@@ -60,13 +58,12 @@ func TestNewAccessTokenVerifier(t *testing.T) { } func TestVerifyAccessToken(t *testing.T) { - keySet := tu.NewKeySet() verifier := &accessTokenVerifier{ issuer: tu.ValidIssuer, maxAgeIAT: 2 * time.Minute, offset: time.Second, - supportedSignAlgs: []string{string(jose.PS512)}, - keySet: keySet, + supportedSignAlgs: []string{string(tu.SignatureAlgorithm)}, + keySet: tu.KeySet{}, } tests := []struct { @@ -76,7 +73,7 @@ func TestVerifyAccessToken(t *testing.T) { }{ { name: "success", - tokenClaims: keySet.ValidAccessToken, + tokenClaims: tu.ValidAccessToken, }, { name: "parse err", @@ -91,7 +88,7 @@ func TestVerifyAccessToken(t *testing.T) { { name: "wrong issuer", tokenClaims: func() (string, *oidc.AccessTokenClaims) { - return keySet.NewAccessToken( + return tu.NewAccessToken( "foo", tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidJWTID, tu.ValidClientID, tu.ValidSkew, @@ -102,7 +99,7 @@ func TestVerifyAccessToken(t *testing.T) { { name: "expired", tokenClaims: func() (string, *oidc.AccessTokenClaims) { - return keySet.NewAccessToken( + return tu.NewAccessToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration.Add(-time.Hour), tu.ValidJWTID, tu.ValidClientID, tu.ValidSkew, diff --git a/pkg/op/verifier_id_token_hint_test.go b/pkg/op/verifier_id_token_hint_test.go index 27fc0b9..f4d0b0c 100644 --- a/pkg/op/verifier_id_token_hint_test.go +++ b/pkg/op/verifier_id_token_hint_test.go @@ -9,11 +9,9 @@ import ( "github.com/stretchr/testify/require" tu "github.com/zitadel/oidc/v2/internal/testutil" "github.com/zitadel/oidc/v2/pkg/oidc" - "gopkg.in/square/go-jose.v2" ) func TestNewIDTokenHintVerifier(t *testing.T) { - keySet := tu.NewKeySet() type args struct { issuer string keySet oidc.KeySet 
@@ -28,25 +26,25 @@ func TestNewIDTokenHintVerifier(t *testing.T) { name: "simple", args: args{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, }, want: &idTokenHintVerifier{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, }, }, { name: "with signature algorithm", args: args{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, opts: []IDTokenHintVerifierOpt{ WithSupportedIDTokenHintSigningAlgorithms("ABC", "DEF"), }, }, want: &idTokenHintVerifier{ issuer: tu.ValidIssuer, - keySet: keySet, + keySet: tu.KeySet{}, supportedSignAlgs: []string{"ABC", "DEF"}, }, }, @@ -60,15 +58,14 @@ func TestNewIDTokenHintVerifier(t *testing.T) { } func TestVerifyIDTokenHint(t *testing.T) { - keySet := tu.NewKeySet() verifier := &idTokenHintVerifier{ issuer: tu.ValidIssuer, maxAgeIAT: 2 * time.Minute, offset: time.Second, - supportedSignAlgs: []string{string(jose.PS512)}, + supportedSignAlgs: []string{string(tu.SignatureAlgorithm)}, maxAge: 2 * time.Minute, acr: tu.ACRVerify, - keySet: keySet, + keySet: tu.KeySet{}, } tests := []struct { @@ -78,7 +75,7 @@ func TestVerifyIDTokenHint(t *testing.T) { }{ { name: "success", - tokenClaims: keySet.ValidIDToken, + tokenClaims: tu.ValidIDToken, }, { name: "parse err", @@ -93,7 +90,7 @@ func TestVerifyIDTokenHint(t *testing.T) { { name: "wrong issuer", tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( "foo", tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -104,7 +101,7 @@ func TestVerifyIDTokenHint(t *testing.T) { { name: "expired", tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", 
@@ -115,7 +112,7 @@ func TestVerifyIDTokenHint(t *testing.T) { { name: "wrong IAT", tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "", @@ -126,7 +123,7 @@ func TestVerifyIDTokenHint(t *testing.T) { { name: "wrong acr", tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce, "else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "", @@ -137,7 +134,7 @@ func TestVerifyIDTokenHint(t *testing.T) { { name: "expired auth", tokenClaims: func() (string, *oidc.IDTokenClaims) { - return keySet.NewIDToken( + return tu.NewIDToken( tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience, tu.ValidExpiration, tu.ValidAuthTime.Add(-time.Hour), tu.ValidNonce, tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",