chore(linting): apply gofumpt & goimports to all .go files (#225)
This commit is contained in:
David Sharnoff
GitHub
parent
c4b7ef9160
commit
b5da6ec29b
45 changed files with 539 additions and 479 deletions
|
|
@ -4,8 +4,8 @@ import (
|
|||
"github.com/zitadel/oidc/pkg/oidc/grants/tokenexchange"
|
||||
)
|
||||
|
||||
//DelegationTokenRequest is an implementation of TokenExchangeRequest
|
||||
//it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
|
||||
// DelegationTokenRequest is an implementation of TokenExchangeRequest
|
||||
// it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
|
||||
//"urn:ietf:params:oauth:token-type:access_token" actor token for an
|
||||
//"urn:ietf:params:oauth:token-type:access_token" delegation token
|
||||
func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest {
|
||||
|
|
|
|||
|
|
@ -21,12 +21,12 @@ func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKe
|
|||
return keyset
|
||||
}
|
||||
|
||||
//SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys
|
||||
//and no kid header is set in the JWT
|
||||
// SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys
|
||||
// and no kid header is set in the JWT
|
||||
//
|
||||
//this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and
|
||||
//there is only a single remote key
|
||||
//please notice that remote keys will then only be fetched if cached keys are empty
|
||||
// this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and
|
||||
// there is only a single remote key
|
||||
// please notice that remote keys will then only be fetched if cached keys are empty
|
||||
func SkipRemoteCheck() func(set *remoteKeySet) {
|
||||
return func(set *remoteKeySet) {
|
||||
set.skipRemoteCheck = true
|
||||
|
|
@ -97,15 +97,15 @@ func (r *remoteKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
|
|||
return r.verifySignatureRemote(ctx, jws, keyID, alg)
|
||||
}
|
||||
|
||||
//verifySignatureCached checks for a matching key in the cached key list
|
||||
// verifySignatureCached checks for a matching key in the cached key list
|
||||
//
|
||||
//if there is only one possible, it tries to verify the signature and will return the payload if successful
|
||||
// if there is only one possible, it tries to verify the signature and will return the payload if successful
|
||||
//
|
||||
//it only returns an error if signature validation fails and keys exactMatch which is if either:
|
||||
// it only returns an error if signature validation fails and keys exactMatch which is if either:
|
||||
// - both kid are empty and skipRemoteCheck is set to true
|
||||
// - or both (JWT and JWK) kid are equal
|
||||
//
|
||||
//otherwise it will return no error (so remote keys will be loaded)
|
||||
// otherwise it will return no error (so remote keys will be loaded)
|
||||
func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID, alg string) ([]byte, error) {
|
||||
keys := r.keysFromCache()
|
||||
if len(keys) == 0 {
|
||||
|
|
@ -113,7 +113,7 @@ func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID,
|
|||
}
|
||||
key, err := oidc.FindMatchingKey(keyID, oidc.KeyUseSignature, alg, keys...)
|
||||
if err != nil {
|
||||
//no key / multiple found, try with remote keys
|
||||
// no key / multiple found, try with remote keys
|
||||
return nil, nil //nolint:nilerr
|
||||
}
|
||||
payload, err := jws.Verify(&key)
|
||||
|
|
@ -121,7 +121,7 @@ func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID,
|
|||
return payload, nil
|
||||
}
|
||||
if !r.exactMatch(key.KeyID, keyID) {
|
||||
//no exact key match, try getting better match with remote keys
|
||||
// no exact key match, try getting better match with remote keys
|
||||
return nil, nil
|
||||
}
|
||||
return nil, fmt.Errorf("signature verification failed: %w", err)
|
||||
|
|
@ -213,11 +213,11 @@ func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey,
|
|||
return keySet.Keys, nil
|
||||
}
|
||||
|
||||
//jsonWebKeySet is an alias for jose.JSONWebKeySet which ignores unknown key types (kty)
|
||||
// jsonWebKeySet is an alias for jose.JSONWebKeySet which ignores unknown key types (kty)
|
||||
type jsonWebKeySet jose.JSONWebKeySet
|
||||
|
||||
//UnmarshalJSON overrides the default jose.JSONWebKeySet method to ignore any error
|
||||
//which might occur because of unknown key types (kty)
|
||||
// UnmarshalJSON overrides the default jose.JSONWebKeySet method to ignore any error
|
||||
// which might occur because of unknown key types (kty)
|
||||
func (k *jsonWebKeySet) UnmarshalJSON(data []byte) (err error) {
|
||||
var raw rawJSONWebKeySet
|
||||
err = json.Unmarshal(data, &raw)
|
||||
|
|
|
|||
|
|
@ -23,53 +23,49 @@ const (
|
|||
pkceCode = "pkce"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
|
||||
)
|
||||
var ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
|
||||
|
||||
//RelyingParty declares the minimal interface for oidc clients
|
||||
// RelyingParty declares the minimal interface for oidc clients
|
||||
type RelyingParty interface {
|
||||
//OAuthConfig returns the oauth2 Config
|
||||
// OAuthConfig returns the oauth2 Config
|
||||
OAuthConfig() *oauth2.Config
|
||||
|
||||
//Issuer returns the issuer of the oidc config
|
||||
// Issuer returns the issuer of the oidc config
|
||||
Issuer() string
|
||||
|
||||
//IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
|
||||
// IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
|
||||
IsPKCE() bool
|
||||
|
||||
//CookieHandler returns a http cookie handler used for various state transfer cookies
|
||||
// CookieHandler returns a http cookie handler used for various state transfer cookies
|
||||
CookieHandler() *httphelper.CookieHandler
|
||||
|
||||
//HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
|
||||
// HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
|
||||
HttpClient() *http.Client
|
||||
|
||||
//IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
|
||||
// IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
|
||||
IsOAuth2Only() bool
|
||||
|
||||
//Signer is used if the relaying party uses the JWT Profile
|
||||
// Signer is used if the relaying party uses the JWT Profile
|
||||
Signer() jose.Signer
|
||||
|
||||
//GetEndSessionEndpoint returns the endpoint to sign out on a IDP
|
||||
// GetEndSessionEndpoint returns the endpoint to sign out on a IDP
|
||||
GetEndSessionEndpoint() string
|
||||
|
||||
//UserinfoEndpoint returns the userinfo
|
||||
// UserinfoEndpoint returns the userinfo
|
||||
UserinfoEndpoint() string
|
||||
|
||||
//IDTokenVerifier returns the verifier interface used for oidc id_token verification
|
||||
// IDTokenVerifier returns the verifier interface used for oidc id_token verification
|
||||
IDTokenVerifier() IDTokenVerifier
|
||||
//ErrorHandler returns the handler used for callback errors
|
||||
// ErrorHandler returns the handler used for callback errors
|
||||
|
||||
ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)
|
||||
}
|
||||
|
||||
type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
|
||||
|
||||
var (
|
||||
DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
|
||||
http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
|
||||
}
|
||||
)
|
||||
var DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
|
||||
http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
|
||||
}
|
||||
|
||||
type relyingParty struct {
|
||||
issuer string
|
||||
|
|
@ -138,9 +134,9 @@ func (rp *relyingParty) ErrorHandler() func(http.ResponseWriter, *http.Request,
|
|||
return rp.errorHandler
|
||||
}
|
||||
|
||||
//NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given
|
||||
//OAuth2 Config and possible configOptions
|
||||
//it will use the AuthURL and TokenURL set in config
|
||||
// NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given
|
||||
// OAuth2 Config and possible configOptions
|
||||
// it will use the AuthURL and TokenURL set in config
|
||||
func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error) {
|
||||
rp := &relyingParty{
|
||||
oauthConfig: config,
|
||||
|
|
@ -161,9 +157,9 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
|
|||
return rp, nil
|
||||
}
|
||||
|
||||
//NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given
|
||||
//issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
|
||||
//it will run discovery on the provided issuer and use the found endpoints
|
||||
// NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given
|
||||
// issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
|
||||
// it will run discovery on the provided issuer and use the found endpoints
|
||||
func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error) {
|
||||
rp := &relyingParty{
|
||||
issuer: issuer,
|
||||
|
|
@ -197,7 +193,7 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
return rp, nil
|
||||
}
|
||||
|
||||
//Option is the type for providing dynamic options to the relyingParty
|
||||
// Option is the type for providing dynamic options to the relyingParty
|
||||
type Option func(*relyingParty) error
|
||||
|
||||
func WithCustomDiscoveryUrl(url string) Option {
|
||||
|
|
@ -207,7 +203,7 @@ func WithCustomDiscoveryUrl(url string) Option {
|
|||
}
|
||||
}
|
||||
|
||||
//WithCookieHandler set a `CookieHandler` for securing the various redirects
|
||||
// WithCookieHandler set a `CookieHandler` for securing the various redirects
|
||||
func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.cookieHandler = cookieHandler
|
||||
|
|
@ -215,9 +211,9 @@ func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
|
|||
}
|
||||
}
|
||||
|
||||
//WithPKCE sets the RP to use PKCE (oauth2 code challenge)
|
||||
//it also sets a `CookieHandler` for securing the various redirects
|
||||
//and exchanging the code challenge
|
||||
// WithPKCE sets the RP to use PKCE (oauth2 code challenge)
|
||||
// it also sets a `CookieHandler` for securing the various redirects
|
||||
// and exchanging the code challenge
|
||||
func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.pkce = true
|
||||
|
|
@ -226,7 +222,7 @@ func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
|
|||
}
|
||||
}
|
||||
|
||||
//WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
|
||||
// WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
|
||||
func WithHTTPClient(client *http.Client) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.httpClient = client
|
||||
|
|
@ -297,7 +293,7 @@ func SignerFromKeyAndKeyID(key []byte, keyID string) SignerFromKey {
|
|||
}
|
||||
}
|
||||
|
||||
//Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
|
||||
// Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
|
||||
//
|
||||
//deprecated: use client.Discover
|
||||
func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
|
||||
|
|
@ -317,7 +313,7 @@ func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
|
|||
return GetEndpoints(discoveryConfig), nil
|
||||
}
|
||||
|
||||
//AuthURL returns the auth request url
|
||||
// AuthURL returns the auth request url
|
||||
//(wrapping the oauth2 `AuthCodeURL`)
|
||||
func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string {
|
||||
authOpts := make([]oauth2.AuthCodeOption, 0)
|
||||
|
|
@ -327,8 +323,8 @@ func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string {
|
|||
return rp.OAuthConfig().AuthCodeURL(state, authOpts...)
|
||||
}
|
||||
|
||||
//AuthURLHandler extends the `AuthURL` method with a http redirect handler
|
||||
//including handling setting cookie for secure `state` transfer
|
||||
// AuthURLHandler extends the `AuthURL` method with a http redirect handler
|
||||
// including handling setting cookie for secure `state` transfer
|
||||
func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
opts := make([]AuthURLOpt, 0)
|
||||
|
|
@ -349,7 +345,7 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
|
|||
}
|
||||
}
|
||||
|
||||
//GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
|
||||
// GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
|
||||
func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
|
||||
codeVerifier := base64.RawURLEncoding.EncodeToString([]byte(uuid.New().String()))
|
||||
if err := rp.CookieHandler().SetCookie(w, pkceCode, codeVerifier); err != nil {
|
||||
|
|
@ -358,8 +354,8 @@ func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (stri
|
|||
return oidc.NewSHACodeChallenge(codeVerifier), nil
|
||||
}
|
||||
|
||||
//CodeExchange handles the oauth2 code exchange, extracting and validating the id_token
|
||||
//returning it parsed together with the oauth2 tokens (access, refresh)
|
||||
// CodeExchange handles the oauth2 code exchange, extracting and validating the id_token
|
||||
// returning it parsed together with the oauth2 tokens (access, refresh)
|
||||
func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error) {
|
||||
ctx = context.WithValue(ctx, oauth2.HTTPClient, rp.HttpClient())
|
||||
codeOpts := make([]oauth2.AuthCodeOption, 0)
|
||||
|
|
@ -391,9 +387,9 @@ func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...Cod
|
|||
|
||||
type CodeExchangeCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty)
|
||||
|
||||
//CodeExchangeHandler extends the `CodeExchange` method with a http handler
|
||||
//including cookie handling for secure `state` transfer
|
||||
//and optional PKCE code verifier checking
|
||||
// CodeExchangeHandler extends the `CodeExchange` method with a http handler
|
||||
// including cookie handling for secure `state` transfer
|
||||
// and optional PKCE code verifier checking
|
||||
func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
state, err := tryReadStateCookie(w, r, rp)
|
||||
|
|
@ -434,9 +430,9 @@ func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.Ha
|
|||
|
||||
type CodeExchangeUserinfoCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, provider RelyingParty, info oidc.UserInfo)
|
||||
|
||||
//UserinfoCallback wraps the callback function of the CodeExchangeHandler
|
||||
//and calls the userinfo endpoint with the access token
|
||||
//on success it will pass the userinfo into its callback function as well
|
||||
// UserinfoCallback wraps the callback function of the CodeExchangeHandler
|
||||
// and calls the userinfo endpoint with the access token
|
||||
// on success it will pass the userinfo into its callback function as well
|
||||
func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
|
||||
return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty) {
|
||||
info, err := Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.GetSubject(), rp)
|
||||
|
|
@ -448,7 +444,7 @@ func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
|
|||
}
|
||||
}
|
||||
|
||||
//Userinfo will call the OIDC Userinfo Endpoint with the provided token
|
||||
// Userinfo will call the OIDC Userinfo Endpoint with the provided token
|
||||
func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo, error) {
|
||||
req, err := http.NewRequest("GET", rp.UserinfoEndpoint(), nil)
|
||||
if err != nil {
|
||||
|
|
@ -512,7 +508,7 @@ func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
|
|||
|
||||
type AuthURLOpt func() []oauth2.AuthCodeOption
|
||||
|
||||
//WithCodeChallenge sets the `code_challenge` params in the auth request
|
||||
// WithCodeChallenge sets the `code_challenge` params in the auth request
|
||||
func WithCodeChallenge(codeChallenge string) AuthURLOpt {
|
||||
return func() []oauth2.AuthCodeOption {
|
||||
return []oauth2.AuthCodeOption{
|
||||
|
|
@ -522,7 +518,7 @@ func WithCodeChallenge(codeChallenge string) AuthURLOpt {
|
|||
}
|
||||
}
|
||||
|
||||
//WithPrompt sets the `prompt` params in the auth request
|
||||
// WithPrompt sets the `prompt` params in the auth request
|
||||
func WithPrompt(prompt ...string) AuthURLOpt {
|
||||
return func() []oauth2.AuthCodeOption {
|
||||
return []oauth2.AuthCodeOption{
|
||||
|
|
@ -533,14 +529,14 @@ func WithPrompt(prompt ...string) AuthURLOpt {
|
|||
|
||||
type CodeExchangeOpt func() []oauth2.AuthCodeOption
|
||||
|
||||
//WithCodeVerifier sets the `code_verifier` param in the token request
|
||||
// WithCodeVerifier sets the `code_verifier` param in the token request
|
||||
func WithCodeVerifier(codeVerifier string) CodeExchangeOpt {
|
||||
return func() []oauth2.AuthCodeOption {
|
||||
return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("code_verifier", codeVerifier)}
|
||||
}
|
||||
}
|
||||
|
||||
//WithClientAssertionJWT sets the `client_assertion` param in the token request
|
||||
// WithClientAssertionJWT sets the `client_assertion` param in the token request
|
||||
func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt {
|
||||
return func() []oauth2.AuthCodeOption {
|
||||
return client.ClientAssertionCodeOptions(clientAssertion)
|
||||
|
|
|
|||
|
|
@ -8,20 +8,20 @@ import (
|
|||
"github.com/zitadel/oidc/pkg/oidc/grants/tokenexchange"
|
||||
)
|
||||
|
||||
//TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
|
||||
// TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
|
||||
type TokenExchangeRP interface {
|
||||
RelyingParty
|
||||
|
||||
//TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
|
||||
// TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
|
||||
TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
|
||||
}
|
||||
|
||||
//DelegationTokenExchangeRP extends the `TokenExchangeRP` interface
|
||||
//for the specific `delegation token` request
|
||||
// DelegationTokenExchangeRP extends the `TokenExchangeRP` interface
|
||||
// for the specific `delegation token` request
|
||||
type DelegationTokenExchangeRP interface {
|
||||
TokenExchangeRP
|
||||
|
||||
//DelegationTokenExchange implement the `Token Exchange Grant`
|
||||
//providing an access token in request for a `delegation` token for a given resource / audience
|
||||
// DelegationTokenExchange implement the `Token Exchange Grant`
|
||||
// providing an access token in request for a `delegation` token for a given resource / audience
|
||||
DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ type IDTokenVerifier interface {
|
|||
MaxAge() time.Duration
|
||||
}
|
||||
|
||||
//VerifyTokens implement the Token Response Validation as defined in OIDC specification
|
||||
// VerifyTokens implement the Token Response Validation as defined in OIDC specification
|
||||
//https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
|
||||
func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
|
||||
idToken, err := VerifyIDToken(ctx, idTokenString, v)
|
||||
|
|
@ -32,7 +32,7 @@ func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTo
|
|||
return idToken, nil
|
||||
}
|
||||
|
||||
//VerifyIDToken validates the id token according to
|
||||
// VerifyIDToken validates the id token according to
|
||||
//https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
||||
func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
|
||||
claims := oidc.EmptyIDTokenClaims()
|
||||
|
|
@ -88,7 +88,7 @@ func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.I
|
|||
return claims, nil
|
||||
}
|
||||
|
||||
//VerifyAccessToken validates the access token according to
|
||||
// VerifyAccessToken validates the access token according to
|
||||
//https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
|
||||
func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
|
||||
if atHash == "" {
|
||||
|
|
@ -105,8 +105,8 @@ func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAl
|
|||
return nil
|
||||
}
|
||||
|
||||
//NewIDTokenVerifier returns an implementation of `IDTokenVerifier`
|
||||
//for `VerifyTokens` and `VerifyIDToken`
|
||||
// NewIDTokenVerifier returns an implementation of `IDTokenVerifier`
|
||||
// for `VerifyTokens` and `VerifyIDToken`
|
||||
func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier {
|
||||
v := &idTokenVerifier{
|
||||
issuer: issuer,
|
||||
|
|
@ -125,46 +125,46 @@ func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...
|
|||
return v
|
||||
}
|
||||
|
||||
//VerifierOption is the type for providing dynamic options to the IDTokenVerifier
|
||||
// VerifierOption is the type for providing dynamic options to the IDTokenVerifier
|
||||
type VerifierOption func(*idTokenVerifier)
|
||||
|
||||
//WithIssuedAtOffset mitigates the risk of iat to be in the future
|
||||
//because of clock skews with the ability to add an offset to the current time
|
||||
// WithIssuedAtOffset mitigates the risk of iat to be in the future
|
||||
// because of clock skews with the ability to add an offset to the current time
|
||||
func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier) {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.offset = offset
|
||||
}
|
||||
}
|
||||
|
||||
//WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
|
||||
// WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
|
||||
func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier) {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.maxAge = maxAge
|
||||
}
|
||||
}
|
||||
|
||||
//WithNonce sets the function to check the nonce
|
||||
// WithNonce sets the function to check the nonce
|
||||
func WithNonce(nonce func(context.Context) string) VerifierOption {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.nonce = nonce
|
||||
}
|
||||
}
|
||||
|
||||
//WithACRVerifier sets the verifier for the acr claim
|
||||
// WithACRVerifier sets the verifier for the acr claim
|
||||
func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.acr = verifier
|
||||
}
|
||||
}
|
||||
|
||||
//WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
|
||||
// WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
|
||||
func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.maxAge = maxAge
|
||||
}
|
||||
}
|
||||
|
||||
//WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm
|
||||
// WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm
|
||||
func WithSupportedSigningAlgorithms(algs ...string) VerifierOption {
|
||||
return func(v *idTokenVerifier) {
|
||||
v.supportedSignAlgs = algs
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue