fix token validation and error messages

2020-08-03 15:32:49 +02:00 · 2020-08-03 15:32:49 +02:00 · e46029eebd
commit e46029eebd
parent 3663b9d1af
7 changed files with 57 additions and 31 deletions
--- a/pkg/rp/default_verifier.go
+++ b/pkg/rp/default_verifier.go
@ -148,7 +148,7 @@ func DefaultACRVerifier(possibleValues []string) ACRVerifier {
 //and https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
 func (v *DefaultVerifier) Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error) {
 	v.config.now = time.Now().UTC()
-	idToken, err := v.VerifyIDToken(ctx, idTokenString)
+	idToken, err := v.VerifyIdToken(ctx, idTokenString)
 	if err != nil {
 		return nil, err
 	}
@ -158,15 +158,9 @@ func (v *DefaultVerifier) Verify(ctx context.Context, accessToken, idTokenString
 	return idToken, nil
 }

-func (v *DefaultVerifier) now() time.Time {
-	if v.config.now.IsZero() {
-		v.config.now = time.Now().UTC().Round(time.Second)
-	}
-	return v.config.now
-}
-
-//VerifyIDToken: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
-func (v *DefaultVerifier) VerifyIDToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error) {
+//Verify implements the `VerifyIdToken` method of the `Verifier` interface
+//according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+func (v *DefaultVerifier) VerifyIdToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error) {
 	//1. if encrypted --> decrypt
 	decrypted, err := v.decryptToken(idTokenString)
 	if err != nil {
@ -227,6 +221,13 @@ func (v *DefaultVerifier) VerifyIDToken(ctx context.Context, idTokenString strin
 	return claims, nil
 }

+func (v *DefaultVerifier) now() time.Time {
+	if v.config.now.IsZero() {
+		v.config.now = time.Now().UTC().Round(time.Second)
+	}
+	return v.config.now
+}
+
 func (v *DefaultVerifier) parseToken(tokenString string) (*oidc.IDTokenClaims, []byte, error) {
 	parts := strings.Split(tokenString, ".")
 	if len(parts) != 3 {
@ -372,7 +373,7 @@ func (v *DefaultVerifier) decryptToken(tokenString string) (string, error) {
 }

 func (v *DefaultVerifier) verifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
-	if accessToken == "" {
+	if atHash == "" {
 		return nil
 	}

--- a/pkg/rp/mock/verifier.mock.go
+++ b/pkg/rp/mock/verifier.mock.go
@ -48,3 +48,18 @@ func (mr *MockVerifierMockRecorder) Verify(arg0, arg1, arg2 interface{}) *gomock
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Verify", reflect.TypeOf((*MockVerifier)(nil).Verify), arg0, arg1, arg2)
 }
+
+// VerifyIdToken mocks base method
+func (m *MockVerifier) VerifyIdToken(arg0 context.Context, arg1 string) (*oidc.IDTokenClaims, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "VerifyIdToken", arg0, arg1)
+	ret0, _ := ret[0].(*oidc.IDTokenClaims)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyIdToken indicates an expected call of VerifyIdToken
+func (mr *MockVerifierMockRecorder) VerifyIdToken(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyIdToken", reflect.TypeOf((*MockVerifier)(nil).VerifyIdToken), arg0, arg1)
+}
--- a/pkg/rp/verifier.go
+++ b/pkg/rp/verifier.go
@ -12,4 +12,7 @@ type Verifier interface {

 	//Verify checks the access_token and id_token and returns the `id token claims`
 	Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)
+
+	//VerifyIdToken checks the id_token only and returns its `id token claims`
+	VerifyIdToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error)
 }