change some interfaces
This commit is contained in:
Livio Amstutz
parent
bfbd4adb1c
commit
eaf47fde8e
10 changed files with 130 additions and 20 deletions
73
pkg/op/verifier.go
Normal file
73
pkg/op/verifier.go
Normal file
|
|
@ -0,0 +1,73 @@
|
|||
package op
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
)
|
||||
|
||||
type IDTokenHintVerifier interface {
|
||||
}
|
||||
|
||||
//VerifyIDToken validates the id token according to
|
||||
//https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
||||
func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (*oidc.IDTokenClaims, error) {
|
||||
claims := new(oidc.IDTokenClaims)
|
||||
|
||||
decrypted, err := oidc.DecryptToken(token)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
payload, err := oidc.ParseToken(decrypted, claims)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
//2, check issuer (exact match)
|
||||
if err := oidc.CheckIssuer(claims.GetIssuer(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//3. check aud (aud must contain client_id, all aud strings must be allowed)
|
||||
if err = oidc.CheckAudience(claims.GetAudience(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err = oidc.CheckAuthorizedParty(claims.GetAudience(), claims.GetAuthorizedParty(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//6. check signature by keys
|
||||
//7. check alg default is rs256
|
||||
//8. check if alg is mac based (hs...) -> audience contains client_id. for validation use utf-8 representation of your client_secret
|
||||
if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs(), v.KeySet()); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//9. check exp before now
|
||||
if err = oidc.CheckExpiration(claims.GetExpiration(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//10. check iat duration is optional (can be checked)
|
||||
if err = oidc.CheckIssuedAt(claims.GetIssuedAt(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
/*
|
||||
//11. check nonce (check if optional possible) id_token.nonce == sentNonce
|
||||
if err = oidc.CheckNonce(claims.GetNonce()); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
*/
|
||||
|
||||
//12. if acr requested check acr
|
||||
if err = oidc.CheckAuthorizationContextClassReference(claims.GetAuthenticationContextClassReference(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//13. if auth_time requested check if auth_time is less than max age
|
||||
if err = oidc.CheckAuthTime(claims.GetAuthTime(), v); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return claims, nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue