When ParseAuthorizeRequest received an invalid URL,
for example containing a semi-colon `;`,
AuthRequestError used to panic.
This was because a typed nil was passed as a interface argument.
The nil check inside AuthRequestError always resulted in false,
allowing access through the nil pointer.
Fixes#315
* feat: Allow modifying request to device authorization endpoint
This change enables the caller to set URL parameters when calling the
device authorization endpoint.
Fixes#354
* Update device authorization example
This fixes an issue where, when using the device authorization flow, the
grant type would be set twice. Some OPs don't accept this, and fail when
polling.
With this fix the grant type is only set once, which will make some OPs
happy again.
Fixes#352
* op: correct typo
rename checkURIAginstRedirects to checkURIAgainstRedirects
* chore: document standard deviation when using globs
add example on how to toggle the underlying
client implementation based on DevMode.
---------
Co-authored-by: David Sharnoff <dsharnoff@singlestore.com>
BREAKING CHANGE:
- The various verifier types are merged into a oidc.Verifir.
- oidc.Verfier became a struct with exported fields
* use type aliases for oidc.Verifier
this binds the correct contstructor to each verifier usecase.
* fix: handle the zero cases for oidc.Time
* add unit tests to oidc verifier
* fix: correct returned field for JWTTokenRequest
JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field.
This change corrects that by returning IssuedAt instead.
JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field.
This change corrects that by returning IssuedAt instead.
This bug was introduced in #283
- rotated features table for better rendering
- add links to specifications in feature table
- remove redundant links from the resources section
- changed "Token Exhange" feature to full yes (PR #255)
- add "Device Authorization" with full yes (PR #285)
* oidc: add regression tests for token claim json
this helps to verify that the same JSON is produced,
after these types are refactored.
* refactor: use struct types for claim related types
BREAKING CHANGE:
The following types are changed from interface to struct type:
- AccessTokenClaims
- IDTokenClaims
- IntrospectionResponse
- UserInfo and related types.
The following methods of OPStorage now take a pointer to a struct type,
instead of an interface:
- SetUserinfoFromScopes
- SetUserinfoFromToken
- SetIntrospectionFromToken
The following functions are now generic, so that type-safe extension
of Claims is now possible:
- op.VerifyIDTokenHint
- op.VerifyAccessToken
- rp.VerifyTokens
- rp.VerifyIDToken
- Changed UserInfoAddress to pointer in UserInfo and
IntrospectionResponse.
This was needed to make omitempty work correctly.
- Copy or merge maps in IntrospectionResponse and SetUserInfo
* op: add example for VerifyAccessToken
* fix: rp: wrong assignment in WithIssuedAtMaxAge
WithIssuedAtMaxAge assigned its value to v.maxAge, which was wrong.
This change fixes that by assiging the duration to v.maxAgeIAT.
* rp: add VerifyTokens example
* oidc: add standard references to:
- IDTokenClaims
- IntrospectionResponse
- UserInfo
* only count coverage for `./pkg/...`
BREAKING CHANGE:
- op.NewOpenIDProvider
- op.NewDynamicOpenIDProvider
The call chain of above functions did not use the context anywhere.
This change removes the context from those fucntion arguments.
This change implements OAuth2 Token Exchange in OP according to RFC 8693 (and client code)
Some implementation details:
- OP parses and verifies subject/actor tokens natively if they were issued by OP
- Third-party tokens verification is also possible by implementing additional storage interface
- Token exchange can issue only OP's native tokens (id_token, access_token and refresh_token) with static issuer
