package op import ( "context" "github.com/caos/oidc/pkg/oidc" ) type IDTokenHintVerifier interface { } //VerifyIDToken validates the id token according to //https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation func VerifyIDTokenHint(ctx context.Context, token string, v IDTokenHintVerifier) (*oidc.IDTokenClaims, error) { claims := new(oidc.IDTokenClaims) decrypted, err := oidc.DecryptToken(token) if err != nil { return nil, err } payload, err := oidc.ParseToken(decrypted, claims) if err != nil { return nil, err } //2, check issuer (exact match) if err := oidc.CheckIssuer(claims.GetIssuer(), v); err != nil { return nil, err } //3. check aud (aud must contain client_id, all aud strings must be allowed) if err = oidc.CheckAudience(claims.GetAudience(), v); err != nil { return nil, err } if err = oidc.CheckAuthorizedParty(claims.GetAudience(), claims.GetAuthorizedParty(), v); err != nil { return nil, err } //6. check signature by keys //7. check alg default is rs256 //8. check if alg is mac based (hs...) -> audience contains client_id. for validation use utf-8 representation of your client_secret if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs(), v.KeySet()); err != nil { return nil, err } //9. check exp before now if err = oidc.CheckExpiration(claims.GetExpiration(), v); err != nil { return nil, err } //10. check iat duration is optional (can be checked) if err = oidc.CheckIssuedAt(claims.GetIssuedAt(), v); err != nil { return nil, err } /* //11. check nonce (check if optional possible) id_token.nonce == sentNonce if err = oidc.CheckNonce(claims.GetNonce()); err != nil { return nil, err } */ //12. if acr requested check acr if err = oidc.CheckAuthorizationContextClassReference(claims.GetAuthenticationContextClassReference(), v); err != nil { return nil, err } //13. if auth_time requested check if auth_time is less than max age if err = oidc.CheckAuthTime(claims.GetAuthTime(), v); err != nil { return nil, err } return claims, nil }