cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/pkg/op/verifier_jwt_profile.go
Livio Amstutz 1518c843de
feat: token introspection (#83) 
* introspect

* introspect and client assertion

* introspect and client assertion

* scopes

* token introspection

* introspect

* refactoring

* fixes

* clenaup

* Update example/internal/mock/storage.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* clenaup

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2021-02-15 13:43:50 +01:00

101 lines
2.1 KiB
Go
Raw Blame History

package op
import (
"context"
"errors"
"time"
"gopkg.in/square/go-jose.v2"
"github.com/caos/oidc/pkg/oidc"
)
type JWTProfileVerifier interface {
oidc.Verifier
Storage() Storage
}
type jwtProfileVerifier struct {
storage Storage
issuer string
maxAgeIAT time.Duration
offset time.Duration
}
func NewJWTProfileVerifier(storage Storage, issuer string, maxAgeIAT, offset time.Duration) JWTProfileVerifier {
return &jwtProfileVerifier{
storage: storage,
issuer: issuer,
maxAgeIAT: maxAgeIAT,
offset: offset,
}
}
func (v *jwtProfileVerifier) Issuer() string {
return v.issuer
}
func (v *jwtProfileVerifier) Storage() Storage {
return v.storage
}
func (v *jwtProfileVerifier) MaxAgeIAT() time.Duration {
return v.maxAgeIAT
}
func (v *jwtProfileVerifier) Offset() time.Duration {
return v.offset
}
func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error) {
request := new(oidc.JWTTokenRequest)
payload, err := oidc.ParseToken(assertion, request)
if err != nil {
return nil, err
}
if err = oidc.CheckAudience(request, v.Issuer()); err != nil {
return nil, err
}
if err = oidc.CheckExpiration(request, v.Offset()); err != nil {
return nil, err
}
if err = oidc.CheckIssuedAt(request, v.MaxAgeIAT(), v.Offset()); err != nil {
return nil, err
}
if request.Issuer != request.Subject {
//TODO: implement delegation (openid core / oauth rfc)
}
keySet := &jwtProfileKeySet{v.Storage(), request.Issuer}
if err = oidc.CheckSignature(ctx, assertion, payload, request, nil, keySet); err != nil {
return nil, err
}
return request, nil
}
type jwtProfileKeySet struct {
Storage
userID string
}
func (k *jwtProfileKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
keyID := ""
for _, sig := range jws.Signatures {
keyID = sig.Header.KeyID
break
}
key, err := k.Storage.GetKeyByIDAndUserID(ctx, keyID, k.userID)
if err != nil {
return nil, errors.New("error fetching keys")
}
payload, err, ok := oidc.CheckKey(keyID, jws, *key)
if !ok {
return nil, errors.New("invalid kid")
}
return payload, err
}
Reference in a new issue View git blame Copy permalink