BREAKING CHANGE: - The various verifier types are merged into an oidc.Verifier. - oidc.Verifier became a struct with exported fields * use type aliases for oidc.Verifier; this binds the correct constructor to each verifier use case. * fix: handle the zero cases for oidc.Time * add unit tests to oidc verifier * fix: correct returned field for JWTTokenRequest. JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field. This change corrects that by returning IssuedAt instead.
package op
import (
"context"
"github.com/zitadel/oidc/v3/pkg/oidc"
)
// AccessTokenVerifier is a defined type (not an alias) whose underlying struct is
// oidc.Verifier: its fields carry over, but any methods declared on oidc.Verifier
// are not promoted to it. This file reads Issuer, KeySet, SupportedSignAlgs and
// Offset from it; build one with NewAccessTokenVerifier and hand it to
// VerifyAccessToken.
type AccessTokenVerifier oidc.Verifier
// AccessTokenVerifierOpt mutates an AccessTokenVerifier while it is being built.
// NewAccessTokenVerifier applies every option, in the order given, after Issuer
// and KeySet have been set.
type AccessTokenVerifierOpt func(*AccessTokenVerifier)
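// WithSupportedAccessTokenSigningAlgorithms sets the SupportedSignAlgs field that
// VerifyAccessToken passes to oidc.CheckSignature. The option stores a private
// copy of algs: the verifier's accepted-algorithm list therefore cannot be
// changed afterwards by a caller that keeps and mutates its own slice. A nil
// algs leaves SupportedSignAlgs nil.
func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt {
	return func(verifier *AccessTokenVerifier) {
		// Appending onto a zero-capacity reslice of algs forces a fresh backing
		// array while keeping nil-ness (nil stays nil, empty stays empty).
		verifier.SupportedSignAlgs = append(algs[:0:0], algs...)
	}
}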
// NewAccessTokenVerifier returns an AccessTokenVerifier for access token
// verification, populated with issuer and keySet and then modified by opts in
// the order given. Only Issuer and KeySet are set here; SupportedSignAlgs and
// Offset keep their zero values unless an option changes them. Neither issuer
// nor keySet is validated by this constructor.
func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *AccessTokenVerifier {
	v := new(AccessTokenVerifier)
	v.Issuer = issuer
	v.KeySet = keySet
	for i := range opts {
		opts[i](v)
	}
	return v
}
// VerifyAccessToken decrypts and parses token into a C, then checks, in this
// order, the issuer against v.Issuer, the signature against v.KeySet restricted
// to v.SupportedSignAlgs, and the expiration with v.Offset as the tolerated
// skew. The first failing step's error is returned together with the zero
// value of C, so callers never receive claims that did not pass every check.
// Only a fully checked token yields a non-zero C and a nil error.
func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *AccessTokenVerifier) (claims C, err error) {
	var zero C

	decrypted, err := oidc.DecryptToken(token)
	if err != nil {
		return zero, err
	}
	payload, err := oidc.ParseToken(decrypted, &claims)
	if err != nil {
		return zero, err
	}

	// The issuer is compared before the signature is checked, so this step reads
	// claims from a token whose signature has not yet been verified; the result
	// is only returned once every check below has passed as well.
	if err = oidc.CheckIssuer(claims, v.Issuer); err != nil {
		return zero, err
	}
	if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs, v.KeySet); err != nil {
		return zero, err
	}
	if err = oidc.CheckExpiration(claims, v.Offset); err != nil {
		return zero, err
	}

	return claims, nil
}