cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/pkg/op/verifier_id_token_hint.go
Tim Möhlmann 88aab28603 use type aliases for oidc.Verifier 
this binds the correct contstructor to each verifier usecase.
2023-03-20 18:31:47 +02:00

68 lines
1.7 KiB
Go
Raw Blame History

package op
import (
"context"
"github.com/zitadel/oidc/v3/pkg/oidc"
)
type IDTokenHintVerifier oidc.Verifier
type IDTokenHintVerifierOpt func(*IDTokenHintVerifier)
func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt {
return func(verifier *IDTokenHintVerifier) {
verifier.SupportedSignAlgs = algs
}
}
func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) *IDTokenHintVerifier {
verifier := &IDTokenHintVerifier{
Issuer: issuer,
KeySet: keySet,
}
for _, opt := range opts {
opt(verifier)
}
return verifier
}
// VerifyIDTokenHint validates the id token according to
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTokenHintVerifier) (claims C, err error) {
var nilClaims C
decrypted, err := oidc.DecryptToken(token)
if err != nil {
return nilClaims, err
}
payload, err := oidc.ParseToken(decrypted, &claims)
if err != nil {
return nilClaims, err
}
if err := oidc.CheckIssuer(claims, v.Issuer); err != nil {
return nilClaims, err
}
if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs, v.KeySet); err != nil {
return nilClaims, err
}
if err = oidc.CheckExpiration(claims, v.Offset); err != nil {
return nilClaims, err
}
if err = oidc.CheckIssuedAt(claims, v.MaxAgeIAT, v.Offset); err != nil {
return nilClaims, err
}
if err = oidc.CheckAuthorizationContextClassReference(claims, v.ACR); err != nil {
return nilClaims, err
}
if err = oidc.CheckAuthTime(claims, v.MaxAge); err != nil {
return nilClaims, err
}
return claims, nil
}
Reference in a new issue View git blame Copy permalink