cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/pkg/rp/verifier.go
Livio Amstutz a37a8461a5 lot of unfinished changes
2020-09-08 16:07:49 +02:00

116 lines
3.4 KiB
Go
Raw Blame History

package rp
import (
"context"
"gopkg.in/square/go-jose.v2"
"github.com/caos/oidc/pkg/oidc"
)
//deprecated: Use IDTokenVerifier or oidc.Verifier
type Verifier interface {
//Verify checks the access_token and id_token and returns the `id token claims`
Verify(ctx context.Context, accessToken, idTokenString string) (*oidc.IDTokenClaims, error)
//VerifyIDToken checks the id_token only and returns its `id token claims`
VerifyIDToken(ctx context.Context, idTokenString string) (*oidc.IDTokenClaims, error)
}
type IDTokenVerifier interface {
oidc.Verifier
}
//VerifyTokens implement the Token Response Validation as defined in OIDC specification
//https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (*oidc.IDTokenClaims, error) {
idToken, err := VerifyIDToken(ctx, idTokenString, v)
if err != nil {
return nil, err
}
if err := VerifyAccessToken(accessToken, idToken.AccessTokenHash, idToken.Signature); err != nil {
return nil, err
}
return idToken, nil
}
//VerifyIDToken validates the id token according to
//https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (*oidc.IDTokenClaims, error) {
claims := new(oidc.IDTokenClaims)
decrypted, err := oidc.DecryptToken(token)
if err != nil {
return nil, err
}
payload, err := oidc.ParseToken(decrypted, claims)
if err != nil {
return nil, err
}
//2, check issuer (exact match)
if err := oidc.CheckIssuer(claims.GetIssuer(), v); err != nil {
return nil, err
}
//3. check aud (aud must contain client_id, all aud strings must be allowed)
if err = oidc.CheckAudience(claims.GetAudience(), v); err != nil {
return nil, err
}
if err = oidc.CheckAuthorizedParty(claims.GetAudience(), claims.GetAuthorizedParty(), v); err != nil {
return nil, err
}
//6. check signature by keys
//7. check alg default is rs256
//8. check if alg is mac based (hs...) -> audience contains client_id. for validation use utf-8 representation of your client_secret
if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v); err != nil {
return nil, err
}
//9. check exp before now
if err = oidc.CheckExpiration(claims.GetExpiration(), v); err != nil {
return nil, err
}
//10. check iat duration is optional (can be checked)
if err = oidc.CheckIssuedAt(claims.GetIssuedAt(), v); err != nil {
return nil, err
}
/*
//11. check nonce (check if optional possible) id_token.nonce == sentNonce
if err = oidc.CheckNonce(claims.GetNonce()); err != nil {
return nil, err
}
*/
//12. if acr requested check acr
if err = oidc.CheckAuthorizationContextClassReference(claims.GetAuthenticationContextClassReference(), v); err != nil {
return nil, err
}
//13. if auth_time requested check if auth_time is less than max age
if err = oidc.CheckAuthTime(claims.GetAuthTime(), v); err != nil {
return nil, err
}
return claims, nil
}
//VerifyAccessToken validates the access token according to
//https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
if atHash == "" {
return nil
}
actual, err := oidc.ClaimHash(accessToken, sigAlgorithm)
if err != nil {
return err
}
if actual != atHash {
return oidc.ErrAtHash
}
return nil
}
Reference in a new issue View git blame Copy permalink