| 174 | } |
| 175 | |
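// NewAccessValidator builds an Access that checks Cloudflare Access JWTs.
//
// domain is the Access team domain; the JSON Web Key Set used to verify
// token signatures is fetched from domainURL+accessCertPath. issuer is the
// issuer the token's "iss" claim must match, and applicationAUD is the
// audience tag (go-oidc's ClientID) the token must carry. Both domain and
// issuer go through validateUrlString, and an error from either is returned
// unchanged.
func NewAccessValidator(ctx context.Context, domain, issuer, applicationAUD string) (*Access, error) {
	domainURL, err := validateUrlString(domain)
	if err != nil {
		return nil, err
	}

	issuerURL, err := validateUrlString(issuer)
	if err != nil {
		return nil, err
	}

	// An issuerURL from Cloudflare Access will always use HTTPS. Only the
	// leading scheme is rewritten: an unanchored replace of "http:" would
	// also hit a later occurrence of that text (e.g. inside a query string),
	// which is not what the upgrade is meant to do.
	if strings.HasPrefix(issuerURL, "http:") {
		issuerURL = "https:" + strings.TrimPrefix(issuerURL, "http:")
	}

	// NOTE(review): domainURL keeps whatever scheme validateUrlString
	// returned, so the key set that signatures are checked against is
	// fetched over that scheme — confirm the helper rejects (or upgrades)
	// plain http, otherwise JWKS retrieval is not authenticated.
	keySet := oidc.NewRemoteKeySet(ctx, domainURL+accessCertPath)

	// ClientID is the audience the verifier enforces on every token; an
	// empty applicationAUD is presumably rejected by go-oidc at Verify time
	// rather than here — verify against the library version in use.
	verifier := oidc.NewVerifier(issuerURL, keySet, &oidc.Config{ClientID: applicationAUD})
	return &Access{verifier: verifier}, nil
}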
| 193 | |
| 194 | func (a *Access) Validate(ctx context.Context, jwt string) error { |
| 195 | token, err := a.verifier.Verify(ctx, jwt) |