
Method authenticate

security/pkg/server/ca/authenticate/oidc.go:92–117  ·  view source on GitHub ↗
(ctx context.Context, bearerToken string)


90}
91
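// authenticate validates bearerToken as an OIDC ID token and maps the
// Kubernetes service account it names to a SPIFFE identity.
//
// The token is first handed to j.verifier; signature, issuer and expiry
// checks are assumed to live there (NOTE(review): nothing in this method
// re-checks them — confirm the verifier's configuration). The decoded "sub"
// claim must have the exact form
// "system:serviceaccount:<namespace>:<serviceaccount>" and the "aud" claim
// must satisfy checkAudience against j.audiences. The returned Caller carries
// a single identity built by spiffe.MustGenSpiffeURI from the mesh config
// and the parsed namespace / service-account pair.
//
// Returns an error (and a nil Caller) when verification fails, the claims
// cannot be decoded, "sub" is malformed, or the audience does not match.
// Malformed subjects such as "system:serviceaccount" or
// "system:serviceaccount:ns" are rejected explicitly: the previous unchecked
// parts[2] / parts[3] indexing turned a signed-but-malformed token into an
// index-out-of-range panic, which, absent a recover in the caller, takes the
// whole process down.
func (j *JwtAuthenticator) authenticate(ctx context.Context, bearerToken string) (*security.Caller, error) {
	idToken, err := j.verifier.Verify(ctx, bearerToken)
	if err != nil {
		return nil, fmt.Errorf("failed to verify the JWT token (error %v)", err)
	}

	sa := JwtPayload{}
	// "aud" for trust domain, "sub" has "system:serviceaccount:$namespace:$serviceaccount".
	// in future trust domain may use another field as a standard is defined.
	if err := idToken.Claims(&sa); err != nil {
		return nil, fmt.Errorf("failed to extract claims from ID token: %v", err)
	}

	// Require the full prefix including the trailing colon. A bare
	// HasPrefix(sub, "system:serviceaccount") also accepts
	// "system:serviceaccountXYZ:..." and subjects too short to index.
	const saSubjectPrefix = "system:serviceaccount:"
	if !strings.HasPrefix(sa.Sub, saSubjectPrefix) {
		return nil, fmt.Errorf("invalid sub %v", sa.Sub)
	}
	// Per the documented format only "<namespace>:<serviceaccount>" may
	// follow the prefix, so exactly two non-empty segments must remain;
	// anything else is treated as malformed rather than silently sliced.
	parts := strings.Split(strings.TrimPrefix(sa.Sub, saSubjectPrefix), ":")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, fmt.Errorf("invalid sub %v", sa.Sub)
	}
	ns, ksa := parts[0], parts[1]

	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}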
118
119// checkAudience() returns true if the audiences to check are in
120// the expected audiences. Otherwise, return false.

Callers 1

AuthenticateMethod · 0.95

Calls 6

MustGenSpiffeURIFunction · 0.92
checkAudienceFunction · 0.85
ErrorfMethod · 0.65
SplitMethod · 0.65
MeshMethod · 0.65
VerifyMethod · 0.45

Tested by

no test coverage detected