131}
132
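// parseIdToken extracts and validates the OIDC id_token carried in the
// "id_token" extra field of the exchanged OAuth2 token.
//
// The claims are first parsed without signature verification, then the
// standard claims are validated (with idTokenLeeway and the client id as
// expected audience), the "iss" claim is checked against the optional
// "issuers" extra config, and finally the signature is verified against
// the optional "jwksURL" extra config.
//
// It returns the parsed claims, or an error when the id_token is missing,
// malformed, or fails any of the enabled validations.
func (p *OIDC) parseIdToken(token *oauth2.Token) (jwt.MapClaims, error) {
	// A missing or non-string "id_token" extra would panic on a single-value
	// type assertion; the two-value form turns it into an ordinary error below.
	idToken, _ := token.Extra("id_token").(string)
	if idToken == "" {
		return nil, errors.New("empty id_token")
	}

	// Parse without verifying the signature; the signature check (when enabled)
	// is performed separately at the end against the configured jwksURL.
	claims := jwt.MapClaims{}
	if _, _, err := jwt.NewParser().ParseUnverified(idToken, claims); err != nil {
		return nil, err
	}

	// validate common claims
	//
	// NOTE(review): time claims are presumably only validated when present
	// unless the validator is built with jwt.WithExpirationRequired() — confirm
	// against the jwt library version in use.
	jwtValidator := jwt.NewValidator(
		jwt.WithIssuedAt(),
		jwt.WithLeeway(idTokenLeeway),
		jwt.WithAudience(p.clientId),
	)
	if err := jwtValidator.Validate(claims); err != nil {
		return nil, err
	}

	// validate iss (if "issuers" extra config is set)
	issuers := cast.ToStringSlice(p.Extra()["issuers"])
	if len(issuers) > 0 {
		// The GetIssuer error is deliberately ignored: a missing or malformed
		// iss is expected to yield "" which cannot match a configured issuer.
		claimIssuer, _ := claims.GetIssuer()

		isIssValid := false
		for _, issuer := range issuers {
			// security.Equal is used for the comparison rather than == so the
			// comparison style stays consistent with the rest of the auth tools.
			if security.Equal(claimIssuer, issuer) {
				isIssValid = true
				break
			}
		}

		if !isIssValid {
			return nil, fmt.Errorf("iss must be one of %v, got %#v", issuers, claims["iss"])
		}
	}

	// validate signature (if "jwksURL" extra config is set)
	//
	// note: this step could be technically considered optional because we trust
	// the token which is a result of direct TLS communication with the provider
	// (see also https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
	jwksURL := cast.ToString(p.Extra()["jwksURL"])
	if jwksURL != "" {
		if err := jwk.ValidateTokenSignature(p.ctx, idToken, jwksURL); err != nil {
			return nil, fmt.Errorf("id_token validation failed: %w", err)
		}
	}

	return claims, nil
}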
