(token *oauth2.Token)
| 131 | } |
| 132 | |
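// parseIdToken extracts the OIDC id_token from the provider's token response,
// validates it and returns its claims.
//
// The token is first decoded without signature verification (the claims are
// needed for the checks that follow). It then applies:
//   - the jwt.Validator time checks plus iat, with idTokenLeeway of clock skew;
//   - the aud claim must contain p.clientId;
//   - if the "issuers" extra config is set, iss must equal one of its entries;
//   - if the "jwksURL" extra config is set, the token signature is verified
//     against the keys published at that URL.
//
// Without "jwksURL" the signature is never checked: the claims are trusted
// solely because the id_token arrived over the provider's TLS channel (see
// the inline note below).
//
// Returns an error when the id_token is missing or empty, cannot be parsed,
// or fails any of the enabled checks.
func (p *OIDC) parseIdToken(token *oauth2.Token) (jwt.MapClaims, error) {
	// The extra may be absent (nil) or not a string; a single-value type
	// assertion would panic in both cases, so use the two-value form and
	// treat them as an empty token.
	idToken, _ := token.Extra("id_token").(string)
	if idToken == "" {
		return nil, errors.New("empty id_token")
	}

	// ParseUnverified decodes the claims WITHOUT checking the signature;
	// signature verification (when configured) happens at the end.
	claims := jwt.MapClaims{}
	_, _, err := jwt.NewParser().ParseUnverified(idToken, claims)
	if err != nil {
		return nil, err
	}

	// validate common claims
	jwtValidator := jwt.NewValidator(
		jwt.WithIssuedAt(),
		jwt.WithLeeway(idTokenLeeway),
		jwt.WithAudience(p.clientId),
	)
	if err = jwtValidator.Validate(claims); err != nil {
		return nil, err
	}

	// validate iss (if "issuers" extra config is set)
	issuers := cast.ToStringSlice(p.Extra()["issuers"])
	if len(issuers) > 0 {
		// The GetIssuer error is deliberately ignored: an unreadable iss
		// simply does not match any configured issuer and fails below.
		claimIssuer, _ := claims.GetIssuer()

		isIssValid := false
		for _, issuer := range issuers {
			if security.Equal(claimIssuer, issuer) {
				isIssValid = true
				break
			}
		}

		if !isIssValid {
			return nil, fmt.Errorf("iss must be one of %v, got %#v", issuers, claims["iss"])
		}
	}

	// validate signature (if "jwksURL" extra config is set)
	//
	// note: this step could be technically considered optional because we trust
	// the token which is a result of direct TLS communication with the provider
	// (see also https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
	jwksURL := cast.ToString(p.Extra()["jwksURL"])
	if jwksURL != "" {
		if err = jwk.ValidateTokenSignature(p.ctx, idToken, jwksURL); err != nil {
			return nil, fmt.Errorf("id_token validation failed: %w", err)
		}
	}

	return claims, nil
}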