
Method generateIDToken

internal/service/oidc_service.go:404–468  ·  view source on GitHub ↗
(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string)


402}
403
404func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
405 createdAt := time.Now().Unix()
406 expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
407
408 hasher := sha256.New()
409
410 der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
411
412 if der == nil {
413 return "", errors.New("failed to marshal public key")
414 }
415
416 hasher.Write(der)
417
418 signer, err := jose.NewSigner(jose.SigningKey{
419 Algorithm: jose.RS256,
420 Key: service.privateKey,
421 }, &jose.SignerOptions{
422 ExtraHeaders: map[jose.HeaderKey]any{
423 "typ": "jwt",
424 "jku": fmt.Sprintf("%s/.well-known/jwks.json", service.issuer),
425 "kid": base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
426 },
427 })
428
429 if err != nil {
430 return "", err
431 }
432
433 userInfo := service.CompileUserinfo(user, scope)
434
435 claims := ClaimSet{
436 Iss: service.issuer,
437 Aud: client.ClientID,
438 Sub: user.Sub,
439 Iat: createdAt,
440 Exp: expiresAt,
441 Name: userInfo.Name,
442 Email: userInfo.Email,
443 EmailVerified: userInfo.EmailVerified,
444 PreferredUsername: userInfo.PreferredUsername,
445 Groups: userInfo.Groups,
446 Nonce: nonce,
447 }
448
449 payload, err := json.Marshal(claims)
450
451 if err != nil {
452 return "", err
453 }
454
455 object, err := signer.Sign(payload)
456
457 if err != nil {
458 return "", err
459 }
460
461 token, err := object.CompactSerialize()

