(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string)
| 402 | } |
| 403 | |
| 404 | func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) { |
| 405 | createdAt := time.Now().Unix() |
| 406 | expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix() |
| 407 | |
| 408 | hasher := sha256.New() |
| 409 | |
| 410 | der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey) |
| 411 | |
| 412 | if der == nil { |
| 413 | return "", errors.New("failed to marshal public key") |
| 414 | } |
| 415 | |
| 416 | hasher.Write(der) |
| 417 | |
| 418 | signer, err := jose.NewSigner(jose.SigningKey{ |
| 419 | Algorithm: jose.RS256, |
| 420 | Key: service.privateKey, |
| 421 | }, &jose.SignerOptions{ |
| 422 | ExtraHeaders: map[jose.HeaderKey]any{ |
| 423 | "typ": "jwt", |
| 424 | "jku": fmt.Sprintf("%s/.well-known/jwks.json", service.issuer), |
| 425 | "kid": base64.URLEncoding.EncodeToString(hasher.Sum(nil)), |
| 426 | }, |
| 427 | }) |
| 428 | |
| 429 | if err != nil { |
| 430 | return "", err |
| 431 | } |
| 432 | |
| 433 | userInfo := service.CompileUserinfo(user, scope) |
| 434 | |
| 435 | claims := ClaimSet{ |
| 436 | Iss: service.issuer, |
| 437 | Aud: client.ClientID, |
| 438 | Sub: user.Sub, |
| 439 | Iat: createdAt, |
| 440 | Exp: expiresAt, |
| 441 | Name: userInfo.Name, |
| 442 | Email: userInfo.Email, |
| 443 | EmailVerified: userInfo.EmailVerified, |
| 444 | PreferredUsername: userInfo.PreferredUsername, |
| 445 | Groups: userInfo.Groups, |
| 446 | Nonce: nonce, |
| 447 | } |
| 448 | |
| 449 | payload, err := json.Marshal(claims) |
| 450 | |
| 451 | if err != nil { |
| 452 | return "", err |
| 453 | } |
| 454 | |
| 455 | object, err := signer.Sign(payload) |
| 456 | |
| 457 | if err != nil { |
| 458 | return "", err |
| 459 | } |
| 460 | |
| 461 | token, err := object.CompactSerialize() |