| 293 | } |
| 294 | |
// CheckToken decides whether the request carries an acceptable OAuth token.
//
// The steps run in a fixed order: read the app-scoped token cookie, hand its
// raw value to the provider's OIDC verifier, parse claims out of the verified
// ID token, then pass the username and groups to checkAllowed.
//
// It returns ErrMissingOAuthToken when the cookie cannot be read, an error
// wrapping both ErrInvalidOAuthToken and the underlying cause when
// verification or claim parsing fails, ErrUserNotAllowed when checkAllowed
// rejects the user, and nil otherwise.
func (auth *OIDCProvider) CheckToken(r *http.Request) error {
	cookieName := auth.getAppScopedCookieName(CookieOauthToken)
	cookie, cookieErr := r.Cookie(cookieName)
	if cookieErr != nil {
		return ErrMissingOAuthToken
	}

	// The cookie value is client-controlled, so nothing is read from it
	// until the verifier has accepted it.
	// NOTE(review): what Verify enforces (issuer, audience, expiry) depends on
	// how oidcVerifier is constructed, which is not visible here. Confirm.
	verified, verifyErr := auth.oidcVerifier.Verify(r.Context(), cookie.Value)
	if verifyErr != nil {
		// The wrapped cause carries verifier detail; presumably callers log it
		// rather than return it to the client. Verify at the call sites.
		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, verifyErr)
	}

	// Claims are parsed from the verified token only, so the allow check
	// below never sees values from an unverified token.
	userClaims, parseErr := parseClaims(verified)
	if parseErr != nil {
		return fmt.Errorf("%w: %w", ErrInvalidOAuthToken, parseErr)
	}

	if allowed := auth.checkAllowed(userClaims.Username, userClaims.Groups); allowed {
		return nil
	}
	return ErrUserNotAllowed
}
| 316 | |
| 317 | func (auth *OIDCProvider) PostAuthCallbackHandler(w http.ResponseWriter, r *http.Request) { |
| 318 | // For testing purposes, skip provider verification |