build(deps): bump github.com/coreos/go-oidc/v3 from 3.19.0 to 3.20.0

Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.19.0 to 3.20.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](https://github.com/coreos/go-oidc/compare/v3.19.0...v3.20.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
This commit is contained in:
dependabot[bot]
2026-07-09 14:43:57 +00:00
committed by Ralf Haferkamp
parent e5105ab33f
commit e992f952d3
9 changed files with 271 additions and 49 deletions

2
go.mod
View File

@@ -13,7 +13,7 @@ require (
github.com/beevik/etree v1.6.0
github.com/blevesearch/bleve/v2 v2.6.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/coreos/go-oidc/v3 v3.19.0
github.com/coreos/go-oidc/v3 v3.20.0
github.com/cs3org/go-cs3apis v0.0.0-20260424072047-8d9ef7076ae9
github.com/davidbyttow/govips/v2 v2.18.0
github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8

4
go.sum
View File

@@ -238,8 +238,8 @@ github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6a
github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-oidc/v3 v3.19.0 h1:F/xyOi3x1UnG1U27YVnM1N6bHiL1K2upi6U/0qr8r+I=
github.com/coreos/go-oidc/v3 v3.19.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
github.com/coreos/go-oidc/v3 v3.20.0 h1:EtE0WIBHk03N+DqGkY4+UONzzZHk7amKt6IyNd7OsZE=
github.com/coreos/go-oidc/v3 v3.20.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=

65
vendor/github.com/coreos/go-oidc/v3/oidc/doc.go generated vendored Normal file
View File

@@ -0,0 +1,65 @@
// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
//
// Construct a [Provider] and [oauth2.Config] through the identity provider's
// discovery document with [NewProvider], and construct an ID Token verifier
// with [Provider.Verifier]:
//
// provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
// if err != nil {
// // handle error
// }
//
// // Configure an OpenID Connect aware OAuth2 client.
// oauth2Config := oauth2.Config{
// ClientID: clientID,
// ClientSecret: clientSecret,
// RedirectURL: redirectURL,
// // Discovery returns the OAuth2 endpoints.
// Endpoint: provider.Endpoint(),
// // "openid" is a required scope for OpenID Connect flows.
// Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
// }
//
// idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: clientID})
//
// OAuth 2.0 redirects then opt into the OpenID Connect flow with [ScopeOpenID]:
//
// func handleRedirect(w http.ResponseWriter, r *http.Request) {
// http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
// }
//
// When handling an OAuth 2.0 response, an [IDTokenVerifier] can be used to
// validate the "id_token" payload, containing well-known fields such as the
// user's email, name, and picture URL:
//
// func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
// // Verify state and other OAuth 2.0 responses.
//
// // Perform standard token exchange.
// oauth2Token, err := oauth2Config.Exchange(r.Context(), r.URL.Query().Get("code"))
// if err != nil {
// // ...
// }
// // Extract the ID Token from OAuth2 token.
// rawIDToken, ok := oauth2Token.Extra("id_token").(string)
// if !ok {
// // ...
// }
// // Parse and verify ID Token payload.
// idToken, err := idTokenVerifier.Verify(r.Context(), rawIDToken)
// if err != nil {
// // ...
// }
// // Parse well-known claims from the token.
// // https://openid.net/specs/openid-connect-core-1_0.html#Claims
// var claims struct {
// Email string `json:"email"`
// EmailVerified bool `json:"email_verified"`
// Name string `json:"name"`
// Picture string `json:"picture"`
// }
// if err := idToken.Claims(&claims); err != nil {
// // ...
// }
// }
package oidc

View File

@@ -30,3 +30,11 @@ var allAlgs = []jose.SignatureAlgorithm{
jose.PS512,
jose.EdDSA,
}
var supportedJOSEAlgs = map[string]bool{}
func init() {
for _, alg := range allAlgs {
supportedJOSEAlgs[string(alg)] = true
}
}

View File

@@ -6,6 +6,7 @@ import (
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"encoding/json"
"errors"
"fmt"
"io"
@@ -17,8 +18,8 @@ import (
// StaticKeySet is a verifier that validates JWT against a static set of public keys.
type StaticKeySet struct {
// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey and
// *ecdsa.PublicKey.
// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey,
// *ecdsa.PublicKey, and ed25519.PublicKey.
PublicKeys []crypto.PublicKey
}
@@ -53,8 +54,10 @@ func (s *StaticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte,
// exposed for providers that don't support discovery or to prevent round trips to the
// discovery URL.
//
// The returned KeySet is a long lived verifier that caches keys based on any
// keys change. Reuse a common remote key set instead of creating new ones as needed.
// The returned KeySet is a long lived verifier that caches keys in memory,
// re-fetching from the remote URL when it encounters a key ID it hasn't seen.
// Reuse a single remote key set rather than creating a new one for each
// verification.
func NewRemoteKeySet(ctx context.Context, jwksURL string) *RemoteKeySet {
return newRemoteKeySet(ctx, jwksURL)
}
@@ -123,7 +126,7 @@ func (i *inflight) result() ([]jose.JSONWebKey, error) {
return i.keys, i.err
}
// paresdJWTKey is a context key that allows common setups to avoid parsing the
// parsedJWTKey is a context key that allows common setups to avoid parsing the
// JWT twice. It holds a *jose.JSONWebSignature value.
var parsedJWTKey contextKey
@@ -233,6 +236,55 @@ func (r *RemoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, e
}
}
// jwkJSON implements custom logic for unmarshaling JSON Web Key Sets.
type jwkJSON struct {
Keys []jose.JSONWebKey
}
func (j *jwkJSON) UnmarshalJSON(data []byte) error {
var raw struct {
Keys []json.RawMessage `json:"keys"`
}
if err := json.Unmarshal(data, &raw); err != nil {
return err
}
// For each key, attempt to determine if the algorithm is supported before
// unmarshaling the key. This allows us to ignore keys with unsupported
// algorithms, rather than failing to load the entire set.
for _, key := range raw.Keys {
var metadata struct {
Alg string `json:"alg"`
}
if err := json.Unmarshal(key, &metadata); err != nil {
return err
}
if metadata.Alg != "" {
// Algorithms are technically optional, but if the key advertises an
// algorithm we don't support, ignore it rather than failing to load
// the entire key set.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
//
// This skip is currently implemented due to secp256k1, which some
// providers use for signing with "ES256K". While we could also
// ignore the curve, this seems like a more general check in case
// providers start throwing in post-quantum algorithims or something
// like that.
//
// https://github.com/coreos/go-oidc/issues/490
if !supportedJOSEAlgs[metadata.Alg] {
continue
}
}
var jwk jose.JSONWebKey
if err := json.Unmarshal(key, &jwk); err != nil {
return err
}
j.Keys = append(j.Keys, jwk)
}
return nil
}
func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {
req, err := http.NewRequest("GET", r.jwksURL, nil)
if err != nil {
@@ -255,7 +307,7 @@ func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {
return nil, fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
}
var keySet jose.JSONWebKeySet
var keySet jwkJSON
err = unmarshalResp(resp, body, &keySet)
if err != nil {
return nil, fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)

View File

@@ -5,6 +5,7 @@ import (
"encoding/json"
"errors"
"fmt"
"slices"
"time"
)
@@ -37,7 +38,7 @@ type LogoutToken struct {
Expiry time.Time
// Optional session ID claim ("sid").
//
// The exact semantics of session IDs very between identity providers. Use
// The exact semantics of session IDs vary between identity providers. Use
// your provider's documentation to determine what this correlates to and
// how it should be handled.
SessionID string
@@ -98,7 +99,7 @@ type logoutTokenJSON struct {
// }
// verifier := provider.Verifier(oidcConfig)
//
// mux.HandleFunc("POST /logout", func(w http.ResponseWriter, r *http.Reequest) {
// mux.HandleFunc("POST /logout", func(w http.ResponseWriter, r *http.Request) {
// rawLogoutToken := r.PostFormValue("logout_token")
// if rawLogoutToken == "" {
// // ...
@@ -163,7 +164,7 @@ func (v *IDTokenVerifier) VerifyLogout(ctx context.Context, rawLogoutToken strin
if !v.config.SkipClientIDCheck {
if v.config.ClientID != "" {
if !contains(t.Audience, v.config.ClientID) {
if !slices.Contains(t.Audience, v.config.ClientID) {
return nil, fmt.Errorf("oidc: expected logout token audience %q got %q", v.config.ClientID, t.Audience)
}
} else {

View File

@@ -1,4 +1,3 @@
// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
package oidc
import (
@@ -24,6 +23,26 @@ const (
// ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.
ScopeOpenID = "openid"
// ScopeProfile can be used to request information about the user's profile,
// such as "name", "picture", etc.
//
// The exact set of claims supported by identity providers differs widely,
// though "name" and "picture" are commonly returned.
//
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
ScopeProfile = "profile"
// ScopeEmail can be used to request the user's email address through the
// "email" and "email_verified" claims.
//
// What it means to verify an email isn't well defined. Clients can
// generally throw out emails when the "emvail_verified" claim is false, but
// should consult identity provider specific docs if attempting to ensure
// that the user controls the returned email address.
//
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
ScopeEmail = "email"
// ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting
// OAuth2 refresh tokens.
//
@@ -92,7 +111,24 @@ func doRequest(ctx context.Context, req *http.Request) (*http.Response, error) {
return client.Do(req.WithContext(ctx))
}
// Provider represents an OpenID Connect server's configuration.
// Provider represents an OpenID Connect server's configuration, fetched from
// the discovery document.
//
// To access fields in the discovery document that aren't exposed directly
// through this package's API, use the [Provider.Claims] method. For example, to
// access the registration or end session endpoints:
//
// p, err := oidc.NewProvider(ctx, "https://issuer.example.com")
// if err != nil {
// // ...
// }
// var metadata struct {
// EndSessionEndpoint string `json:"end_session_endpoint"`
// RegistrationEndpoint string `json:"registration_endpoint"`
// }
// if err := p.Claims(&metadata); err != nil {
// // ...
// }
type Provider struct {
issuer string
authURL string
@@ -213,6 +249,8 @@ type ProviderConfig struct {
//
// The provided context is only used for [http.Client] configuration through
// [ClientContext], not cancelation.
//
// For providers that implement discovery, use [NewProvider] instead.
func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
return &Provider{
issuer: p.IssuerURL,
@@ -226,12 +264,36 @@ func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
}
}
// IssuerMismatchError is returned by [NewProvider] when the "iss" value
// reported by the upstream is different than the expected value.
//
// Issuer mismatches can occur due to trailing slashes ("https://example.com"
// vs. "https://example.com/") or represent significant misconfiguration for
// multi-tenant issuers.
//
// Issuers must match exactly as they are also used to validate ID Tokens.
//
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
type IssuerMismatchError struct {
// The value provided to this package. The expected value.
Provided string
// The value advertised by the discovery document.
Discovered string
}
func (e *IssuerMismatchError) Error() string {
return fmt.Sprintf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", e.Provided, e.Discovered)
}
// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
// The issuer is the URL identifier for the service. For example: "https://accounts.google.com"
// or "https://login.salesforce.com".
//
// If the "iss" value returned in the discovery document doesn't match the value
// provided here, [IssuerMismatchError] is returned.
//
// OpenID Connect providers that don't implement discovery or host the discovery
// document at a non-spec complaint path (such as requiring a URL parameter),
// document at a non-spec compliant path (such as requiring a URL parameter),
// should use [ProviderConfig] instead.
//
// See: https://openid.net/specs/openid-connect-discovery-1_0.html
@@ -267,7 +329,10 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
issuerURL = issuer
}
if p.Issuer != issuerURL && !skipIssuerValidation {
return nil, fmt.Errorf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", issuer, p.Issuer)
return nil, &IssuerMismatchError{
Provided: issuerURL,
Discovered: p.Issuer,
}
}
var algs []string
for _, a := range p.Algorithms {
@@ -301,7 +366,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
//
// For a list of fields defined by the OpenID Connect spec see:
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func (p *Provider) Claims(v interface{}) error {
func (p *Provider) Claims(v any) error {
if p.rawClaims == nil {
return errors.New("oidc: claims not set")
}
@@ -340,7 +405,7 @@ type userInfoRaw struct {
}
// Claims unmarshals the raw JSON object claims into the provided object.
func (u *UserInfo) Claims(v interface{}) error {
func (u *UserInfo) Claims(v any) error {
if u.claims == nil {
return errors.New("oidc: claims not set")
}
@@ -348,6 +413,44 @@ func (u *UserInfo) Claims(v interface{}) error {
}
// UserInfo uses the token source to query the provider's user info endpoint.
//
// It's fewer round trips and better supported to validate the ID Token with
// [Provider.Verifier], rather than using the UserInfo endpoint. The ID Token
// contains all information [UserInfo] provides:
//
// p, err := oidc.NewProvider(ctx, "https://issuer.example.com")
// if err != nil {
// // ...
// }
// config := &oidc.Config{
// ClientID: clientID,
// }
// v := p.Verifier(config)
// http.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
// oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
// if err != nil {
// // ...
// }
// rawIDToken, ok := oauth2Token.Extra("id_token").(string)
// if !ok {
// // ...
// }
// idToken, err := verifier.Verify(ctx, rawIDToken)
// if err != nil {
// // ...
// }
// // https://openid.net/specs/openid-connect-core-1_0.html#Claims
// var claims struct {
// Email string `json:"email"`
// EmailVerified bool `json:"email_verified"`
// Name string `json:"name"`
// Picture string `json:"picture"`
// }
// if err := idToken.Claims(&claims); err != nil {
// // ...
// }
// // Use claims...
// })
func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) {
if p.userInfoURL == "" {
return nil, errors.New("oidc: user info endpoint is not supported by this provider")
@@ -425,7 +528,7 @@ type IDToken struct {
// A unique string which identifies the end user.
Subject string
// Expiry of the token. Ths package will not process tokens that have
// Expiry of the token. This package will not process tokens that have
// expired unless that validation is explicitly turned off.
Expiry time.Time
// When the token was issued by the provider.
@@ -433,7 +536,7 @@ type IDToken struct {
// Initial nonce provided during the authentication redirect.
//
// This package does NOT provided verification on the value of this field
// This package does NOT provide verification on the value of this field
// and it's the user's responsibility to ensure it contains a valid value.
Nonce string
@@ -465,15 +568,15 @@ type IDToken struct {
// if err := idToken.Claims(&claims); err != nil {
// // handle error
// }
func (i *IDToken) Claims(v interface{}) error {
func (i *IDToken) Claims(v any) error {
if i.claims == nil {
return errors.New("oidc: claims not set")
}
return json.Unmarshal(i.claims, v)
}
// VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token
// matches the hash in the id token. It returns an error if the hashes don't match.
// VerifyAccessToken verifies that the hash of the access token that corresponds to the ID token
// matches the hash in the ID token. It returns an error if the hashes don't match.
// It is the caller's responsibility to ensure that the optional access token hash is present for the ID token
// before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
func (i *IDToken) VerifyAccessToken(accessToken string) error {
@@ -570,7 +673,7 @@ func (j *jsonTime) UnmarshalJSON(b []byte) error {
return nil
}
func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
func unmarshalResp(r *http.Response, body []byte, v any) error {
err := json.Unmarshal(body, &v)
if err == nil {
return nil

View File

@@ -6,6 +6,7 @@ import (
"fmt"
"io"
"net/http"
"slices"
"time"
jose "github.com/go-jose/go-jose/v4"
@@ -17,10 +18,10 @@ const (
issuerGoogleAccountsNoScheme = "accounts.google.com"
)
// TokenExpiredError indicates that Verify or VerifyLogout failed because the
// token was expired. This error does NOT indicate that the token is not also
// invalid for other reasons. Other checks might have failed if the expiration
// check had not failed.
// TokenExpiredError indicates that [IDTokenVerifier.Verify] or
// [IDTokenVerifier.VerifyLogout] failed because the token was expired. This
// error does NOT indicate that the token is not also invalid for other reasons.
// Other checks might have failed if the expiration check had not failed.
type TokenExpiredError struct {
// Expiry is the time when the token expired.
Expiry time.Time
@@ -30,7 +31,7 @@ func (e *TokenExpiredError) Error() string {
return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
}
// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
// KeySet is a set of public JSON Web Keys that can be used to validate the signature
// of JSON web tokens. This is expected to be backed by a remote key set through
// provider metadata discovery or an in-memory set of keys delivered out-of-band.
type KeySet interface {
@@ -55,8 +56,8 @@ type IDTokenVerifier struct {
// NewVerifier returns a verifier manually constructed from a key set and issuer URL.
//
// It's easier to use provider discovery to construct an IDTokenVerifier than creating
// one directly. This method is intended to be used with provider that don't support
// metadata discovery, or avoiding round trips when the key set URL is already known.
// one directly. This method is intended to be used with providers that don't support
// metadata discovery, or to avoid round trips when the key set URL is already known.
//
// This constructor can be used to create a verifier directly using the issuer URL and
// JSON Web Key Set URL without using discovery:
@@ -82,8 +83,8 @@ type Config struct {
ClientID string
// If specified, only this set of algorithms may be used to sign the JWT.
//
// If the IDTokenVerifier is created from a provider with (*Provider).Verifier, this
// defaults to the set of algorithms the provider supports. Otherwise this values
// If the IDTokenVerifier is created from a provider with [Provider.Verifier], this
// defaults to the set of algorithms the provider supports. Otherwise this value
// defaults to RS256.
SupportedSigningAlgs []string
@@ -92,7 +93,7 @@ type Config struct {
// If true, token expiry is not checked.
SkipExpiryCheck bool
// SkipIssuerCheck is intended for specialized cases where the the caller wishes to
// SkipIssuerCheck is intended for specialized cases where the caller wishes to
// defer issuer validation. When enabled, callers MUST independently verify the Token's
// Issuer is a known good value.
//
@@ -117,8 +118,9 @@ type Config struct {
}
// VerifierContext returns an IDTokenVerifier that uses the provider's key set to
// verify JWTs. As opposed to Verifier, the context is used to configure requests
// to the upstream JWKs endpoint. The provided context's cancellation is ignored.
// verify JWTs. As opposed to [Provider.Verifier], the context is used to configure
// requests to the upstream JWKs endpoint. The provided context's cancellation is
// ignored.
func (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDTokenVerifier {
return p.newVerifier(NewRemoteKeySet(ctx, p.jwksURL), config)
}
@@ -126,7 +128,7 @@ func (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDToken
// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
//
// The returned verifier uses a background context for all requests to the upstream
// JWKs endpoint. To control that context, use VerifierContext instead.
// JWKs endpoint. To control that context, use [Provider.VerifierContext] instead.
func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
return p.newVerifier(p.remoteKeySet(), config)
}
@@ -142,15 +144,6 @@ func (p *Provider) newVerifier(keySet KeySet, config *Config) *IDTokenVerifier {
return NewVerifier(p.issuer, keySet, config)
}
func contains(sli []string, ele string) bool {
for _, s := range sli {
if s == ele {
return true
}
}
return false
}
// Returns the Claims from the distributed JWT token
func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src claimSource) ([]byte, error) {
req, err := http.NewRequest("GET", src.Endpoint, nil)
@@ -187,7 +180,7 @@ func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src
// Verify parses a raw ID Token, verifies it's been signed by the provider, performs
// any additional checks depending on the Config, and returns the payload.
//
// Verify does NOT do nonce validation, which is the callers responsibility.
// Verify does NOT do nonce validation, which is the caller's responsibility.
//
// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
@@ -257,7 +250,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
// This check DOES NOT ensure that the ClientID is the party to which the ID Token was issued (i.e. Authorized party).
if !v.config.SkipClientIDCheck {
if v.config.ClientID != "" {
if !contains(t.Audience, v.config.ClientID) {
if !slices.Contains(t.Audience, v.config.ClientID) {
return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
}
} else {

2
vendor/modules.txt vendored
View File

@@ -292,7 +292,7 @@ github.com/containerd/log
# github.com/containerd/platforms v1.0.0-rc.2
## explicit; go 1.20
github.com/containerd/platforms
# github.com/coreos/go-oidc/v3 v3.19.0
# github.com/coreos/go-oidc/v3 v3.20.0
## explicit; go 1.25.0
github.com/coreos/go-oidc/v3/oidc
# github.com/coreos/go-semver v0.3.1