mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-07-13 00:52:01 -04:00
build(deps): bump github.com/coreos/go-oidc/v3 from 3.19.0 to 3.20.0
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.19.0 to 3.20.0. - [Release notes](https://github.com/coreos/go-oidc/releases) - [Commits](https://github.com/coreos/go-oidc/compare/v3.19.0...v3.20.0) --- updated-dependencies: - dependency-name: github.com/coreos/go-oidc/v3 dependency-version: 3.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
This commit is contained in:
committed by
Ralf Haferkamp
parent
e5105ab33f
commit
e992f952d3
2
go.mod
2
go.mod
@@ -13,7 +13,7 @@ require (
|
||||
github.com/beevik/etree v1.6.0
|
||||
github.com/blevesearch/bleve/v2 v2.6.0
|
||||
github.com/cenkalti/backoff v2.2.1+incompatible
|
||||
github.com/coreos/go-oidc/v3 v3.19.0
|
||||
github.com/coreos/go-oidc/v3 v3.20.0
|
||||
github.com/cs3org/go-cs3apis v0.0.0-20260424072047-8d9ef7076ae9
|
||||
github.com/davidbyttow/govips/v2 v2.18.0
|
||||
github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
|
||||
|
||||
4
go.sum
4
go.sum
@@ -238,8 +238,8 @@ github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6a
|
||||
github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-oidc/v3 v3.19.0 h1:F/xyOi3x1UnG1U27YVnM1N6bHiL1K2upi6U/0qr8r+I=
|
||||
github.com/coreos/go-oidc/v3 v3.19.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
|
||||
github.com/coreos/go-oidc/v3 v3.20.0 h1:EtE0WIBHk03N+DqGkY4+UONzzZHk7amKt6IyNd7OsZE=
|
||||
github.com/coreos/go-oidc/v3 v3.20.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
|
||||
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
|
||||
github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
|
||||
github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
|
||||
|
||||
65
vendor/github.com/coreos/go-oidc/v3/oidc/doc.go
generated
vendored
Normal file
65
vendor/github.com/coreos/go-oidc/v3/oidc/doc.go
generated
vendored
Normal file
@@ -0,0 +1,65 @@
|
||||
// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
|
||||
//
|
||||
// Construct a [Provider] and [oauth2.Config] through the identity provider's
|
||||
// discovery document with [NewProvider], and construct an ID Token verifier
|
||||
// with [Provider.Verifier]:
|
||||
//
|
||||
// provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
|
||||
// if err != nil {
|
||||
// // handle error
|
||||
// }
|
||||
//
|
||||
// // Configure an OpenID Connect aware OAuth2 client.
|
||||
// oauth2Config := oauth2.Config{
|
||||
// ClientID: clientID,
|
||||
// ClientSecret: clientSecret,
|
||||
// RedirectURL: redirectURL,
|
||||
// // Discovery returns the OAuth2 endpoints.
|
||||
// Endpoint: provider.Endpoint(),
|
||||
// // "openid" is a required scope for OpenID Connect flows.
|
||||
// Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
|
||||
// }
|
||||
//
|
||||
// idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: clientID})
|
||||
//
|
||||
// OAuth 2.0 redirects then opt into the OpenID Connect flow with [ScopeOpenID]:
|
||||
//
|
||||
// func handleRedirect(w http.ResponseWriter, r *http.Request) {
|
||||
// http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
|
||||
// }
|
||||
//
|
||||
// When handling an OAuth 2.0 response, an [IDTokenVerifier] can be used to
|
||||
// validate the "id_token" payload, containing well-known fields such as the
|
||||
// user's email, name, and picture URL:
|
||||
//
|
||||
// func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
|
||||
// // Verify state and other OAuth 2.0 responses.
|
||||
//
|
||||
// // Perform standard token exchange.
|
||||
// oauth2Token, err := oauth2Config.Exchange(r.Context(), r.URL.Query().Get("code"))
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// // Extract the ID Token from OAuth2 token.
|
||||
// rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
||||
// if !ok {
|
||||
// // ...
|
||||
// }
|
||||
// // Parse and verify ID Token payload.
|
||||
// idToken, err := idTokenVerifier.Verify(r.Context(), rawIDToken)
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// // Parse well-known claims from the token.
|
||||
// // https://openid.net/specs/openid-connect-core-1_0.html#Claims
|
||||
// var claims struct {
|
||||
// Email string `json:"email"`
|
||||
// EmailVerified bool `json:"email_verified"`
|
||||
// Name string `json:"name"`
|
||||
// Picture string `json:"picture"`
|
||||
// }
|
||||
// if err := idToken.Claims(&claims); err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// }
|
||||
package oidc
|
||||
8
vendor/github.com/coreos/go-oidc/v3/oidc/jose.go
generated
vendored
8
vendor/github.com/coreos/go-oidc/v3/oidc/jose.go
generated
vendored
@@ -30,3 +30,11 @@ var allAlgs = []jose.SignatureAlgorithm{
|
||||
jose.PS512,
|
||||
jose.EdDSA,
|
||||
}
|
||||
|
||||
var supportedJOSEAlgs = map[string]bool{}
|
||||
|
||||
func init() {
|
||||
for _, alg := range allAlgs {
|
||||
supportedJOSEAlgs[string(alg)] = true
|
||||
}
|
||||
}
|
||||
|
||||
64
vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
generated
vendored
64
vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
generated
vendored
@@ -6,6 +6,7 @@ import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/rsa"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
@@ -17,8 +18,8 @@ import (
|
||||
|
||||
// StaticKeySet is a verifier that validates JWT against a static set of public keys.
|
||||
type StaticKeySet struct {
|
||||
// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey and
|
||||
// *ecdsa.PublicKey.
|
||||
// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey,
|
||||
// *ecdsa.PublicKey, and ed25519.PublicKey.
|
||||
PublicKeys []crypto.PublicKey
|
||||
}
|
||||
|
||||
@@ -53,8 +54,10 @@ func (s *StaticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte,
|
||||
// exposed for providers that don't support discovery or to prevent round trips to the
|
||||
// discovery URL.
|
||||
//
|
||||
// The returned KeySet is a long lived verifier that caches keys based on any
|
||||
// keys change. Reuse a common remote key set instead of creating new ones as needed.
|
||||
// The returned KeySet is a long lived verifier that caches keys in memory,
|
||||
// re-fetching from the remote URL when it encounters a key ID it hasn't seen.
|
||||
// Reuse a single remote key set rather than creating a new one for each
|
||||
// verification.
|
||||
func NewRemoteKeySet(ctx context.Context, jwksURL string) *RemoteKeySet {
|
||||
return newRemoteKeySet(ctx, jwksURL)
|
||||
}
|
||||
@@ -123,7 +126,7 @@ func (i *inflight) result() ([]jose.JSONWebKey, error) {
|
||||
return i.keys, i.err
|
||||
}
|
||||
|
||||
// paresdJWTKey is a context key that allows common setups to avoid parsing the
|
||||
// parsedJWTKey is a context key that allows common setups to avoid parsing the
|
||||
// JWT twice. It holds a *jose.JSONWebSignature value.
|
||||
var parsedJWTKey contextKey
|
||||
|
||||
@@ -233,6 +236,55 @@ func (r *RemoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, e
|
||||
}
|
||||
}
|
||||
|
||||
// jwkJSON implements custom logic for unmarshaling JSON Web Key Sets.
|
||||
type jwkJSON struct {
|
||||
Keys []jose.JSONWebKey
|
||||
}
|
||||
|
||||
func (j *jwkJSON) UnmarshalJSON(data []byte) error {
|
||||
var raw struct {
|
||||
Keys []json.RawMessage `json:"keys"`
|
||||
}
|
||||
if err := json.Unmarshal(data, &raw); err != nil {
|
||||
return err
|
||||
}
|
||||
// For each key, attempt to determine if the algorithm is supported before
|
||||
// unmarshaling the key. This allows us to ignore keys with unsupported
|
||||
// algorithms, rather than failing to load the entire set.
|
||||
for _, key := range raw.Keys {
|
||||
var metadata struct {
|
||||
Alg string `json:"alg"`
|
||||
}
|
||||
if err := json.Unmarshal(key, &metadata); err != nil {
|
||||
return err
|
||||
}
|
||||
if metadata.Alg != "" {
|
||||
// Algorithms are technically optional, but if the key advertises an
|
||||
// algorithm we don't support, ignore it rather than failing to load
|
||||
// the entire key set.
|
||||
//
|
||||
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
|
||||
//
|
||||
// This skip is currently implemented due to secp256k1, which some
|
||||
// providers use for signing with "ES256K". While we could also
|
||||
// ignore the curve, this seems like a more general check in case
|
||||
// providers start throwing in post-quantum algorithims or something
|
||||
// like that.
|
||||
//
|
||||
// https://github.com/coreos/go-oidc/issues/490
|
||||
if !supportedJOSEAlgs[metadata.Alg] {
|
||||
continue
|
||||
}
|
||||
}
|
||||
var jwk jose.JSONWebKey
|
||||
if err := json.Unmarshal(key, &jwk); err != nil {
|
||||
return err
|
||||
}
|
||||
j.Keys = append(j.Keys, jwk)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {
|
||||
req, err := http.NewRequest("GET", r.jwksURL, nil)
|
||||
if err != nil {
|
||||
@@ -255,7 +307,7 @@ func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {
|
||||
return nil, fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
|
||||
}
|
||||
|
||||
var keySet jose.JSONWebKeySet
|
||||
var keySet jwkJSON
|
||||
err = unmarshalResp(resp, body, &keySet)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
|
||||
|
||||
7
vendor/github.com/coreos/go-oidc/v3/oidc/logout.go
generated
vendored
7
vendor/github.com/coreos/go-oidc/v3/oidc/logout.go
generated
vendored
@@ -5,6 +5,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"slices"
|
||||
"time"
|
||||
)
|
||||
|
||||
@@ -37,7 +38,7 @@ type LogoutToken struct {
|
||||
Expiry time.Time
|
||||
// Optional session ID claim ("sid").
|
||||
//
|
||||
// The exact semantics of session IDs very between identity providers. Use
|
||||
// The exact semantics of session IDs vary between identity providers. Use
|
||||
// your provider's documentation to determine what this correlates to and
|
||||
// how it should be handled.
|
||||
SessionID string
|
||||
@@ -98,7 +99,7 @@ type logoutTokenJSON struct {
|
||||
// }
|
||||
// verifier := provider.Verifier(oidcConfig)
|
||||
//
|
||||
// mux.HandleFunc("POST /logout", func(w http.ResponseWriter, r *http.Reequest) {
|
||||
// mux.HandleFunc("POST /logout", func(w http.ResponseWriter, r *http.Request) {
|
||||
// rawLogoutToken := r.PostFormValue("logout_token")
|
||||
// if rawLogoutToken == "" {
|
||||
// // ...
|
||||
@@ -163,7 +164,7 @@ func (v *IDTokenVerifier) VerifyLogout(ctx context.Context, rawLogoutToken strin
|
||||
|
||||
if !v.config.SkipClientIDCheck {
|
||||
if v.config.ClientID != "" {
|
||||
if !contains(t.Audience, v.config.ClientID) {
|
||||
if !slices.Contains(t.Audience, v.config.ClientID) {
|
||||
return nil, fmt.Errorf("oidc: expected logout token audience %q got %q", v.config.ClientID, t.Audience)
|
||||
}
|
||||
} else {
|
||||
|
||||
127
vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
generated
vendored
127
vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
generated
vendored
@@ -1,4 +1,3 @@
|
||||
// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
|
||||
package oidc
|
||||
|
||||
import (
|
||||
@@ -24,6 +23,26 @@ const (
|
||||
// ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.
|
||||
ScopeOpenID = "openid"
|
||||
|
||||
// ScopeProfile can be used to request information about the user's profile,
|
||||
// such as "name", "picture", etc.
|
||||
//
|
||||
// The exact set of claims supported by identity providers differs widely,
|
||||
// though "name" and "picture" are commonly returned.
|
||||
//
|
||||
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
|
||||
ScopeProfile = "profile"
|
||||
|
||||
// ScopeEmail can be used to request the user's email address through the
|
||||
// "email" and "email_verified" claims.
|
||||
//
|
||||
// What it means to verify an email isn't well defined. Clients can
|
||||
// generally throw out emails when the "emvail_verified" claim is false, but
|
||||
// should consult identity provider specific docs if attempting to ensure
|
||||
// that the user controls the returned email address.
|
||||
//
|
||||
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
|
||||
ScopeEmail = "email"
|
||||
|
||||
// ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting
|
||||
// OAuth2 refresh tokens.
|
||||
//
|
||||
@@ -92,7 +111,24 @@ func doRequest(ctx context.Context, req *http.Request) (*http.Response, error) {
|
||||
return client.Do(req.WithContext(ctx))
|
||||
}
|
||||
|
||||
// Provider represents an OpenID Connect server's configuration.
|
||||
// Provider represents an OpenID Connect server's configuration, fetched from
|
||||
// the discovery document.
|
||||
//
|
||||
// To access fields in the discovery document that aren't exposed directly
|
||||
// through this package's API, use the [Provider.Claims] method. For example, to
|
||||
// access the registration or end session endpoints:
|
||||
//
|
||||
// p, err := oidc.NewProvider(ctx, "https://issuer.example.com")
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// var metadata struct {
|
||||
// EndSessionEndpoint string `json:"end_session_endpoint"`
|
||||
// RegistrationEndpoint string `json:"registration_endpoint"`
|
||||
// }
|
||||
// if err := p.Claims(&metadata); err != nil {
|
||||
// // ...
|
||||
// }
|
||||
type Provider struct {
|
||||
issuer string
|
||||
authURL string
|
||||
@@ -213,6 +249,8 @@ type ProviderConfig struct {
|
||||
//
|
||||
// The provided context is only used for [http.Client] configuration through
|
||||
// [ClientContext], not cancelation.
|
||||
//
|
||||
// For providers that implement discovery, use [NewProvider] instead.
|
||||
func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
|
||||
return &Provider{
|
||||
issuer: p.IssuerURL,
|
||||
@@ -226,12 +264,36 @@ func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
|
||||
}
|
||||
}
|
||||
|
||||
// IssuerMismatchError is returned by [NewProvider] when the "iss" value
|
||||
// reported by the upstream is different than the expected value.
|
||||
//
|
||||
// Issuer mismatches can occur due to trailing slashes ("https://example.com"
|
||||
// vs. "https://example.com/") or represent significant misconfiguration for
|
||||
// multi-tenant issuers.
|
||||
//
|
||||
// Issuers must match exactly as they are also used to validate ID Tokens.
|
||||
//
|
||||
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
||||
type IssuerMismatchError struct {
|
||||
// The value provided to this package. The expected value.
|
||||
Provided string
|
||||
// The value advertised by the discovery document.
|
||||
Discovered string
|
||||
}
|
||||
|
||||
func (e *IssuerMismatchError) Error() string {
|
||||
return fmt.Sprintf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", e.Provided, e.Discovered)
|
||||
}
|
||||
|
||||
// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
|
||||
// The issuer is the URL identifier for the service. For example: "https://accounts.google.com"
|
||||
// or "https://login.salesforce.com".
|
||||
//
|
||||
// If the "iss" value returned in the discovery document doesn't match the value
|
||||
// provided here, [IssuerMismatchError] is returned.
|
||||
//
|
||||
// OpenID Connect providers that don't implement discovery or host the discovery
|
||||
// document at a non-spec complaint path (such as requiring a URL parameter),
|
||||
// document at a non-spec compliant path (such as requiring a URL parameter),
|
||||
// should use [ProviderConfig] instead.
|
||||
//
|
||||
// See: https://openid.net/specs/openid-connect-discovery-1_0.html
|
||||
@@ -267,7 +329,10 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
|
||||
issuerURL = issuer
|
||||
}
|
||||
if p.Issuer != issuerURL && !skipIssuerValidation {
|
||||
return nil, fmt.Errorf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", issuer, p.Issuer)
|
||||
return nil, &IssuerMismatchError{
|
||||
Provided: issuerURL,
|
||||
Discovered: p.Issuer,
|
||||
}
|
||||
}
|
||||
var algs []string
|
||||
for _, a := range p.Algorithms {
|
||||
@@ -301,7 +366,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
|
||||
//
|
||||
// For a list of fields defined by the OpenID Connect spec see:
|
||||
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
||||
func (p *Provider) Claims(v interface{}) error {
|
||||
func (p *Provider) Claims(v any) error {
|
||||
if p.rawClaims == nil {
|
||||
return errors.New("oidc: claims not set")
|
||||
}
|
||||
@@ -340,7 +405,7 @@ type userInfoRaw struct {
|
||||
}
|
||||
|
||||
// Claims unmarshals the raw JSON object claims into the provided object.
|
||||
func (u *UserInfo) Claims(v interface{}) error {
|
||||
func (u *UserInfo) Claims(v any) error {
|
||||
if u.claims == nil {
|
||||
return errors.New("oidc: claims not set")
|
||||
}
|
||||
@@ -348,6 +413,44 @@ func (u *UserInfo) Claims(v interface{}) error {
|
||||
}
|
||||
|
||||
// UserInfo uses the token source to query the provider's user info endpoint.
|
||||
//
|
||||
// It's fewer round trips and better supported to validate the ID Token with
|
||||
// [Provider.Verifier], rather than using the UserInfo endpoint. The ID Token
|
||||
// contains all information [UserInfo] provides:
|
||||
//
|
||||
// p, err := oidc.NewProvider(ctx, "https://issuer.example.com")
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// config := &oidc.Config{
|
||||
// ClientID: clientID,
|
||||
// }
|
||||
// v := p.Verifier(config)
|
||||
// http.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
|
||||
// oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
||||
// if !ok {
|
||||
// // ...
|
||||
// }
|
||||
// idToken, err := verifier.Verify(ctx, rawIDToken)
|
||||
// if err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// // https://openid.net/specs/openid-connect-core-1_0.html#Claims
|
||||
// var claims struct {
|
||||
// Email string `json:"email"`
|
||||
// EmailVerified bool `json:"email_verified"`
|
||||
// Name string `json:"name"`
|
||||
// Picture string `json:"picture"`
|
||||
// }
|
||||
// if err := idToken.Claims(&claims); err != nil {
|
||||
// // ...
|
||||
// }
|
||||
// // Use claims...
|
||||
// })
|
||||
func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) {
|
||||
if p.userInfoURL == "" {
|
||||
return nil, errors.New("oidc: user info endpoint is not supported by this provider")
|
||||
@@ -425,7 +528,7 @@ type IDToken struct {
|
||||
// A unique string which identifies the end user.
|
||||
Subject string
|
||||
|
||||
// Expiry of the token. Ths package will not process tokens that have
|
||||
// Expiry of the token. This package will not process tokens that have
|
||||
// expired unless that validation is explicitly turned off.
|
||||
Expiry time.Time
|
||||
// When the token was issued by the provider.
|
||||
@@ -433,7 +536,7 @@ type IDToken struct {
|
||||
|
||||
// Initial nonce provided during the authentication redirect.
|
||||
//
|
||||
// This package does NOT provided verification on the value of this field
|
||||
// This package does NOT provide verification on the value of this field
|
||||
// and it's the user's responsibility to ensure it contains a valid value.
|
||||
Nonce string
|
||||
|
||||
@@ -465,15 +568,15 @@ type IDToken struct {
|
||||
// if err := idToken.Claims(&claims); err != nil {
|
||||
// // handle error
|
||||
// }
|
||||
func (i *IDToken) Claims(v interface{}) error {
|
||||
func (i *IDToken) Claims(v any) error {
|
||||
if i.claims == nil {
|
||||
return errors.New("oidc: claims not set")
|
||||
}
|
||||
return json.Unmarshal(i.claims, v)
|
||||
}
|
||||
|
||||
// VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token
|
||||
// matches the hash in the id token. It returns an error if the hashes don't match.
|
||||
// VerifyAccessToken verifies that the hash of the access token that corresponds to the ID token
|
||||
// matches the hash in the ID token. It returns an error if the hashes don't match.
|
||||
// It is the caller's responsibility to ensure that the optional access token hash is present for the ID token
|
||||
// before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
|
||||
func (i *IDToken) VerifyAccessToken(accessToken string) error {
|
||||
@@ -570,7 +673,7 @@ func (j *jsonTime) UnmarshalJSON(b []byte) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
|
||||
func unmarshalResp(r *http.Response, body []byte, v any) error {
|
||||
err := json.Unmarshal(body, &v)
|
||||
if err == nil {
|
||||
return nil
|
||||
|
||||
41
vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
generated
vendored
41
vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
generated
vendored
@@ -6,6 +6,7 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"slices"
|
||||
"time"
|
||||
|
||||
jose "github.com/go-jose/go-jose/v4"
|
||||
@@ -17,10 +18,10 @@ const (
|
||||
issuerGoogleAccountsNoScheme = "accounts.google.com"
|
||||
)
|
||||
|
||||
// TokenExpiredError indicates that Verify or VerifyLogout failed because the
|
||||
// token was expired. This error does NOT indicate that the token is not also
|
||||
// invalid for other reasons. Other checks might have failed if the expiration
|
||||
// check had not failed.
|
||||
// TokenExpiredError indicates that [IDTokenVerifier.Verify] or
|
||||
// [IDTokenVerifier.VerifyLogout] failed because the token was expired. This
|
||||
// error does NOT indicate that the token is not also invalid for other reasons.
|
||||
// Other checks might have failed if the expiration check had not failed.
|
||||
type TokenExpiredError struct {
|
||||
// Expiry is the time when the token expired.
|
||||
Expiry time.Time
|
||||
@@ -30,7 +31,7 @@ func (e *TokenExpiredError) Error() string {
|
||||
return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
|
||||
}
|
||||
|
||||
// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
|
||||
// KeySet is a set of public JSON Web Keys that can be used to validate the signature
|
||||
// of JSON web tokens. This is expected to be backed by a remote key set through
|
||||
// provider metadata discovery or an in-memory set of keys delivered out-of-band.
|
||||
type KeySet interface {
|
||||
@@ -55,8 +56,8 @@ type IDTokenVerifier struct {
|
||||
// NewVerifier returns a verifier manually constructed from a key set and issuer URL.
|
||||
//
|
||||
// It's easier to use provider discovery to construct an IDTokenVerifier than creating
|
||||
// one directly. This method is intended to be used with provider that don't support
|
||||
// metadata discovery, or avoiding round trips when the key set URL is already known.
|
||||
// one directly. This method is intended to be used with providers that don't support
|
||||
// metadata discovery, or to avoid round trips when the key set URL is already known.
|
||||
//
|
||||
// This constructor can be used to create a verifier directly using the issuer URL and
|
||||
// JSON Web Key Set URL without using discovery:
|
||||
@@ -82,8 +83,8 @@ type Config struct {
|
||||
ClientID string
|
||||
// If specified, only this set of algorithms may be used to sign the JWT.
|
||||
//
|
||||
// If the IDTokenVerifier is created from a provider with (*Provider).Verifier, this
|
||||
// defaults to the set of algorithms the provider supports. Otherwise this values
|
||||
// If the IDTokenVerifier is created from a provider with [Provider.Verifier], this
|
||||
// defaults to the set of algorithms the provider supports. Otherwise this value
|
||||
// defaults to RS256.
|
||||
SupportedSigningAlgs []string
|
||||
|
||||
@@ -92,7 +93,7 @@ type Config struct {
|
||||
// If true, token expiry is not checked.
|
||||
SkipExpiryCheck bool
|
||||
|
||||
// SkipIssuerCheck is intended for specialized cases where the the caller wishes to
|
||||
// SkipIssuerCheck is intended for specialized cases where the caller wishes to
|
||||
// defer issuer validation. When enabled, callers MUST independently verify the Token's
|
||||
// Issuer is a known good value.
|
||||
//
|
||||
@@ -117,8 +118,9 @@ type Config struct {
|
||||
}
|
||||
|
||||
// VerifierContext returns an IDTokenVerifier that uses the provider's key set to
|
||||
// verify JWTs. As opposed to Verifier, the context is used to configure requests
|
||||
// to the upstream JWKs endpoint. The provided context's cancellation is ignored.
|
||||
// verify JWTs. As opposed to [Provider.Verifier], the context is used to configure
|
||||
// requests to the upstream JWKs endpoint. The provided context's cancellation is
|
||||
// ignored.
|
||||
func (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDTokenVerifier {
|
||||
return p.newVerifier(NewRemoteKeySet(ctx, p.jwksURL), config)
|
||||
}
|
||||
@@ -126,7 +128,7 @@ func (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDToken
|
||||
// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
|
||||
//
|
||||
// The returned verifier uses a background context for all requests to the upstream
|
||||
// JWKs endpoint. To control that context, use VerifierContext instead.
|
||||
// JWKs endpoint. To control that context, use [Provider.VerifierContext] instead.
|
||||
func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
|
||||
return p.newVerifier(p.remoteKeySet(), config)
|
||||
}
|
||||
@@ -142,15 +144,6 @@ func (p *Provider) newVerifier(keySet KeySet, config *Config) *IDTokenVerifier {
|
||||
return NewVerifier(p.issuer, keySet, config)
|
||||
}
|
||||
|
||||
func contains(sli []string, ele string) bool {
|
||||
for _, s := range sli {
|
||||
if s == ele {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Returns the Claims from the distributed JWT token
|
||||
func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src claimSource) ([]byte, error) {
|
||||
req, err := http.NewRequest("GET", src.Endpoint, nil)
|
||||
@@ -187,7 +180,7 @@ func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src
|
||||
// Verify parses a raw ID Token, verifies it's been signed by the provider, performs
|
||||
// any additional checks depending on the Config, and returns the payload.
|
||||
//
|
||||
// Verify does NOT do nonce validation, which is the callers responsibility.
|
||||
// Verify does NOT do nonce validation, which is the caller's responsibility.
|
||||
//
|
||||
// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
||||
//
|
||||
@@ -257,7 +250,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
|
||||
// This check DOES NOT ensure that the ClientID is the party to which the ID Token was issued (i.e. Authorized party).
|
||||
if !v.config.SkipClientIDCheck {
|
||||
if v.config.ClientID != "" {
|
||||
if !contains(t.Audience, v.config.ClientID) {
|
||||
if !slices.Contains(t.Audience, v.config.ClientID) {
|
||||
return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
|
||||
}
|
||||
} else {
|
||||
|
||||
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
@@ -292,7 +292,7 @@ github.com/containerd/log
|
||||
# github.com/containerd/platforms v1.0.0-rc.2
|
||||
## explicit; go 1.20
|
||||
github.com/containerd/platforms
|
||||
# github.com/coreos/go-oidc/v3 v3.19.0
|
||||
# github.com/coreos/go-oidc/v3 v3.20.0
|
||||
## explicit; go 1.25.0
|
||||
github.com/coreos/go-oidc/v3/oidc
|
||||
# github.com/coreos/go-semver v0.3.1
|
||||
|
||||
Reference in New Issue
Block a user