44 lines
1.1 KiB
Go
44 lines
1.1 KiB
Go
|
package oidc
|
||
|
|
|
||
|
|
import (
|
||
|
|
"encoding/json"
|
||
|
|
"errors"
|
||
|
|
"fmt"
|
||
|
|
|
||
|
|
"golang.org/x/oauth2"
|
||
|
|
)
|
||
|
|
|
||
|
|
// Nonce returns an auth code option which requires the ID Token created by the
|
||
|
|
// OpenID Connect provider to contain the specified nonce.
|
||
|
|
func Nonce(nonce string) oauth2.AuthCodeOption {
|
||
|
|
return oauth2.SetAuthURLParam("nonce", nonce)
|
||
|
|
}
|
||
|
|
|
||
|
|
// NonceSource represents a source which can verify a nonce is valid and has not
|
||
|
|
// been claimed before.
|
||
|
|
type NonceSource interface {
|
||
|
|
ClaimNonce(nonce string) error
|
||
|
|
}
|
||
|
|
|
||
|
|
// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source.
|
||
|
|
func VerifyNonce(source NonceSource) VerificationOption {
|
||
|
|
return nonceVerifier{source}
|
||
|
|
}
|
||
|
|
|
||
|
|
type nonceVerifier struct {
|
||
|
|
nonceSource NonceSource
|
||
|
|
}
|
||
|
|
|
||
|
|
func (n nonceVerifier) verifyIDTokenPayload(payload []byte) error {
|
||
|
|
var token struct {
|
||
|
|
Nonce string `json:"nonce"`
|
||
|
|
}
|
||
|
|
if err := json.Unmarshal(payload, &token); err != nil {
|
||
|
|
return fmt.Errorf("oidc: failed to unmarshal nonce: %v", err)
|
||
|
|
}
|
||
|
|
if token.Nonce == "" {
|
||
|
|
return errors.New("oidc: no nonce present in ID Token")
|
||
|
|
}
|
||
|
|
return n.nonceSource.ClaimNonce(token.Nonce)
|
||
|
|
}
|