initial commit

vendor/github.com/ericchiang/oidc/nonce.go

@@ -0,0 +1,43 @@
+package oidc
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"golang.org/x/oauth2"
+)
+
+// Nonce returns an auth code option which requires the ID Token created by the
+// OpenID Connect provider to contain the specified nonce.
+func Nonce(nonce string) oauth2.AuthCodeOption {
+	return oauth2.SetAuthURLParam("nonce", nonce)
+}
+
+// NonceSource represents a source which can verify a nonce is valid and has not
+// been claimed before.
+type NonceSource interface {
+	ClaimNonce(nonce string) error
+}
+
+// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source.
+func VerifyNonce(source NonceSource) VerificationOption {
+	return nonceVerifier{source}
+}
+
+type nonceVerifier struct {
+	nonceSource NonceSource
+}
+
+func (n nonceVerifier) verifyIDTokenPayload(payload []byte) error {
+	var token struct {
+		Nonce string `json:"nonce"`
+	}
+	if err := json.Unmarshal(payload, &token); err != nil {
+		return fmt.Errorf("oidc: failed to unmarshal nonce: %v", err)
+	}
+	if token.Nonce == "" {
+		return errors.New("oidc: no nonce present in ID Token")
+	}
+	return n.nonceSource.ClaimNonce(token.Nonce)
+}