package oidc import ( "encoding/json" "errors" "fmt" "golang.org/x/oauth2" ) // Nonce returns an auth code option which requires the ID Token created by the // OpenID Connect provider to contain the specified nonce. func Nonce(nonce string) oauth2.AuthCodeOption { return oauth2.SetAuthURLParam("nonce", nonce) } // NonceSource represents a source which can verify a nonce is valid and has not // been claimed before. type NonceSource interface { ClaimNonce(nonce string) error } // VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source. func VerifyNonce(source NonceSource) VerificationOption { return nonceVerifier{source} } type nonceVerifier struct { nonceSource NonceSource } func (n nonceVerifier) verifyIDTokenPayload(payload []byte) error { var token struct { Nonce string `json:"nonce"` } if err := json.Unmarshal(payload, &token); err != nil { return fmt.Errorf("oidc: failed to unmarshal nonce: %v", err) } if token.Nonce == "" { return errors.New("oidc: no nonce present in ID Token") } return n.nonceSource.ClaimNonce(token.Nonce) }