ContainerImage.Pinniped/internal/oidc/oidctestutil/oidc.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package oidctestutil

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"fmt"
	"net/url"
	"testing"

	coreosoidc "github.com/coreos/go-oidc/v3/oidc"
	"github.com/stretchr/testify/require"
	"golang.org/x/oauth2"
	"gopkg.in/square/go-jose.v2"

	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/pkg/oidcclient/nonce"
	"go.pinniped.dev/pkg/oidcclient/oidctypes"
	"go.pinniped.dev/pkg/oidcclient/pkce"
)

// Test helpers for the OIDC package.

// ExchangeAuthcodeAndValidateTokenArgs is a POGO (plain old go object?) used to spy on calls to
// TestUpstreamOIDCIdentityProvider.ExchangeAuthcodeAndValidateTokensFunc().
type ExchangeAuthcodeAndValidateTokenArgs struct {
	Ctx                  context.Context
	Authcode             string
	PKCECodeVerifier     pkce.Code
	ExpectedIDTokenNonce nonce.Nonce
	RedirectURI          string
}

type TestUpstreamOIDCIdentityProvider struct {
	Name                                  string
	ClientID                              string
	AuthorizationURL                      url.URL
	UsernameClaim                         string
	GroupsClaim                           string
	Scopes                                []string
	ExchangeAuthcodeAndValidateTokensFunc func(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
	) (*oidctypes.Token, error)

	exchangeAuthcodeAndValidateTokensCallCount int
	exchangeAuthcodeAndValidateTokensArgs      []*ExchangeAuthcodeAndValidateTokenArgs
}

func (u *TestUpstreamOIDCIdentityProvider) GetName() string {
	return u.Name
}

func (u *TestUpstreamOIDCIdentityProvider) GetClientID() string {
	return u.ClientID
}

func (u *TestUpstreamOIDCIdentityProvider) GetAuthorizationURL() *url.URL {
	return &u.AuthorizationURL
}

func (u *TestUpstreamOIDCIdentityProvider) GetScopes() []string {
	return u.Scopes
}

func (u *TestUpstreamOIDCIdentityProvider) GetUsernameClaim() string {
	return u.UsernameClaim
}

func (u *TestUpstreamOIDCIdentityProvider) GetGroupsClaim() string {
	return u.GroupsClaim
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(
	ctx context.Context,
	authcode string,
	pkceCodeVerifier pkce.Code,
	expectedIDTokenNonce nonce.Nonce,
	redirectURI string,
) (*oidctypes.Token, error) {
	if u.exchangeAuthcodeAndValidateTokensArgs == nil {
		u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)
	}
	u.exchangeAuthcodeAndValidateTokensCallCount++
	u.exchangeAuthcodeAndValidateTokensArgs = append(u.exchangeAuthcodeAndValidateTokensArgs, &ExchangeAuthcodeAndValidateTokenArgs{
		Ctx:                  ctx,
		Authcode:             authcode,
		PKCECodeVerifier:     pkceCodeVerifier,
		ExpectedIDTokenNonce: expectedIDTokenNonce,
		RedirectURI:          redirectURI,
	})
	return u.ExchangeAuthcodeAndValidateTokensFunc(ctx, authcode, pkceCodeVerifier, expectedIDTokenNonce)
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensCallCount() int {
	return u.exchangeAuthcodeAndValidateTokensCallCount
}

func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensArgs(call int) *ExchangeAuthcodeAndValidateTokenArgs {
	if u.exchangeAuthcodeAndValidateTokensArgs == nil {
		u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)
	}
	return u.exchangeAuthcodeAndValidateTokensArgs[call]
}

func (u *TestUpstreamOIDCIdentityProvider) ValidateToken(_ context.Context, _ *oauth2.Token, _ nonce.Nonce) (*oidctypes.Token, error) {
	panic("implement me")
}

func NewIDPListGetter(upstreamOIDCIdentityProviders ...*TestUpstreamOIDCIdentityProvider) provider.DynamicUpstreamIDPProvider {
	idpProvider := provider.NewDynamicUpstreamIDPProvider()
	upstreams := make([]provider.UpstreamOIDCIdentityProviderI, len(upstreamOIDCIdentityProviders))
	for i := range upstreamOIDCIdentityProviders {
		upstreams[i] = provider.UpstreamOIDCIdentityProviderI(upstreamOIDCIdentityProviders[i])
	}
	idpProvider.SetIDPList(upstreams)
	return idpProvider
}

// Declare a separate type from the production code to ensure that the state param's contents was serialized
// in the format that we expect, with the json keys that we expect, etc. This also ensure that the order of
// the serialized fields is the same, which doesn't really matter expect that we can make simpler equality
// assertions about the redirect URL in this test.
type ExpectedUpstreamStateParamFormat struct {
	P string `json:"p"`
	U string `json:"u"`
	N string `json:"n"`
	C string `json:"c"`
	K string `json:"k"`
	V string `json:"v"`
}

type staticKeySet struct {
	publicKey crypto.PublicKey
}

func newStaticKeySet(publicKey crypto.PublicKey) coreosoidc.KeySet {
	return &staticKeySet{publicKey}
}

func (s *staticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
	jws, err := jose.ParseSigned(jwt)
	if err != nil {
		return nil, fmt.Errorf("oidc: malformed jwt: %w", err)
	}
	return jws.Verify(s.publicKey)
}

// VerifyECDSAIDToken verifies that the provided idToken was issued via the provided jwtSigningKey.
// It also performs some light validation on the claims, i.e., it makes sure the provided idToken
// has the provided  issuer and clientID.
//
// Further validation can be done via callers via the returned coreosoidc.IDToken.
func VerifyECDSAIDToken(
	t *testing.T,
	issuer, clientID string,
	jwtSigningKey *ecdsa.PrivateKey,
	idToken string,
) *coreosoidc.IDToken {
	t.Helper()

	keySet := newStaticKeySet(jwtSigningKey.Public())
	verifyConfig := coreosoidc.Config{ClientID: clientID, SupportedSigningAlgs: []string{coreosoidc.ES256}}
	verifier := coreosoidc.NewVerifier(issuer, keySet, &verifyConfig)
	token, err := verifier.Verify(context.Background(), idToken)
	require.NoError(t, err)

	return token
}
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-20 01:57:07 +00:00			`package oidctestutil`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`import (`
			`"context"`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`"crypto"`
			`"crypto/ecdsa"`
			`"fmt"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"net/url"`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`"testing"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00
Upgrade to github.com/coreos/go-oidc v3.0.0. See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-01-20 17:54:44 +00:00			`coreosoidc "github.com/coreos/go-oidc/v3/oidc"`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`"github.com/stretchr/testify/require"`
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`"golang.org/x/oauth2"`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`"gopkg.in/square/go-jose.v2"`
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"go.pinniped.dev/internal/oidc/provider"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/nonce"`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`"go.pinniped.dev/pkg/oidcclient/oidctypes"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/pkce"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`)`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00
			`// Test helpers for the OIDC package.`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`// ExchangeAuthcodeAndValidateTokenArgs is a POGO (plain old go object?) used to spy on calls to`
			`// TestUpstreamOIDCIdentityProvider.ExchangeAuthcodeAndValidateTokensFunc().`
			`type ExchangeAuthcodeAndValidateTokenArgs struct {`
			`Ctx context.Context`
			`Authcode string`
			`PKCECodeVerifier pkce.Code`
			`ExpectedIDTokenNonce nonce.Nonce`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`RedirectURI string`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`}`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`type TestUpstreamOIDCIdentityProvider struct {`
			`Name string`
			`ClientID string`
			`AuthorizationURL url.URL`
			`UsernameClaim string`
			`GroupsClaim string`
			`Scopes []string`
			`ExchangeAuthcodeAndValidateTokensFunc func(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`) (*oidctypes.Token, error)`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00
			`exchangeAuthcodeAndValidateTokensCallCount int`
			`exchangeAuthcodeAndValidateTokensArgs []*ExchangeAuthcodeAndValidateTokenArgs`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetName() string {`
			`return u.Name`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetClientID() string {`
			`return u.ClientID`
			`}`

			`func (u TestUpstreamOIDCIdentityProvider) GetAuthorizationURL() url.URL {`
			`return &u.AuthorizationURL`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetScopes() []string {`
			`return u.Scopes`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetUsernameClaim() string {`
			`return u.UsernameClaim`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) GetGroupsClaim() string {`
			`return u.GroupsClaim`
			`}`

			`func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`redirectURI string,`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`) (*oidctypes.Token, error) {`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`if u.exchangeAuthcodeAndValidateTokensArgs == nil {`
			`u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)`
			`}`
			`u.exchangeAuthcodeAndValidateTokensCallCount++`
			`u.exchangeAuthcodeAndValidateTokensArgs = append(u.exchangeAuthcodeAndValidateTokensArgs, &ExchangeAuthcodeAndValidateTokenArgs{`
			`Ctx: ctx,`
			`Authcode: authcode,`
			`PKCECodeVerifier: pkceCodeVerifier,`
			`ExpectedIDTokenNonce: expectedIDTokenNonce,`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`RedirectURI: redirectURI,`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`})`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`return u.ExchangeAuthcodeAndValidateTokensFunc(ctx, authcode, pkceCodeVerifier, expectedIDTokenNonce)`
			`}`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensCallCount() int {`
			`return u.exchangeAuthcodeAndValidateTokensCallCount`
			`}`

			`func (u TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensArgs(call int) ExchangeAuthcodeAndValidateTokenArgs {`
			`if u.exchangeAuthcodeAndValidateTokensArgs == nil {`
			`u.exchangeAuthcodeAndValidateTokensArgs = make([]*ExchangeAuthcodeAndValidateTokenArgs, 0)`
			`}`
			`return u.exchangeAuthcodeAndValidateTokensArgs[call]`
			`}`

Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`func (u TestUpstreamOIDCIdentityProvider) ValidateToken(_ context.Context, _ oauth2.Token, _ nonce.Nonce) (*oidctypes.Token, error) {`
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`panic("implement me")`
			`}`

callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`func NewIDPListGetter(upstreamOIDCIdentityProviders ...*TestUpstreamOIDCIdentityProvider) provider.DynamicUpstreamIDPProvider {`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`idpProvider := provider.NewDynamicUpstreamIDPProvider()`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`upstreams := make([]provider.UpstreamOIDCIdentityProviderI, len(upstreamOIDCIdentityProviders))`
			`for i := range upstreamOIDCIdentityProviders {`
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-19 15:20:46 +00:00			`upstreams[i] = provider.UpstreamOIDCIdentityProviderI(upstreamOIDCIdentityProviders[i])`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`
			`idpProvider.SetIDPList(upstreams)`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`return idpProvider`
			`}`

			`// Declare a separate type from the production code to ensure that the state param's contents was serialized`
			`// in the format that we expect, with the json keys that we expect, etc. This also ensure that the order of`
			`// the serialized fields is the same, which doesn't really matter expect that we can make simpler equality`
			`// assertions about the redirect URL in this test.`
			`type ExpectedUpstreamStateParamFormat struct {`
			P string `json:"p"`
Use /callback (without IDP name) path for callback endpoint (part 1) This is much nicer UX for an administrator installing a UpstreamOIDCProvider CRD. They don't have to guess as hard at what the callback endpoint path should be for their UpstreamOIDCProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-20 21:14:45 +00:00			U string `json:"u"`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			N string `json:"n"`
			C string `json:"c"`
			K string `json:"k"`
			V string `json:"v"`
			`}`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00
			`type staticKeySet struct {`
			`publicKey crypto.PublicKey`
			`}`

			`func newStaticKeySet(publicKey crypto.PublicKey) coreosoidc.KeySet {`
			`return &staticKeySet{publicKey}`
			`}`

			`func (s *staticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {`
			`jws, err := jose.ParseSigned(jwt)`
			`if err != nil {`
			`return nil, fmt.Errorf("oidc: malformed jwt: %w", err)`
			`}`
			`return jws.Verify(s.publicKey)`
			`}`

			`// VerifyECDSAIDToken verifies that the provided idToken was issued via the provided jwtSigningKey.`
			`// It also performs some light validation on the claims, i.e., it makes sure the provided idToken`
			`// has the provided issuer and clientID.`
			`//`
			`// Further validation can be done via callers via the returned coreosoidc.IDToken.`
			`func VerifyECDSAIDToken(`
			`t *testing.T,`
			`issuer, clientID string,`
			`jwtSigningKey *ecdsa.PrivateKey,`
			`idToken string,`
			`) *coreosoidc.IDToken {`
			`t.Helper()`

			`keySet := newStaticKeySet(jwtSigningKey.Public())`
			`verifyConfig := coreosoidc.Config{ClientID: clientID, SupportedSigningAlgs: []string{coreosoidc.ES256}}`
			`verifier := coreosoidc.NewVerifier(issuer, keySet, &verifyConfig)`
			`token, err := verifier.Verify(context.Background(), idToken)`
			`require.NoError(t, err)`

			`return token`
			`}`