From 25ee99f93a662f87e38f8e8e13813ea606cae6dc Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Mon, 30 Nov 2020 17:08:27 -0600
Subject: [PATCH] Add ValidateToken method to UpstreamOIDCIdentityProviderI interface.

Signed-off-by: Matt Moyer
---
 internal/oidc/oidctestutil/oidc.go | 6 ++++++
 internal/oidc/provider/dynamic_upstream_idp_provider.go | 4 ++++
 internal/upstreamoidc/upstreamoidc.go | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/internal/oidc/oidctestutil/oidc.go b/internal/oidc/oidctestutil/oidc.go
index 43a7147f..eafd567f 100644
--- a/internal/oidc/oidctestutil/oidc.go
+++ b/internal/oidc/oidctestutil/oidc.go
@@ -7,6 +7,8 @@ import (
 "context"
 "net/url"
 
+    "golang.org/x/oauth2"
+
 "go.pinniped.dev/internal/oidc/provider"
 "go.pinniped.dev/pkg/oidcclient/nonce"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -96,6 +98,10 @@ func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokensArgs
 return u.exchangeAuthcodeAndValidateTokensArgs[call]
 }
 
+func (u *TestUpstreamOIDCIdentityProvider) ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error) {
+    panic("implement me")
+}
+
 func NewIDPListGetter(upstreamOIDCIdentityProviders ...*TestUpstreamOIDCIdentityProvider) provider.DynamicUpstreamIDPProvider {
 idpProvider := provider.NewDynamicUpstreamIDPProvider()
 upstreams := make([]provider.UpstreamOIDCIdentityProviderI, len(upstreamOIDCIdentityProviders))
diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/oidc/provider/dynamic_upstream_idp_provider.go
index 0c08708c..8ef1e5db 100644
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/oidc/provider/dynamic_upstream_idp_provider.go
@@ -8,6 +8,8 @@ import (
 "net/url"
 "sync"
 
+    "golang.org/x/oauth2"
+
 "go.pinniped.dev/pkg/oidcclient/nonce"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
 "go.pinniped.dev/pkg/oidcclient/pkce"
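Review bot: The new ValidateToken fake on TestUpstreamOIDCIdentityProvider panics unconditionally with `panic("implement me")`, while the sibling ExchangeAuthcodeAndValidateTokens fake visible in the hunk's context records its call arguments (`u.exchangeAuthcodeAndValidateTokensArgs[call]`) so tests can inspect them. Until it is implemented, a comment should say why it panics, e.g. `// ValidateToken is not yet exercised by any test; it panics so an unexpected call fails loudly instead of returning zero values.` When it is filled in it should presumably follow the same record-the-args-and-return-configured-values pattern as its sibling, so tests of the new interface method can assert which token and nonce were passed through. The import hunk in this file is a trivial companion change.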
@@ -41,6 +43,8 @@ type UpstreamOIDCIdentityProviderI interface {
 pkceCodeVerifier pkce.Code,
 expectedIDTokenNonce nonce.Nonce,
 ) (tokens oidctypes.Token, parsedIDTokenClaims map[string]interface{}, err error)
+
+    ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error)
 }
 
 type DynamicUpstreamIDPProvider interface {
diff --git a/internal/upstreamoidc/upstreamoidc.go b/internal/upstreamoidc/upstreamoidc.go
index b44f02bc..72de2e33 100644
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@@ -65,6 +65,10 @@ func (p *ProviderConfig) ExchangeAuthcodeAndValidateTokens(ctx context.Context,
 return oidctypes.Token{}, nil, err
 }
 
+    return p.ValidateToken(ctx, tok, expectedIDTokenNonce)
+}
+
+func (p *ProviderConfig) ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error) {
 idTok, hasIDTok := tok.Extra("id_token").(string)
 if !hasIDTok {
 return oidctypes.Token{}, nil, httperr.New(http.StatusBadRequest, "received response missing ID token")
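Review bot: The new ValidateToken interface method carries no doc comment, and for a method whose contract is security-relevant (which fields of `tok` must be present, what is verified, what `expectedIDTokenNonce` must be) that leaves every implementer and caller to guess. I would add above it something like `// ValidateToken verifies the ID token carried in tok, including that its nonce claim equals expectedIDTokenNonce, and returns the parsed tokens and ID token claims; a token response with a missing or invalid ID token must be rejected.` — adjust the wording to whatever the real implementation actually checks. Minor style point: the sibling method in the same interface names its results (`tokens`, `parsedIDTokenClaims`, `err`) while this one leaves them unnamed; naming them the same way documents what the returned map is. The interface definition starts outside the hunk.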
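Review bot: ProviderConfig.ValidateToken is now an exported method that accepts a caller-supplied `*oauth2.Token`, whereas before this logic only ever ran on the response of the authcode exchange inside the same function; the hunk shows it rejects a missing `id_token` with a 400, but the rest of the verification runs past the end of the hunk, so I cannot confirm from here what else is checked. A nil `tok` becomes reachable from other callers and, as far as I recall, `(*oauth2.Token).Extra` reads the receiver's fields, so either add a guard at the top, `if tok == nil { return oidctypes.Token{}, nil, httperr.New(http.StatusBadRequest, "received response missing ID token") }`, or document the non-nil precondition. The exported method also needs a doc comment stating what it verifies and that `expectedIDTokenNonce` is compared against the ID token's nonce claim (presumably — confirm against the code below the hunk); if this is being extracted for a refresh flow, say how an ID token that carries no nonce claim is treated. ExchangeAuthcodeAndValidateTokens starts, and ValidateToken ends, outside the hunk.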