From 5bf72089b0d60137d05f3f1368bce1edb9a09966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Fri, 10 Mar 2023 14:23:07 +0200
Subject: [PATCH] resolve (most) review comments

---
 example/server/storage/storage.go | 1 -
 pkg/client/rp/verifier_tokens_example_test.go | 7 ++-
 pkg/oidc/token.go | 48 +++++++++++++++----
 pkg/oidc/token_test.go | 13 +++++
 pkg/op/verifier_access_token_example_test.go | 7 ++-
 5 files changed, 57 insertions(+), 19 deletions(-)

diff --git a/example/server/storage/storage.go b/example/server/storage/storage.go
index b467738c..ff7889e4 100644
--- a/example/server/storage/storage.go
+++ b/example/server/storage/storage.go
@@ -625,7 +625,6 @@ func (s *Storage) setUserinfo(ctx context.Context, userInfo *oidc.UserInfo, user
 case oidc.ScopeEmail:
 userInfo.Email = user.Email
 userInfo.EmailVerified = oidc.Bool(user.EmailVerified)
-//user.Email, user.EmailVerified
 case oidc.ScopeProfile:
 userInfo.PreferredUsername = user.Username
 userInfo.Name = user.FirstName + " " + user.LastName
diff --git a/pkg/client/rp/verifier_tokens_example_test.go b/pkg/client/rp/verifier_tokens_example_test.go
index 8be23cc3..c297efe4 100644
--- a/pkg/client/rp/verifier_tokens_example_test.go
+++ b/pkg/client/rp/verifier_tokens_example_test.go
@@ -10,9 +10,8 @@ import (
 )
 
 // MyCustomClaims extends the TokenClaims base,
-// so it implments the oidc.Claims interface.
-// Instead of carying a map, we add needed fields
-// to the struct for type safe access.
+// so it implmeents the oidc.Claims interface.
+// Instead of carrying a map, we add needed fields// to the struct for type safe access.
 type MyCustomClaims struct {
 oidc.TokenClaims
 NotBefore oidc.Time `json:"nbf,omitempty"`
@@ -34,7 +33,7 @@ type Nested struct {
 }
 
 /*
-idToken caries the following claims. foo and bar are custom claims
+idToken carries the following claims. foo and bar are custom claims
 {
 "acr": "something",
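Review bot: The rewritten doc comment on MyCustomClaims in pkg/client/rp/verifier_tokens_example_test.go still misspells the word as `implmeents`, and the second added line glues what used to be two comment lines into one, so `// Instead of carrying a map, we add needed fields// to the struct for type safe access.` now reads as a single line with a stray `//` in the middle; the matching hunk in pkg/op/verifier_access_token_example_test.go has the same glued line (its spelling is already fixed). Suggested replacement for the two `+` lines: `// so it implements the oidc.Claims interface.`, `// Instead of carrying a map, we add needed fields`, `// to the struct for type safe access.`. The MyCustomClaims struct declaration continues outside the hunk.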
diff --git a/pkg/oidc/token.go b/pkg/oidc/token.go
index 52b309b0..1ade913c 100644
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@@ -51,18 +51,46 @@ type TokenClaims struct {
 SignatureAlg jose.SignatureAlgorithm `json:"-"`
 }
 
-func (c *TokenClaims) GetIssuer() string { return c.Issuer }
-func (c *TokenClaims) GetSubject() string { return c.Subject }
-func (c *TokenClaims) GetAudience() []string { return c.Audience }
-func (c *TokenClaims) GetExpiration() time.Time { return c.Expiration.AsTime() }
-func (c *TokenClaims) GetIssuedAt() time.Time { return c.IssuedAt.AsTime() }
-func (c *TokenClaims) GetNonce() string { return c.Nonce }
-func (c *TokenClaims) GetAuthTime() time.Time { return c.AuthTime.AsTime() }
-func (c *TokenClaims) GetAuthorizedParty() string { return c.AuthorizedParty }
-func (c *TokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm { return c.SignatureAlg }
+func (c *TokenClaims) GetIssuer() string {
+ return c.Issuer
+}
+
+func (c *TokenClaims) GetSubject() string {
+ return c.Subject
+}
+
+func (c *TokenClaims) GetAudience() []string {
+ return c.Audience
+}
+
+func (c *TokenClaims) GetExpiration() time.Time {
+ return c.Expiration.AsTime()
+}
+
+func (c *TokenClaims) GetIssuedAt() time.Time {
+ return c.IssuedAt.AsTime()
+}
+
+func (c *TokenClaims) GetNonce() string {
+ return c.Nonce
+}
+
+func (c *TokenClaims) GetAuthTime() time.Time {
+ return c.AuthTime.AsTime()
+}
+
+func (c *TokenClaims) GetAuthorizedParty() string {
+ return c.AuthorizedParty
+}
+
+func (c *TokenClaims) GetSignatureAlgorithm() jose.SignatureAlgorithm {
+ return c.SignatureAlg
+}
+
 func (c *TokenClaims) GetAuthenticationContextClassReference() string {
 return c.AuthenticationContextClassReference
 }
+
 func (c *TokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm) {
 c.SignatureAlg = algorithm
 }
@@ -110,7 +138,7 @@ type IDTokenClaims struct {
 NotBefore Time `json:"nbf,omitempty"`
 AccessTokenHash string `json:"at_hash,omitempty"`
 CodeHash string `json:"c_hash,omitempty"`
- SessionID string `json:"sid,omitempty"` // IDToken - session management spec
+ SessionID string `json:"sid,omitempty"`
 UserInfoProfile
 UserInfoEmail
 UserInfoPhone
diff --git a/pkg/oidc/token_test.go b/pkg/oidc/token_test.go
index 8b35e715..0d9874e9 100644
--- a/pkg/oidc/token_test.go
+++ b/pkg/oidc/token_test.go
@@ -154,6 +154,13 @@ func TestNewAccessTokenClaims(t *testing.T) {
 want.Expiration.AsTime(), want.JWTID, "foo", time.Second,
 )
 
+ // test if the dynamic timestamps are around now,
+ // allowing for a delta of 1, just in case we flip on
+ // either side of a second boundry.
+ nowMinusSkew := NowTime() - 1
+ assert.InDelta(t, int64(nowMinusSkew), int64(got.IssuedAt), 1)
+ assert.InDelta(t, int64(nowMinusSkew), int64(got.NotBefore), 1)
+
 // Make equal not fail on dynamic timestamp
 got.IssuedAt = 0
 got.NotBefore = 0
@@ -207,6 +214,12 @@ func TestNewIDTokenClaims(t *testing.T) {
 time.Second,
 )
 
+ // test if the dynamic timestamp is around now,
+ // allowing for a delta of 1, just in case we flip on
+ // either side of a second boundry.
+ nowMinusSkew := NowTime() - 1
+ assert.InDelta(t, int64(nowMinusSkew), int64(got.IssuedAt), 1)
+
 // Make equal not fail on dynamic timestamp
 got.IssuedAt = 0
 
diff --git a/pkg/op/verifier_access_token_example_test.go b/pkg/op/verifier_access_token_example_test.go
index 0b0e0cb5..effdd587 100644
--- a/pkg/op/verifier_access_token_example_test.go
+++ b/pkg/op/verifier_access_token_example_test.go
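Review bot: In the TestNewAccessTokenClaims hunk of pkg/oidc/token_test.go, `nowMinusSkew := NowTime() - 1` hard-codes the one-second skew that the constructor call three lines up passes as `time.Second`, so the two values can drift apart silently if either is edited; the same pattern is repeated in the TestNewIDTokenClaims hunk. Assuming `Time` is an integer-seconds type, as the `int64(got.IssuedAt)` conversions suggest, a shared local such as `const skew = time.Second` passed to the constructor and used as `nowMinusSkew := NowTime() - Time(skew/time.Second)` keeps the expectation tied to the input. The added comments in both hunks also misspell "boundary" as `boundry`. Both enclosing test functions start outside their hunks.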
@@ -10,9 +10,8 @@ import (
 )
 
 // MyCustomClaims extends the TokenClaims base,
-// so it implments the oidc.Claims interface.
-// Instead of carying a map, we add needed fields
-// to the struct for type safe access.
+// so it implements the oidc.Claims interface.
+// Instead of carrying a map, we add needed fields// to the struct for type safe access.
 type MyCustomClaims struct {
 oidc.TokenClaims
 NotBefore oidc.Time `json:"nbf,omitempty"`
@@ -31,7 +30,7 @@ type Nested struct {
 }
 
 /*
-accessToken caries the following claims. foo and bar are custom claims
+accessToken carries the following claims. foo and bar are custom claims
 {
 "aud": [