op: add example for VerifyAccessToken

zitadel · Mar 4, 2023 · ef5a8a2 · ef5a8a2
1 parent 944fbd7
commit ef5a8a2
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 1 deletion.
diff --git a/pkg/op/verifier_access_token.go b/pkg/op/verifier_access_token.go
@@ -65,7 +65,7 @@ func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTok
 	return verifier
 }
 
-// VerifyAccessToken validates the access token (issuer, signature and expiration)
+// VerifyAccessToken validates the access token (issuer, signature and expiration).
 func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v AccessTokenVerifier) (claims C, err error) {
 	var nilClaims C
 

diff --git a/pkg/op/verifier_access_token_example_test.go b/pkg/op/verifier_access_token_example_test.go
@@ -0,0 +1,58 @@
+package op_test
+
+import (
+	"context"
+	"fmt"
+
+	tu "github.com/zitadel/oidc/v2/internal/testutil"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/op"
+)
+
+// MyCustomClaims extends the TokenClaims base,
+// so it implments the oidc.Claims interface.
+// Instead of carying a map, we add needed fields
+// to the struct for type safe access.
+type MyCustomClaims struct {
+	oidc.TokenClaims
+	NotBefore            oidc.Time `json:"nbf,omitempty"`
+	CodeHash             string    `json:"c_hash,omitempty"`
+	SessionID            string    `json:"sid,omitempty"`
+	Scopes               []string  `json:"scope,omitempty"`
+	AccessTokenUseNumber int       `json:"at_use_nbr,omitempty"`
+	Foo                  string    `json:"foo,omitempty"`
+	Bar                  string    `json:"bar,omitempty"`
+}
+
+/*
+accessToken caries the following claims. foo and bar are custom claims
+
+	{
+		"aud": [
+			"unit",
+			"test"
+		],
+		"bar": "world",
+		"exp": 4802025920,
+		"foo": "hello",
+		"iat": 1677888259,
+		"iss": "local.com",
+		"jti": "9876",
+		"nbf": 1677888259,
+		"sub": "tim@local.com"
+	}
+*/
+const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjoid29ybGQiLCJleHAiOjQ4MDIwMjU5MjAsImZvbyI6ImhlbGxvIiwiaWF0IjoxNjc3ODg4MjU5LCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc3ODg4MjU5LCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.TbKRJnfyfn1PTC46VVXqqiKZl4gVmRPdQy8dxXvMtp1SAeMU4gSuu2qb-bNlVgFqQ5YqvveKH4mswcUf7DrqPx79roBEY1VZ6R0e10beZBg0UZ0XaBf9V9YJGTRQNEuETRjl6kMwVav4oyP8ZW74-AOrgSql7vxCX3FDRTRxt_7oeFRz2YzugFdHPOqQo4IHudQNMN9WD9b3QgoKDyj0BGxAQ9WpDE5N7WKIf6fXipSXJBQmf22QazXFZcUOGfKdhFYZ9eSlZQRDFJTguEtKwzk7wcxt6aJBsU-AEha2SucRXe3j7J56hAEsN5gC5i9edSdr8ebzrhnnLJ1t-PafhQ`
+
+func ExampleVerifyAccessToken_customClaims() {
+	v := op.NewAccessTokenVerifier("local.com", tu.KeySet{})
+
+	// Now VerifyAccessToken can be called with the *MyCustomClaims type to provide
+	// type safe access to all the Claims.
+	claims, err := op.VerifyAccessToken[*MyCustomClaims](context.TODO(), accessToken, v)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(claims.Foo, claims.Bar)
+	// Output: hello world
+}