op: add example for VerifyAccessToken

zitadel · Mar 4, 2023 · f02c2c5 · f02c2c5
1 parent 944fbd7
commit f02c2c5
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 1 deletion.
diff --git a/pkg/op/verifier_access_token.go b/pkg/op/verifier_access_token.go
@@ -65,7 +65,7 @@ func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTok
 	return verifier
 }
 
-// VerifyAccessToken validates the access token (issuer, signature and expiration)
+// VerifyAccessToken validates the access token (issuer, signature and expiration).
 func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v AccessTokenVerifier) (claims C, err error) {
 	var nilClaims C
 

diff --git a/pkg/op/verifier_access_token_example_test.go b/pkg/op/verifier_access_token_example_test.go
@@ -0,0 +1,58 @@
+package op_test
+
+import (
+	"context"
+	"fmt"
+
+	tu "github.com/zitadel/oidc/v2/internal/testutil"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/op"
+)
+
+// MyCustomClaims extends the TokenClaims base,
+// so it implments the oidc.Claims interface.
+// Instead of carying a map, we add needed fields
+// to the struct for type safe access.
+type MyCustomClaims struct {
+	oidc.TokenClaims
+	NotBefore            oidc.Time `json:"nbf,omitempty"`
+	CodeHash             string    `json:"c_hash,omitempty"`
+	SessionID            string    `json:"sid,omitempty"`
+	Scopes               []string  `json:"scope,omitempty"`
+	AccessTokenUseNumber int       `json:"at_use_nbr,omitempty"`
+	Foo                  string    `json:"foo,omitempty"`
+	Bar                  string    `json:"bar,omitempty"`
+}
+
+/*
+accessToken caries the following claims. foo and bar are custom claims
+
+	{
+		"aud": [
+			"unit",
+			"test"
+		],
+		"bar": "world",
+		"exp": 4802024314,
+		"foo": "hello",
+		"iat": 1677886653,
+		"iss": "local.com",
+		"jti": "9876",
+		"nbf": 1677886653,
+		"sub": "tim@local.com"
+	}
+*/
+const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjoid29ybGQiLCJleHAiOjE2Nzc4ODc0MjcsImZvbyI6ImhlbGxvIiwiaWF0IjoxNjc3ODg3MzY2LCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc3ODg3MzY2LCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.ebq7R77mfveMsdPpuPozixlNy5ip6VJPTIX57CpaTpN6CGyred28mQyKKMQhAjMIaII59WG7r8UusaIa3SWzkN1QE3SrCDjGXcKDp-IOgtUfLpu39iXkoyt8l-yqfCtJWcGrvCU-JNMyxgLrmst-JH6YZ7X9q9wYEvJyXgOyIEDtFbnvZkY8l3K77gZ8PIoIuoyxbm39uOHe9j4TCX2fw7e5ERuTK9mi_XjYEalQVOFAKvai61vL3W7y8c3xlz84O6nNmpgsl1gk3FH3zIz0S5vR1NU_tmZECVk_GsGqUqxertwgh5x09r205vZYxwUEZMCS9xPvhn3fixiVfpj4bw`
+
+func ExampleVerifyAccessToken_customClaims() {
+	v := op.NewAccessTokenVerifier("local.com", tu.KeySet{})
+
+	// Now VerifyAccessToken can be called with the *MyCustomClaims type to provide
+	// type safe access to all the Claims.
+	claims, err := op.VerifyAccessToken[*MyCustomClaims](context.TODO(), accessToken, v)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(claims.Foo, claims.Bar)
+	// Output: hello world
+}