mirror of https://github.com/dexidp/dex.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
43 lines
1.1 KiB
43 lines
1.1 KiB
package oidc |
|
|
|
import ( |
|
"encoding/json" |
|
"errors" |
|
"fmt" |
|
|
|
"golang.org/x/oauth2" |
|
) |
|
|
|
// Nonce returns an auth code option which requires the ID Token created by the |
|
// OpenID Connect provider to contain the specified nonce. |
|
func Nonce(nonce string) oauth2.AuthCodeOption { |
|
return oauth2.SetAuthURLParam("nonce", nonce) |
|
} |
|
|
|
// NonceSource represents a source which can verify a nonce is valid and has not |
|
// been claimed before. |
|
type NonceSource interface { |
|
ClaimNonce(nonce string) error |
|
} |
|
|
|
// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source. |
|
func VerifyNonce(source NonceSource) VerificationOption { |
|
return nonceVerifier{source} |
|
} |
|
|
|
type nonceVerifier struct { |
|
nonceSource NonceSource |
|
} |
|
|
|
func (n nonceVerifier) verifyIDTokenPayload(payload []byte) error { |
|
var token struct { |
|
Nonce string `json:"nonce"` |
|
} |
|
if err := json.Unmarshal(payload, &token); err != nil { |
|
return fmt.Errorf("oidc: failed to unmarshal nonce: %v", err) |
|
} |
|
if token.Nonce == "" { |
|
return errors.New("oidc: no nonce present in ID Token") |
|
} |
|
return n.nonceSource.ClaimNonce(token.Nonce) |
|
}
|
|
|