Diffstat (limited to 'vendor/github.com/coreos/go-oidc')
-rw-r--r--vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go10
-rw-r--r--vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go45
-rw-r--r--vendor/github.com/coreos/go-oidc/v3/oidc/verify.go14
3 files changed, 38 insertions, 31 deletions
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go b/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
index 6a162689b..a272b7ab2 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go
@@ -18,8 +18,8 @@ import (
// exposed for providers that don't support discovery or to prevent round trips to the
// discovery URL.
//
-// The returned KeySet is a long lived verifier that caches keys based on cache-control
-// headers. Reuse a common remote key set instead of creating new ones as needed.
+// The returned KeySet is a long lived verifier that caches keys based on any
+// keys change. Reuse a common remote key set instead of creating new ones as needed.
func NewRemoteKeySet(ctx context.Context, jwksURL string) *RemoteKeySet {
return newRemoteKeySet(ctx, jwksURL, time.Now)
}
@@ -39,7 +39,7 @@ type RemoteKeySet struct {
now func() time.Time
// guard all other fields
- mu sync.Mutex
+ mu sync.RWMutex
// inflight suppresses parallel execution of updateKeys and allows
// multiple goroutines to wait for its result.
@@ -131,8 +131,8 @@ func (r *RemoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) (
}
func (r *RemoteKeySet) keysFromCache() (keys []jose.JSONWebKey) {
- r.mu.Lock()
- defer r.mu.Unlock()
+ r.mu.RLock()
+ defer r.mu.RUnlock()
return r.cachedKeys
}
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go b/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
index 9726f13bd..3e1d80e08 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go
@@ -17,7 +17,6 @@ import (
"time"
"golang.org/x/oauth2"
- jose "gopkg.in/square/go-jose.v2"
)
const (
@@ -40,6 +39,10 @@ var (
errInvalidAtHash = errors.New("access token hash does not match value in ID token")
)
+type contextKey int
+
+var issuerURLKey contextKey
+
// ClientContext returns a new Context that carries the provided HTTP client.
//
// This method sets the same context key used by the golang.org/x/oauth2 package,
@@ -56,7 +59,7 @@ func ClientContext(ctx context.Context, client *http.Client) context.Context {
}
// cloneContext copies a context's bag-of-values into a new context that isn't
-// associated with its cancelation. This is used to initialize remote keys sets
+// associated with its cancellation. This is used to initialize remote keys sets
// which run in the background and aren't associated with the initial context.
func cloneContext(ctx context.Context) context.Context {
cp := context.Background()
@@ -66,6 +69,25 @@ func cloneContext(ctx context.Context) context.Context {
return cp
}
+// InsecureIssuerURLContext allows discovery to work when the issuer_url reported
+// by upstream is mismatched with the discovery URL. This is meant for integration
+// with off-spec providers such as Azure.
+//
+// discoveryBaseURL := "https://login.microsoftonline.com/organizations/v2.0"
+// issuerURL := "https://login.microsoftonline.com/my-tenantid/v2.0"
+//
+// ctx := oidc.InsecureIssuerURLContext(parentContext, issuerURL)
+//
+// // Provider will be discovered with the discoveryBaseURL, but use issuerURL
+// // for future issuer validation.
+// provider, err := oidc.NewProvider(ctx, discoveryBaseURL)
+//
+// This is insecure because validating the correct issuer is critical for multi-tenant
+// proivders. Any overrides here MUST be carefully reviewed.
+func InsecureIssuerURLContext(ctx context.Context, issuerURL string) context.Context {
+ return context.WithValue(ctx, issuerURLKey, issuerURL)
+}
+
func doRequest(ctx context.Context, req *http.Request) (*http.Response, error) {
client := http.DefaultClient
if c, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok {
@@ -88,11 +110,6 @@ type Provider struct {
remoteKeySet KeySet
}
-type cachedKeys struct {
- keys []jose.JSONWebKey
- expiry time.Time
-}
-
type providerJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
@@ -148,7 +165,11 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
}
- if p.Issuer != issuer {
+ issuerURL, skipIssuerValidation := ctx.Value(issuerURLKey).(string)
+ if !skipIssuerValidation {
+ issuerURL = issuer
+ }
+ if p.Issuer != issuerURL && !skipIssuerValidation {
return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
}
var algs []string
@@ -158,7 +179,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
}
}
return &Provider{
- issuer: p.Issuer,
+ issuer: issuerURL,
authURL: p.AuthURL,
tokenURL: p.TokenURL,
userInfoURL: p.UserInfoURL,
@@ -398,9 +419,9 @@ type stringAsBool bool
func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
switch string(b) {
case "true", `"true"`:
- *sb = stringAsBool(true)
+ *sb = true
case "false", `"false"`:
- *sb = stringAsBool(false)
+ *sb = false
default:
return errors.New("invalid value for boolean")
}
@@ -419,7 +440,7 @@ func (a *audience) UnmarshalJSON(b []byte) error {
if err := json.Unmarshal(b, &auds); err != nil {
return err
}
- *a = audience(auds)
+ *a = auds
return nil
}
diff --git a/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go b/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
index 5c4d6582c..dc6b56dfe 100644
--- a/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
+++ b/vendor/github.com/coreos/go-oidc/v3/oidc/verify.go
@@ -171,20 +171,6 @@ func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src
return token.claims, nil
}
-func parseClaim(raw []byte, name string, v interface{}) error {
- var parsed map[string]json.RawMessage
- if err := json.Unmarshal(raw, &parsed); err != nil {
- return err
- }
-
- val, ok := parsed[name]
- if !ok {
- return fmt.Errorf("claim doesn't exist: %s", name)
- }
-
- return json.Unmarshal([]byte(val), v)
-}
-
// Verify parses a raw ID Token, verifies it's been signed by the provider, performs
// any additional checks depending on the Config, and returns the payload.
//