From b2d98e71d41908a69da5180c30d32e85017a974a Mon Sep 17 00:00:00 2001
From: Konrad Holowinski
Date: Wed, 24 Jun 2020 17:18:50 +0200
Subject: [PATCH 01/11] support signed jwt userinfo response Removed redundandt jwt parsing for jwt userinf removing empty lines Simplified test server setup for userinfo tests
---
 oidc.go | 8 ++++
 oidc_test.go | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 136 insertions(+)
diff --git a/oidc.go b/oidc.go
index b39cb515..911718e2 100644
--- a/oidc.go
+++ b/oidc.go
@@ -230,6 +230,14 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
 return nil, fmt.Errorf("%s: %s", resp.Status, body)
 }
 
+ if strings.EqualFold(resp.Header.Get("Content-Type"), "application/jwt") {
+ payload, err := p.remoteKeySet.VerifySignature(ctx, string(body))
+ if err != nil {
+ return nil, fmt.Errorf("oidc: invalid userinfo jwt signature %v", err)
+ }
+ body = payload
+ }
+
 var userInfo UserInfo
 if err := json.Unmarshal(body, &userInfo); err != nil {
 return nil, fmt.Errorf("oidc: failed to decode userinfo: %v", err)
diff --git a/oidc_test.go b/oidc_test.go
index e82d2c15..17af9dca 100644
--- a/oidc_test.go
+++ b/oidc_test.go
@@ -9,6 +9,8 @@ import (
 "reflect"
 "strings"
 "testing"
+
+ "golang.org/x/oauth2"
 )
 
 const (
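Review bot: The new `application/jwt` branch verifies only the JWS signature before handing the payload to `json.Unmarshal`, so nothing binds the signed claims to this issuer or to the End-User the caller authenticated: OIDC Core requires a client to discard a UserInfo response whose `sub` differs from the ID Token's, and a signed response should carry `iss`/`aud` for the client to check, but `UserInfo` receives only a token source and cannot perform either comparison itself. Since the signature cannot express it, state the contract in the method's doc comment, e.g. `// When the response is a signed JWT only its signature is verified against the provider's JWKS; callers must still compare Subject with the ID Token's sub and check iss/aud via Claims.` The added error string also drops the `: ` separator used by the neighbouring decode error; `return nil, fmt.Errorf("oidc: invalid userinfo jwt signature: %v", err)` keeps the two consistent. The enclosing UserInfo method starts and ends outside the hunk.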
@@ -297,3 +299,129 @@ func TestNewProvider(t *testing.T) { }) } } + +type testServer struct { + contentType string + userInfo string +} + +func (ts *testServer) run(t *testing.T) string { + newMux := http.NewServeMux() + server := httptest.NewServer(newMux) + + // generated using mkjwk.org + jwks := `{ + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "use": "sig", + "kid": "test", + "alg": "RS256", + "n": "luTpO0eGNYC36udr3gvoBxTjF1RxHXBMRcEdY13E_IocCM5GuqFNLbScH3q69O6WSq8a43cVmsdnayw3oHu8GDTZuggnsPG28Ln4FFWehdV306YBPBgS_6C8x6mX9PipoNnIpG2PAGhqw1iL_V0WmmNqdJPl9EirgbbHJh7GIkMxyj9UZiwi19YSFHhDdyJvux1L6hieqjrsFFJdwxk1QOlp9NkkCcVNZarUqUltb5JH82IiMSXYsDeOjjE7DlrFLqdo-zg8QlOtY8pow6gueweMWyY4iVv5IAziOh7128aid0-48-mNLTdZtAG758rtuKHJg9dq0nfOm64qROCNUQ" + } + ] + }` + + wellKnown := fmt.Sprintf(`{ + "issuer": "%[1]s", + "authorization_endpoint": "%[1]s/auth", + "token_endpoint": "%[1]s/token", + "jwks_uri": "%[1]s/keys", + "userinfo_endpoint": "%[1]s/userinfo", + "id_token_signing_alg_values_supported": ["RS256"] + }`, server.URL) + + newMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, req *http.Request) { + _, err := io.WriteString(w, wellKnown) + if err != nil { + w.WriteHeader(500) + } + }) + newMux.HandleFunc("/keys", func(w http.ResponseWriter, req *http.Request) { + _, err := io.WriteString(w, jwks) + if err != nil { + w.WriteHeader(500) + } + }) + newMux.HandleFunc("/userinfo", func(w http.ResponseWriter, req *http.Request) { + w.Header().Add("Content-Type", ts.contentType) + _, err := io.WriteString(w, ts.userInfo) + if err != nil { + w.WriteHeader(500) + } + }) + t.Cleanup(server.Close) + return server.URL +} + +func TestUserInfoEndpoint(t *testing.T) { + + userInfoJson := `{ + "sub": "1234567890", + "profile": "Joe Doe", + "email": "joe@doe.com", + "email_verified": true, + "is_admin": true + }` + + tests := []struct { + name string + server testServer + wantUserInfo UserInfo + }{ + { + name: "basic json userinfo", + server: 
testServer{ + contentType: "application/json", + userInfo: userInfoJson, + }, + wantUserInfo: UserInfo{ + Subject: "1234567890", + Profile: "Joe Doe", + Email: "joe@doe.com", + EmailVerified: true, + claims: []byte(userInfoJson), + }, + }, + { + name: "signed jwt userinfo", + server: testServer{ + contentType: "application/jwt", + // generated with jwt.io based on the private/public key pair + userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.AP9Y8Md1rjPfuFPTw7hI6kREQe1J0Wb2P5SeVnu_dmAFAyYbG8nbu2Xveb4HOY9wMZbU7UAuSrlvvF_duImlIWei_Ym0ZVrFDATYoMI_MNKwmt4-vM_pm-97zghuPfpXTLYenHgeyPTkHv_SEwhiKzg0Ap7kC3PlAOGeElMO1L1thDZdMd1MqClOEzie00fZwbUGXwkUdDV0_vd173GBACniEQF_9qtgDyxNzh9IMYPNVdRk0bqzBCdQuhTE1AQmWebTrri962uHdWex25KEk_sxOsSW5HIDc0vEF8uBBPUJjaHDPTvwzMh0RuqwT_SqwJvyOHhG0jSz-LYEa5eugQ", + }, + wantUserInfo: UserInfo{ + Subject: "1234567890", + Profile: "Joe Doe", + Email: "joe@doe.com", + EmailVerified: true, + claims: []byte(userInfoJson), + }, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + serverURL := test.server.run(t) + + ctx := context.Background() + + provider, err := NewProvider(ctx, serverURL) + if err != nil { + t.Fatalf("Failed to initialize provider for test %v", err) + } + + fakeOauthToken := oauth2.Token{} + info, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(&fakeOauthToken)) + if err != nil { + t.Fatalf("failed to get userinfo %v", err) + } + + if info.Email != test.wantUserInfo.Email { + t.Errorf("expected UserInfo to be %v , got %v", test.wantUserInfo, info) + } + }) + } + +} From ae004f59740489a310770268fb721f3cfccb905d Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Thu, 25 Jun 2020 13:59:35 -0700 Subject: [PATCH 02/11] *: s/Json/JSON/g to appease lint --- oidc_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
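Review bot: The only assertion at the end of TestUserInfoEndpoint is `if info.Email != test.wantUserInfo.Email`, so the `Subject`, `Profile`, `EmailVerified` and `claims` values built into each `wantUserInfo` are never checked and the signed-JWT case passes as long as any payload with that email is accepted. `reflect` is already imported, so `if !reflect.DeepEqual(*info, test.wantUserInfo) {` would exercise the whole struct; note that for the JWT cases `claims` appears to be the compact payload bytes carried inside the token, not the pretty-printed `userInfoJson` literal, so the expected values would need adjusting, which is itself worth pinning down. The same single-field check is extended rather than replaced by the later hunk at `@@ -436,6 +472,10 @@` in PATCH 06. Separately, the `w.WriteHeader(500)` calls in the three handlers run after `io.WriteString` has already started the response, so they have no effect; `t.Error(err)` would at least surface the failure.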
diff --git a/oidc_test.go b/oidc_test.go
index 17af9dca..00c05c3a 100644
--- a/oidc_test.go
+++ b/oidc_test.go
@@ -357,7 +357,7 @@ func (ts *testServer) run(t *testing.T) string {
 
 func TestUserInfoEndpoint(t *testing.T) {
 
- userInfoJson := `{
+ userInfoJSON := `{
 "sub": "1234567890",
 "profile": "Joe Doe",
 "email": "joe@doe.com",
@@ -374,14 +374,14 @@ func TestUserInfoEndpoint(t *testing.T) {
 name: "basic json userinfo",
 server: testServer{
 contentType: "application/json",
- userInfo: userInfoJson,
+ userInfo: userInfoJSON,
 },
 wantUserInfo: UserInfo{
 Subject: "1234567890",
 Profile: "Joe Doe",
 Email: "joe@doe.com",
 EmailVerified: true,
- claims: []byte(userInfoJson),
+ claims: []byte(userInfoJSON),
 },
 },
 {
@@ -396,7 +396,7 @@ func TestUserInfoEndpoint(t *testing.T) {
 Profile: "Joe Doe",
 Email: "joe@doe.com",
 EmailVerified: true,
- claims: []byte(userInfoJson),
+ claims: []byte(userInfoJSON),
 },
 },
 }
From b0d36609f8b33f50cf4ba9927c2c324a2b9fe285 Mon Sep 17 00:00:00 2001
From: Konrad Holowinski
Date: Fri, 26 Jun 2020 15:22:52 +0200
Subject: [PATCH 03/11] userinfo - handling charset in Content-Type header Using mime.ParseMediaType
---
 oidc.go | 4 +++-
 oidc_test.go | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/oidc.go b/oidc.go
index 911718e2..dd5a4954 100644
--- a/oidc.go
+++ b/oidc.go
@@ -230,7 +230,9 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
 return nil, fmt.Errorf("%s: %s", resp.Status, body)
 }
 
- if strings.EqualFold(resp.Header.Get("Content-Type"), "application/jwt") {
+ ct := resp.Header.Get("Content-Type")
+ mediaType, _, parseErr := mime.ParseMediaType(ct)
+ if parseErr == nil && mediaType == "application/jwt" {
 payload, err := p.remoteKeySet.VerifySignature(ctx, string(body))
 if err != nil {
 return nil, fmt.Errorf("oidc: invalid userinfo jwt signature %v", err)
diff --git a/oidc_test.go b/oidc_test.go
index 00c05c3a..8a654a10 100644
--- a/oidc_test.go
+++ b/oidc_test.go
@@ -399,6 +399,21 @@ func TestUserInfoEndpoint(t *testing.T) { claims: []byte(userInfoJSON), }, }, + { + name: "signed jwt userinfo, content-type with charset", + server: testServer{ + contentType: "application/jwt; charset=ISO-8859-1", + // generated with jwt.io based on the private/public key pair + userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.AP9Y8Md1rjPfuFPTw7hI6kREQe1J0Wb2P5SeVnu_dmAFAyYbG8nbu2Xveb4HOY9wMZbU7UAuSrlvvF_duImlIWei_Ym0ZVrFDATYoMI_MNKwmt4-vM_pm-97zghuPfpXTLYenHgeyPTkHv_SEwhiKzg0Ap7kC3PlAOGeElMO1L1thDZdMd1MqClOEzie00fZwbUGXwkUdDV0_vd173GBACniEQF_9qtgDyxNzh9IMYPNVdRk0bqzBCdQuhTE1AQmWebTrri962uHdWex25KEk_sxOsSW5HIDc0vEF8uBBPUJjaHDPTvwzMh0RuqwT_SqwJvyOHhG0jSz-LYEa5eugQ", + }, + wantUserInfo: UserInfo{ + Subject: "1234567890", + Profile: "Joe Doe", + Email: "joe@doe.com", + EmailVerified: true, + claims: []byte(userInfoJson), + }, + }, } for _, test := range tests { From 2817d7b83cd8d5e0248943ca88e3388b80923880 Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Mon, 20 Jul 2020 09:16:57 -0700 Subject: [PATCH 04/11] oidc: fix Json/JSON spelling --- oidc_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc_test.go b/oidc_test.go index 8a654a10..daa3cfc7 100644 --- a/oidc_test.go +++ b/oidc_test.go @@ -411,7 +411,7 @@ func TestUserInfoEndpoint(t *testing.T) { Profile: "Joe Doe", Email: "joe@doe.com", EmailVerified: true, - claims: []byte(userInfoJson), + claims: []byte(userInfoJSON), }, }, } From 0dcb7d68f8a05da92eaac1b71468ab63c4917589 Mon Sep 17 00:00:00 2001 
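Review bot: The new test case's `claims: []byte(userInfoJson),` refers to an identifier that PATCH 02 renamed to `userInfoJSON`, so oidc_test.go does not compile at this commit and the series is not bisectable here. PATCH 04 later in the series makes exactly that one-line fix; squashing it into this commit keeps every commit buildable. The enclosing TestUserInfoEndpoint function starts and ends outside the hunk.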
From: dickynovanto1103
Date: Thu, 6 Aug 2020 22:48:27 +0800
Subject: [PATCH 05/11] travis.yml: change go version used in .travis.yml to v1.14 we need to use go v1.14 to fix CI failing because unit test code uses t.Cleanup() function that is only available in go v1.14 Fixes #267
---
 .travis.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 3fddaaac..433c328b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,7 @@
 language: go
 
 go:
- - "1.12"
- - "1.13"
+ - "1.14"
 
 install:
 - go get -v -t github.com/coreos/go-oidc/...
From 2b28d0cc38907454ddd8644363eb1e893ac07b69 Mon Sep 17 00:00:00 2001
From: Dallan Quass
Date: Sat, 22 Aug 2020 20:07:30 -0600
Subject: [PATCH 06/11] add support for AWS Cognito, which returns email_verified as a string instead of a bool
---
 oidc.go | 44 +++++++++++++++++++++++++++++++++++++++++---
 oidc_test.go | 46 +++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/oidc.go b/oidc.go
index dd5a4954..a1d36c5b 100644
--- a/oidc.go
+++ b/oidc.go
@@ -13,6 +13,7 @@ import (
 "io/ioutil"
 "mime"
 "net/http"
+ "strconv"
 "strings"
 "time"
 
@@ -192,6 +193,16 @@ type UserInfo struct {
 claims []byte
 }
 
+type userInfoRaw struct {
+ Subject string `json:"sub"`
+ Profile string `json:"profile"`
+ Email string `json:"email"`
+ // Handle providers that return email_verified as a string
+ // https://forums.aws.amazon.com/thread.jspa?messageID=949441󧳁 and
+ // https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
+ EmailVerified stringAsBool `json:"email_verified"`
+}
+
 // Claims unmarshals the raw JSON object claims into the provided object.
 func (u *UserInfo) Claims(v interface{}) error {
 if u.claims == nil {
@@ -240,12 +251,17 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
 body = payload
 }
 
- var userInfo UserInfo
+ var userInfo userInfoRaw
 if err := json.Unmarshal(body, &userInfo); err != nil {
 return nil, fmt.Errorf("oidc: failed to decode userinfo: %v", err)
 }
- userInfo.claims = body
- return &userInfo, nil
+ return &UserInfo{
+ Subject: userInfo.Subject,
+ Profile: userInfo.Profile,
+ Email: userInfo.Email,
+ EmailVerified: bool(userInfo.EmailVerified),
+ claims: body,
+ }, nil
 }
 
 // IDToken is an OpenID Connect extension that provides a predictable representation
@@ -367,6 +383,28 @@ type claimSource struct {
 AccessToken string `json:"access_token"`
 }
 
+type stringAsBool bool
+
+func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
+ var result bool
+ err := json.Unmarshal(b, &result)
+ if err == nil {
+ *sb = stringAsBool(result)
+ return nil
+ }
+ var s string
+ err = json.Unmarshal(b, &s)
+ if err != nil {
+ return err
+ }
+ result, err = strconv.ParseBool(s)
+ if err != nil {
+ return err
+ }
+ *sb = stringAsBool(result)
+ return nil
+}
+
 type audience []string
 
 func (a *audience) UnmarshalJSON(b []byte) error {
diff --git a/oidc_test.go b/oidc_test.go
index daa3cfc7..bcc49166 100644
--- a/oidc_test.go
+++ b/oidc_test.go
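Review bot: `stringAsBool.UnmarshalJSON` discards the error from the first `json.Unmarshal` into `bool`, so a value that is neither a bool nor a string (a JSON number, an object) is reported only as the string-decode failure, which misdescribes the input to the caller; `return fmt.Errorf("oidc: email_verified is neither bool nor string: %v", err)` on the second failure would name the actual problem. `strconv.ParseBool` also accepts `"1"`, `"t"`, `"T"`, `"TRUE"`, `"True"` and their false counterparts, which is wider than the `"true"`/`"false"` strings the commit message describes for Cognito; since relying parties act on `email_verified`, make the accepted spellings explicit with a type comment such as `// stringAsBool decodes a JSON bool, or a string accepted by strconv.ParseBool, for providers that encode email_verified as a string.` The unexported type has no doc comment at all in the hunk, and the exported `UserInfo.EmailVerified` stays a plain bool, which is worth a sentence there so readers know the widening is internal. The audience type at the hunk's end continues outside it.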
@@ -318,7 +318,7 @@ func (ts *testServer) run(t *testing.T) string { "use": "sig", "kid": "test", "alg": "RS256", - "n": "luTpO0eGNYC36udr3gvoBxTjF1RxHXBMRcEdY13E_IocCM5GuqFNLbScH3q69O6WSq8a43cVmsdnayw3oHu8GDTZuggnsPG28Ln4FFWehdV306YBPBgS_6C8x6mX9PipoNnIpG2PAGhqw1iL_V0WmmNqdJPl9EirgbbHJh7GIkMxyj9UZiwi19YSFHhDdyJvux1L6hieqjrsFFJdwxk1QOlp9NkkCcVNZarUqUltb5JH82IiMSXYsDeOjjE7DlrFLqdo-zg8QlOtY8pow6gueweMWyY4iVv5IAziOh7128aid0-48-mNLTdZtAG758rtuKHJg9dq0nfOm64qROCNUQ" + "n": "ilhCmTGFjjIPVN7Lfdn_fvpXOlzxa3eWnQGZ_eRa2ibFB1mnqoWxZJ8fkWIVFOQpsn66bIfWjBo_OI3sE6LhhRF8xhsMxlSeRKhpsWg0klYnMBeTWYET69YEAX_rGxy0MCZlFZ5tpr56EVZ-3QLfNiR4hcviqj9F2qE6jopfywsnlulJgyMi3N3kugit_JCNBJ0yz4ndZrMozVOtGqt35HhggUgYROzX6SWHUJdPXSmbAZU-SVLlesQhPfHS8LLq0sACb9OmdcwrpEFdbGCSTUPlHGkN5h6Zy8CS4s_bCdXKkjD20jv37M3GjRQkjE8vyMxFlo_qT8F8VZlSgXYTFw" } ] }` @@ -364,6 +364,13 @@ func TestUserInfoEndpoint(t *testing.T) { "email_verified": true, "is_admin": true }` + userInfoJSONCognitoVariant := `{ + "sub": "1234567890", + "profile": "Joe Doe", + "email": "joe@doe.com", + "email_verified": "true", + "is_admin": true + }` tests := []struct { name string 
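Review bot: Replacing the whole JWKS modulus `n` in `testServer.run`, and re-signing the two existing tokens in the following hunks, to add one more signed case suggests the private key behind the previous fixtures was never available to the project (the tokens are annotated `// generated with jwt.io`), so every future change to the signed-userinfo fixtures will require the same wholesale replacement. Generating an RSA key pair at test start and signing the payload with the jose library the package already imports would make the fixtures reproducible and remove the externally generated key material; if a signing helper already exists in verify_test.go, reuse it rather than adding another. The `testServer.run` method that holds the JWKS starts and ends outside the hunk.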
@@ -389,7 +396,7 @@ func TestUserInfoEndpoint(t *testing.T) { server: testServer{ contentType: "application/jwt", // generated with jwt.io based on the private/public key pair - userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.AP9Y8Md1rjPfuFPTw7hI6kREQe1J0Wb2P5SeVnu_dmAFAyYbG8nbu2Xveb4HOY9wMZbU7UAuSrlvvF_duImlIWei_Ym0ZVrFDATYoMI_MNKwmt4-vM_pm-97zghuPfpXTLYenHgeyPTkHv_SEwhiKzg0Ap7kC3PlAOGeElMO1L1thDZdMd1MqClOEzie00fZwbUGXwkUdDV0_vd173GBACniEQF_9qtgDyxNzh9IMYPNVdRk0bqzBCdQuhTE1AQmWebTrri962uHdWex25KEk_sxOsSW5HIDc0vEF8uBBPUJjaHDPTvwzMh0RuqwT_SqwJvyOHhG0jSz-LYEa5eugQ", + userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.ejzc2IOLtvYp-2n5w3w4SW3rHNG9pOahnwpQCwuIaj7DvO4SxDIzeJmFPMKTJUc-1zi5T42mS4Gs2r18KWhSkk8kqYermRX0VcGEEsH0r2BG5boeza_EjCoJ5-jBPX5ODWGhu2sZIkZl29IbaVSC8jk8qKnqacchiHNmuv_xXjRsAgUsqYftrEQOxqhpfL5KN2qtgeVTczg3ABqs2-SFeEzcgA1TnA9H3AynCPCVUMFgh7xyS8jxx7DN-1vRHBySz5gNbf8z8MNx_XBLfRxxxMF24rDIE8Z2gf1DEAPr4tT38hD8ugKSE84gC3xHJWFWsRLg-Ll6OQqshs82axS00Q", }, wantUserInfo: UserInfo{ Subject: "1234567890", 
@@ -404,7 +411,7 @@ func TestUserInfoEndpoint(t *testing.T) { server: testServer{ contentType: "application/jwt; charset=ISO-8859-1", // generated with jwt.io based on the private/public key pair - userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.AP9Y8Md1rjPfuFPTw7hI6kREQe1J0Wb2P5SeVnu_dmAFAyYbG8nbu2Xveb4HOY9wMZbU7UAuSrlvvF_duImlIWei_Ym0ZVrFDATYoMI_MNKwmt4-vM_pm-97zghuPfpXTLYenHgeyPTkHv_SEwhiKzg0Ap7kC3PlAOGeElMO1L1thDZdMd1MqClOEzie00fZwbUGXwkUdDV0_vd173GBACniEQF_9qtgDyxNzh9IMYPNVdRk0bqzBCdQuhTE1AQmWebTrri962uHdWex25KEk_sxOsSW5HIDc0vEF8uBBPUJjaHDPTvwzMh0RuqwT_SqwJvyOHhG0jSz-LYEa5eugQ", + userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzX2FkbWluIjp0cnVlfQ.ejzc2IOLtvYp-2n5w3w4SW3rHNG9pOahnwpQCwuIaj7DvO4SxDIzeJmFPMKTJUc-1zi5T42mS4Gs2r18KWhSkk8kqYermRX0VcGEEsH0r2BG5boeza_EjCoJ5-jBPX5ODWGhu2sZIkZl29IbaVSC8jk8qKnqacchiHNmuv_xXjRsAgUsqYftrEQOxqhpfL5KN2qtgeVTczg3ABqs2-SFeEzcgA1TnA9H3AynCPCVUMFgh7xyS8jxx7DN-1vRHBySz5gNbf8z8MNx_XBLfRxxxMF24rDIE8Z2gf1DEAPr4tT38hD8ugKSE84gC3xHJWFWsRLg-Ll6OQqshs82axS00Q", }, wantUserInfo: UserInfo{ Subject: "1234567890", 
@@ -414,6 +421,35 @@ func TestUserInfoEndpoint(t *testing.T) { claims: []byte(userInfoJSON), }, }, + { + name: "basic json userinfo - cognito variant", + server: testServer{ + contentType: "application/json", + userInfo: userInfoJSONCognitoVariant, + }, + wantUserInfo: UserInfo{ + Subject: "1234567890", + Profile: "Joe Doe", + Email: "joe@doe.com", + EmailVerified: true, + claims: []byte(userInfoJSONCognitoVariant), + }, + }, + { + name: "signed jwt userinfo - cognito variant", + server: testServer{ + contentType: "application/jwt", + // generated with jwt.io based on the private/public key pair + userInfo: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicHJvZmlsZSI6IkpvZSBEb2UiLCJlbWFpbCI6ImpvZUBkb2UuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiaXNfYWRtaW4iOnRydWV9.V9j6Q208fnj7E5dhCHnAktqndvelyz6PYxmd2fLzA4ze8N770Tq9KFEE3QSM400GTxiP7tMyvBqnTj2q5Hr6DeRoy0WtLmYlnDfOJCr2qKbrPN0k94Ts9_sXAKEiJSKsTFUBHkrH4NhyWsaBaPamI8ghuqPKJ1LniNuskHUlzBmDDW4mTy15ArsaIno8S4XVn19OoqODIO30axJJxKfxEbsDR3-YW4OD9qn80Wzw0zOsGJ04NJRfO56VSprX0PhqvduOSUuHvm4cxtJIHHvj3AitrQriKZebZpXSs9PXPSPCysiQHyDz0A8y7R-sDgEhJlxe93nVbTU0itBehrbugQ", + }, + wantUserInfo: UserInfo{ + Subject: "1234567890", + Profile: "Joe Doe", + Email: "joe@doe.com", + EmailVerified: true, + claims: []byte(userInfoJSONCognitoVariant), + }, + }, } for _, test := range tests { @@ -436,6 +472,10 @@ func TestUserInfoEndpoint(t *testing.T) { if info.Email != test.wantUserInfo.Email { t.Errorf("expected UserInfo to be %v , got %v", test.wantUserInfo, info) } + + if info.EmailVerified != test.wantUserInfo.EmailVerified { + t.Errorf("expected UserInfo.EmailVerified to be %v , got %v", test.wantUserInfo.EmailVerified, info.EmailVerified) + } }) } From 86d950ac3f3c4a8ef9ca3197a5a0187c5b2e60d7 Mon Sep 17 00:00:00 2001 
From: dickynovanto1103 Date: Wed, 5 Aug 2020 23:22:55 +0800 Subject: [PATCH 07/11] IDTokenVerifier: fix typo word: `preforms` to `performs` this fix one word typo of the IDTokenVerifier.Verify function's comment Fixes #265 --- verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verify.go b/verify.go index d43f0662..5c4d6582 100644 --- a/verify.go +++ b/verify.go @@ -185,7 +185,7 @@ func parseClaim(raw []byte, name string, v interface{}) error { return json.Unmarshal([]byte(val), v) } -// Verify parses a raw ID Token, verifies it's been signed by the provider, preforms +// Verify parses a raw ID Token, verifies it's been signed by the provider, performs // any additional checks depending on the Config, and returns the payload. // // Verify does NOT do nonce validation, which is the callers responsibility. From a4badd1273bf233eccb3fe596b27ba8054fa9bb4 Mon Sep 17 00:00:00 2001 From: Mike Danese Date: Thu, 3 Sep 2020 08:33:43 -0700 Subject: [PATCH 08/11] also run travis tests under 1.15 Followup from https://github.com/coreos/go-oidc/pull/268 --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 433c328b..46c850a2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,6 +2,7 @@ language: go go: - "1.14" + - "1.15" install: - go get -v -t github.com/coreos/go-oidc/... From e05c4c73b4b5f159727021bf2921c214f61b2688 Mon Sep 17 00:00:00 2001 From: dthadi3 <70625669+dthadi3@users.noreply.github.com> Date: Thu, 15 Oct 2020 02:04:47 +0530 Subject: [PATCH 09/11] Added power support (#277) Test ppc64le in Travic CI. --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 46c850a2..9f0b0601 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,9 @@ language: go go: - "1.14" - "1.15" - +arch: + - AMD64 + - ppc64le install: - go get -v -t github.com/coreos/go-oidc/... - go get golang.org/x/tools/cmd/cover 
From a57141768115b09a2f823a17726d25c998a7fc9d Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Wed, 22 Jan 2025 17:27:56 +0000 Subject: [PATCH 10/11] fix up v2 CI There are some awkward issues with go modules here, since newer versions of the Go tool require a go.mod file, but in the past we broke users by adding one: https://github.com/coreos/go-oidc/issues/230 --- .github/workflows/test.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/test.yaml diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 00000000..9d349fdf --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,32 @@ +name: test +on: + push: + branches: + - v2 + pull_request: + branches: + - v2 + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + go: ['1.22', '1.23'] + name: Linux Go ${{ matrix.go }} + steps: + - uses: actions/checkout@v4 + - name: Setup go + uses: actions/setup-go@v5 + with: + go-version: ${{ matrix.go }} + # For awkward reasons we can't actually add a go.mod file for the v2 + # branch, because Go enforces that a "v2.x.x" tag has a "v2" prefix. + # + # https://github.com/coreos/go-oidc/issues/230 + - name: Setup go module + run: go mod init github.com/coreos/go-oidc + - name: Go get + run: go get ./... + - name: Test + run: go test -v ./... From b7e896c40598f5307b3b5a163b6ad02ae97ec1a5 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Wed, 22 Jan 2025 10:43:06 -0500 Subject: [PATCH 11/11] Switch to maintained gopkg.in/go-jose/go-jose.v2 library --- jwks.go | 2 +- jwks_test.go | 2 +- oidc.go | 2 +- verify.go | 2 +- verify_test.go | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/jwks.go b/jwks.go index e6a82c84..e262f7bd 100644 --- a/jwks.go +++ b/jwks.go 
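Review bot: The new workflow references `actions/checkout@v4` and `actions/setup-go@v5` by mutable tag and then runs `go mod init` followed by `go get ./...`, so every CI run resolves both the actions and all module dependencies to whatever is current, making runs non-reproducible and letting an upstream change alter the build with no diff in this repository. Pinning each action to a full commit SHA with the tag kept in a trailing comment is a one-line change per step; for the modules the commit explains why no go.mod can be committed, so at least record what was resolved with a step like `run: go list -m all` so a failure can be traced to a dependency change. The job also declares no `permissions:` block, so the workflow token gets the repository's default scope; `permissions: contents: read` at the top level is sufficient for a checkout-and-test job.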
@@ -10,7 +10,7 @@ import ( "time" "github.com/pquerna/cachecontrol" - jose "gopkg.in/square/go-jose.v2" + jose "gopkg.in/go-jose/go-jose.v2" ) // keysExpiryDelta is the allowed clock skew between a client and the OpenID Connect diff --git a/jwks_test.go b/jwks_test.go index 6226117a..ad19b9b5 100644 --- a/jwks_test.go +++ b/jwks_test.go @@ -14,7 +14,7 @@ import ( "testing" "time" - jose "gopkg.in/square/go-jose.v2" + jose "gopkg.in/go-jose/go-jose.v2" ) type keyServer struct { diff --git a/oidc.go b/oidc.go index a1d36c5b..bf35ee9e 100644 --- a/oidc.go +++ b/oidc.go @@ -18,7 +18,7 @@ import ( "time" "golang.org/x/oauth2" - jose "gopkg.in/square/go-jose.v2" + jose "gopkg.in/go-jose/go-jose.v2" ) const ( diff --git a/verify.go b/verify.go index 5c4d6582..3e7999c9 100644 --- a/verify.go +++ b/verify.go @@ -13,7 +13,7 @@ import ( "time" "golang.org/x/oauth2" - jose "gopkg.in/square/go-jose.v2" + jose "gopkg.in/go-jose/go-jose.v2" ) const ( diff --git a/verify_test.go b/verify_test.go index d2fffa9c..de100986 100644 --- a/verify_test.go +++ b/verify_test.go @@ -11,7 +11,7 @@ import ( "testing" "time" - jose "gopkg.in/square/go-jose.v2" + jose "gopkg.in/go-jose/go-jose.v2" ) type testVerifier struct {