|
|
@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) { |
|
|
|
func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) { |
|
|
|
func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) { |
|
|
|
audience := getClaimValue(claims, []string{audienceClaim}) |
|
|
|
audience := getClaimValue(claims, []string{audienceClaim}) |
|
|
|
if audience != p.ClientKey { |
|
|
|
if audience != p.ClientKey { |
|
|
|
return time.Time{}, errors.New("audience in token does not match client key") |
|
|
|
found := false |
|
|
|
|
|
|
|
audiences := getClaimValues(claims, []string{audienceClaim}) |
|
|
|
|
|
|
|
for _, aud := range audiences { |
|
|
|
|
|
|
|
if aud == p.ClientKey { |
|
|
|
|
|
|
|
found = true |
|
|
|
|
|
|
|
break |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if !found { |
|
|
|
|
|
|
|
return time.Time{}, errors.New("audience in token does not match client key") |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
issuer := getClaimValue(claims, []string{issuerClaim}) |
|
|
|
issuer := getClaimValue(claims, []string{issuerClaim}) |
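Review bot: The error literal "audience in token does not match client key" is now written twice in validateClaims, once on the string-form path and once after the `if !found` check; a package-level sentinel, `var errAudienceMismatch = errors.New("audience in token does not match client key")`, returned from both sites as `return time.Time{}, errAudienceMismatch` keeps the two paths in step and lets callers use `errors.Is`. The shape of the block (try the string form, then fall through to the array) is not obvious without context, so a comment at its top would help: `// RFC 7519 §4.1.3: "aud" is either a single string or an array of strings; accept either form.` The comparison against p.ClientKey stays exact, and an absent claim or an array with no string entries leaves found false, so the check still fails closed. validateClaims continues past the hunk; the context shows the issuer check follows.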
|
|
@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string { |
|
|
|
return "" |
|
|
|
return "" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func getClaimValues(data map[string]interface{}, claims []string) []string { |
|
|
|
|
|
|
|
var result []string |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for _, claim := range claims { |
|
|
|
|
|
|
|
if value, ok := data[claim]; ok { |
|
|
|
|
|
|
|
if stringValues, ok := value.([]interface{}); ok { |
|
|
|
|
|
|
|
for _, stringValue := range stringValues { |
|
|
|
|
|
|
|
if s, ok := stringValue.(string); ok && len(s) > 0 { |
|
|
|
|
|
|
|
result = append(result, s) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return result |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// decodeJWT decodes a JSON Web Token into a simple map
|
|
|
|
// decodeJWT decodes a JSON Web Token into a simple map
|
|
|
|
// http://openid.net/specs/draft-jones-json-web-token-07.html
|
|
|
|
// http://openid.net/specs/draft-jones-json-web-token-07.html
|
|
|
|
func decodeJWT(jwt string) (map[string]interface{}, error) { |
|
|
|
func decodeJWT(jwt string) (map[string]interface{}, error) { |
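Review bot: getClaimValues ignores a claim whose value is a plain string, because the only type assertion is to `[]interface{}`; a caller that wants "every audience the token names" must therefore call getClaimValue and getClaimValues separately, which is what the validateClaims hunk above does. Handling both forms here with a type switch makes the helper self-contained and lets callers check membership once, and the function also lacks the doc comment its neighbours have, e.g. `// getClaimValues returns every non-empty string found in the named claims, accepting both a single string and a JSON array of strings as RFC 7519 allows for "aud"; absent claims and non-string entries are skipped.` The existing behaviour for array values (drop empty strings and non-strings, nil slice when nothing matches) is unchanged below. decodeJWT begins at the hunk's last line and its body is outside the hunk.
```go
func getClaimValues(data map[string]interface{}, claims []string) []string {
	var result []string
	for _, claim := range claims {
		value, ok := data[claim]
		if !ok {
			continue
		}
		switch v := value.(type) {
		case string:
			if len(v) > 0 {
				result = append(result, v)
			}
		case []interface{}:
			for _, item := range v {
				if s, ok := item.(string); ok && len(s) > 0 {
					result = append(result, s)
				}
			}
		}
	}
	return result
}
```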
|
|
|