Update github.com/coreos/go-oidc

2025-07-29 14:37:00 +00:00 · 2016-05-04 09:47:11 -07:00 · 2016-05-04 09:47:11 -07:00 · 82bdf9051c
commit 82bdf9051c
parent a6812d18a5
9 changed files with 65 additions and 14 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -485,23 +485,23 @@
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/http",
-			"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
+			"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/jose",
-			"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
+			"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/key",
-			"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
+			"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/oauth2",
-			"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
+			"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/oidc",
-			"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
+			"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-semver/semver",
--- a/vendor/github.com/coreos/go-oidc/jose/sig.go
+++ b/vendor/github.com/coreos/go-oidc/jose/sig.go
@ -2,7 +2,6 @@ package jose

 import (
 	"fmt"
-	"strings"
 )

 type Verifier interface {
@ -17,7 +16,7 @@ type Signer interface {
 }

 func NewVerifier(jwk JWK) (Verifier, error) {
-	if strings.ToUpper(jwk.Type) != "RSA" {
+	if jwk.Type != "RSA" {
 		return nil, fmt.Errorf("unsupported key type %q", jwk.Type)
 	}

--- a/vendor/github.com/coreos/go-oidc/jose/sig_hmac.go
+++ b/vendor/github.com/coreos/go-oidc/jose/sig_hmac.go
@ -7,7 +7,6 @@ import (
 	_ "crypto/sha256"
 	"errors"
 	"fmt"
-	"strings"
 )

 type VerifierHMAC struct {
@ -21,7 +20,7 @@ type SignerHMAC struct {
 }

 func NewVerifierHMAC(jwk JWK) (*VerifierHMAC, error) {
-	if strings.ToUpper(jwk.Alg) != "HS256" {
+	if jwk.Alg != "" && jwk.Alg != "HS256" {
 		return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg)
 	}

--- a/vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
+++ b/vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
@ -5,7 +5,6 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"fmt"
-	"strings"
 )

 type VerifierRSA struct {
@ -20,7 +19,7 @@ type SignerRSA struct {
 }

 func NewVerifierRSA(jwk JWK) (*VerifierRSA, error) {
-	if strings.ToUpper(jwk.Alg) != "RS256" {
+	if jwk.Alg != "" && jwk.Alg != "RS256" {
 		return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg)
 	}

--- a/vendor/github.com/coreos/go-oidc/key/key.go
+++ b/vendor/github.com/coreos/go-oidc/key/key.go
@ -20,7 +20,7 @@ type PublicKey struct {
 }

 func (k *PublicKey) MarshalJSON() ([]byte, error) {
-	return json.Marshal(k.jwk)
+	return json.Marshal(&k.jwk)
 }

 func (k *PublicKey) UnmarshalJSON(data []byte) error {
--- a/vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
+++ b/vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
@ -56,6 +56,7 @@ const (
 const (
 	GrantTypeAuthCode     = "authorization_code"
 	GrantTypeClientCreds  = "client_credentials"
+	GrantTypeUserCreds    = "password"
 	GrantTypeImplicit     = "implicit"
 	GrantTypeRefreshToken = "refresh_token"

@ -140,6 +141,11 @@ func NewClient(hc phttp.Client, cfg Config) (c *Client, err error) {
 	return
 }

+// Return the embedded HTTP client
+func (c *Client) HttpClient() phttp.Client {
+	return c.hc
+}
+
 // Generate the url for initial redirect to oauth provider.
 func (c *Client) AuthCodeURL(state, accessType, prompt string) string {
 	v := c.commonURLValues()
@ -220,6 +226,30 @@ func (c *Client) ClientCredsToken(scope []string) (result TokenResponse, err err
 	return parseTokenResponse(resp)
 }

+// UserCredsToken posts the username and password to obtain a token scoped to the OAuth2 client via the "password" grant_type
+// May not be supported by all OAuth2 servers.
+func (c *Client) UserCredsToken(username, password string) (result TokenResponse, err error) {
+	v := url.Values{
+		"scope":      {strings.Join(c.scope, " ")},
+		"grant_type": {GrantTypeUserCreds},
+		"username":   {username},
+		"password":   {password},
+	}
+
+	req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+	if err != nil {
+		return
+	}
+
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	return parseTokenResponse(resp)
+}
+
 // RequestToken requests a token from the Token Endpoint with the specified grantType.
 // If 'grantType' == GrantTypeAuthCode, then 'value' should be the authorization code.
 // If 'grantType' == GrantTypeRefreshToken, then 'value' should be the refresh token.
--- a/vendor/github.com/coreos/go-oidc/oidc/key.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/key.go
@ -11,6 +11,11 @@ import (
 	"github.com/coreos/go-oidc/key"
 )

+// DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no
+// Cache-Control header is provided by the JWK Set document endpoint.
+const DefaultPublicKeySetTTL = 24 * time.Hour
+
+// NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
 func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo {
 	return &remotePublicKeyRepo{hc: hc, ep: ep}
 }
@ -20,6 +25,11 @@ type remotePublicKeyRepo struct {
 	ep string
 }

+// Get returns a PublicKeySet fetched from the JWK Set document endpoint. A TTL
+// is set on the Key Set to avoid it having to be re-retrieved for every
+// encryption event. This TTL is typically controlled by the endpoint returning
+// a Cache-Control header, but defaults to 24 hours if no Cache-Control header
+// is found.
 func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
 	req, err := http.NewRequest("GET", r.ep, nil)
 	if err != nil {
@ -48,7 +58,7 @@ func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
 		return nil, err
 	}
 	if !ok {
-		return nil, errors.New("HTTP cache headers not set")
+		ttl = DefaultPublicKeySetTTL
 	}

 	exp := time.Now().UTC().Add(ttl)
--- a/vendor/github.com/coreos/go-oidc/oidc/provider.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/provider.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"sync"
 	"time"

@ -618,7 +619,11 @@ func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProvide
 }

 func (r *httpProviderConfigGetter) Get() (cfg ProviderConfig, err error) {
-	req, err := http.NewRequest("GET", r.issuerURL+discoveryConfigPath, nil)
+	// If the Issuer value contains a path component, any terminating / MUST be removed before
+	// appending /.well-known/openid-configuration.
+	// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
+	discoveryURL := strings.TrimSuffix(r.issuerURL, "/") + discoveryConfigPath
+	req, err := http.NewRequest("GET", discoveryURL, nil)
 	if err != nil {
 		return
 	}
--- a/vendor/github.com/coreos/go-oidc/oidc/transport.go
+++ b/vendor/github.com/coreos/go-oidc/oidc/transport.go
@ -67,6 +67,15 @@ func (t *AuthenticatedTransport) verifiedJWT() (jose.JWT, error) {
 	return t.jwt, nil
 }

+// SetJWT sets the JWT held by the Transport.
+// This is useful for cases in which you want to set an initial JWT.
+func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+
+	t.jwt = jwt
+}
+
 func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	jwt, err := t.verifiedJWT()
 	if err != nil {