Update github.com/coreos/go-oidc

This commit is contained in:
Bobby Rullo 2016-05-04 09:47:11 -07:00
parent a6812d18a5
commit 82bdf9051c
9 changed files with 65 additions and 14 deletions

Godeps/Godeps.json generated

@ -485,23 +485,23 @@
},
{
"ImportPath": "github.com/coreos/go-oidc/http",
"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
},
{
"ImportPath": "github.com/coreos/go-oidc/jose",
"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
},
{
"ImportPath": "github.com/coreos/go-oidc/key",
"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
},
{
"ImportPath": "github.com/coreos/go-oidc/oauth2",
"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
},
{
"ImportPath": "github.com/coreos/go-oidc/oidc",
"Rev": "d7cb66526fffc811d602b6770581064f4b66b507"
"Rev": "5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b"
},
{
"ImportPath": "github.com/coreos/go-semver/semver",


@ -2,7 +2,6 @@ package jose
import (
"fmt"
"strings"
)
type Verifier interface {
@ -17,7 +16,7 @@ type Signer interface {
}
func NewVerifier(jwk JWK) (Verifier, error) {
if strings.ToUpper(jwk.Type) != "RSA" {
if jwk.Type != "RSA" {
return nil, fmt.Errorf("unsupported key type %q", jwk.Type)
}
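Review bot: NewVerifier is exported but carries no doc comment, and the tightened `jwk.Type != "RSA"` comparison is worth stating as a contract so callers do not expect the old case-insensitive matching. Exact comparison is right here, since the JWK "kty" value is defined as case-sensitive, but that only helps a reader if it is written down. Suggest `// NewVerifier returns a Verifier for jwk. Only keys whose "kty" is exactly "RSA" are supported; any other type is rejected.` The body of NewVerifier continues past the hunk.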


@ -7,7 +7,6 @@ import (
_ "crypto/sha256"
"errors"
"fmt"
"strings"
)
type VerifierHMAC struct {
@ -21,7 +20,7 @@ type SignerHMAC struct {
}
func NewVerifierHMAC(jwk JWK) (*VerifierHMAC, error) {
if strings.ToUpper(jwk.Alg) != "HS256" {
if jwk.Alg != "" && jwk.Alg != "HS256" {
return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg)
}
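Review bot: The relaxed check `jwk.Alg != "" && jwk.Alg != "HS256"` now binds a key that declares no algorithm to the HMAC verifier, and the matching hunk for NewVerifierRSA does the same with RS256; that is spec-conformant ("alg" is optional in a JWK), but it means the key's own "alg" can no longer be relied on to prevent the same key material from being used under the wrong algorithm, so the check of the JWT header's alg against the verifier's algorithm has to be the sole guard in the Verify path, which is outside this hunk. That intent should be recorded on both constructors, e.g. `// NewVerifierHMAC returns a verifier for jwk. An empty "alg" is accepted because the field is optional; any value other than HS256 is rejected. The algorithm actually applied is fixed by this verifier, not by the key.` The body of NewVerifierHMAC continues past the hunk.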


@ -5,7 +5,6 @@ import (
"crypto/rand"
"crypto/rsa"
"fmt"
"strings"
)
type VerifierRSA struct {
@ -20,7 +19,7 @@ type SignerRSA struct {
}
func NewVerifierRSA(jwk JWK) (*VerifierRSA, error) {
if strings.ToUpper(jwk.Alg) != "RS256" {
if jwk.Alg != "" && jwk.Alg != "RS256" {
return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg)
}


@ -20,7 +20,7 @@ type PublicKey struct {
}
func (k *PublicKey) MarshalJSON() ([]byte, error) {
return json.Marshal(k.jwk)
return json.Marshal(&k.jwk)
}
func (k *PublicKey) UnmarshalJSON(data []byte) error {
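Review bot: The new `json.Marshal(&k.jwk)` in MarshalJSON reads as an accidental address-of without a comment explaining why the pointer is needed. Presumably the JWK type implements its JSON marshalling on a pointer receiver, so passing the value fell back to the default struct encoding and produced a different document (hedged: the JWK type is not in this hunk). A one-line why-comment would keep the next maintainer from "simplifying" it back: `// Marshal through a pointer so jwk's pointer-receiver MarshalJSON is used instead of the default struct encoding.`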


@ -56,6 +56,7 @@ const (
const (
GrantTypeAuthCode = "authorization_code"
GrantTypeClientCreds = "client_credentials"
GrantTypeUserCreds = "password"
GrantTypeImplicit = "implicit"
GrantTypeRefreshToken = "refresh_token"
@ -140,6 +141,11 @@ func NewClient(hc phttp.Client, cfg Config) (c *Client, err error) {
return
}
// Return the embedded HTTP client
func (c *Client) HttpClient() phttp.Client {
return c.hc
}
// Generate the url for initial redirect to oauth provider.
func (c *Client) AuthCodeURL(state, accessType, prompt string) string {
v := c.commonURLValues()
@ -220,6 +226,30 @@ func (c *Client) ClientCredsToken(scope []string) (result TokenResponse, err err
return parseTokenResponse(resp)
}
// UserCredsToken posts the username and password to obtain a token scoped to the OAuth2 client via the "password" grant_type
// May not be supported by all OAuth2 servers.
func (c *Client) UserCredsToken(username, password string) (result TokenResponse, err error) {
v := url.Values{
"scope": {strings.Join(c.scope, " ")},
"grant_type": {GrantTypeUserCreds},
"username": {username},
"password": {password},
}
req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
if err != nil {
return
}
resp, err := c.hc.Do(req)
if err != nil {
return
}
defer resp.Body.Close()
return parseTokenResponse(resp)
}
// RequestToken requests a token from the Token Endpoint with the specified grantType.
// If 'grantType' == GrantTypeAuthCode, then 'value' should be the authorization code.
// If 'grantType' == GrantTypeRefreshToken, then 'value' should be the refresh token.
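Review bot: The new UserCredsToken uses the client-wide `c.scope` while the neighbouring ClientCredsToken (visible at the hunk header) takes a `scope []string` parameter, so the two grant helpers have different shapes for the same concept; if that is deliberate, say so in the doc comment, otherwise a `scope []string` parameter would keep them consistent. The new accessor `HttpClient` does not follow Go's initialism convention (`HTTPClient`) and its comment does not start with the method name; if the method has not shipped yet, `// HTTPClient returns the embedded HTTP client.` with the rename is the cheaper moment to fix both. The UserCredsToken comment should also say what it implies about the caller: this is the resource owner password credentials grant of RFC 6749 section 4.3, in which the client handles the user's plaintext password, and the spec restricts it to clients the user trusts highly and to cases where no redirect-based flow is viable, so the comment could read `// UserCredsToken obtains a token via the "password" grant (RFC 6749 §4.3). The client sends the user's password to the token endpoint, so this grant is only appropriate for highly trusted clients; it may not be supported by all OAuth2 servers.`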


@ -11,6 +11,11 @@ import (
"github.com/coreos/go-oidc/key"
)
// DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no
// Cache-Control header is provided by the JWK Set document endpoint.
const DefaultPublicKeySetTTL = 24 * time.Hour
// NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo {
return &remotePublicKeyRepo{hc: hc, ep: ep}
}
@ -20,6 +25,11 @@ type remotePublicKeyRepo struct {
ep string
}
// Get returns a PublicKeySet fetched from the JWK Set document endpoint. A TTL
// is set on the Key Set to avoid it having to be re-retrieved for every
// encryption event. This TTL is typically controlled by the endpoint returning
// a Cache-Control header, but defaults to 24 hours if no Cache-Control header
// is found.
func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
req, err := http.NewRequest("GET", r.ep, nil)
if err != nil {
@ -48,7 +58,7 @@ func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
return nil, err
}
if !ok {
return nil, errors.New("HTTP cache headers not set")
ttl = DefaultPublicKeySetTTL
}
exp := time.Now().UTC().Add(ttl)
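Review bot: Replacing the "HTTP cache headers not set" error with `ttl = DefaultPublicKeySetTTL` means a provider that omits Cache-Control now has its key set trusted for 24 hours, so a key rotation or an emergency key withdrawal at the provider will not be seen by this repo for up to a day unless something else invalidates the cache (hedged: the caching layer that consumes `exp` is outside the hunk). That trade-off belongs in the constant's doc comment, and making the default a field of remotePublicKeyRepo rather than a package constant would let deployments with stricter rotation needs shorten it; e.g. `// DefaultPublicKeySetTTL bounds how long a fetched key set is reused when the endpoint sends no Cache-Control header; a longer value delays pickup of rotated or withdrawn keys.` The Get doc comment added in the earlier hunk also says the TTL avoids re-fetching "for every encryption event", but the keys fetched here appear to be verification keys, so "verification" is probably the intended word. Get's body continues past the hunk.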


@ -6,6 +6,7 @@ import (
"fmt"
"net/http"
"net/url"
"strings"
"sync"
"time"
@ -618,7 +619,11 @@ func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProvide
}
func (r *httpProviderConfigGetter) Get() (cfg ProviderConfig, err error) {
req, err := http.NewRequest("GET", r.issuerURL+discoveryConfigPath, nil)
// If the Issuer value contains a path component, any terminating / MUST be removed before
// appending /.well-known/openid-configuration.
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
discoveryURL := strings.TrimSuffix(r.issuerURL, "/") + discoveryConfigPath
req, err := http.NewRequest("GET", discoveryURL, nil)
if err != nil {
return
}
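Review bot: The new `strings.TrimSuffix(r.issuerURL, "/")` strips exactly one trailing slash, which matches the spec sentence quoted in the comment, so the comment should also say that an issuer with more than one trailing slash is left as-is rather than normalised; if that input is meant to be tolerated, `strings.TrimRight(r.issuerURL, "/")` is the one-line change. The same spec section requires the `issuer` value in the fetched configuration to match the configured issuer exactly, and since the configured value is now edited before use, whatever comparison the rest of Get performs should compare against the original `r.issuerURL`, not the trimmed discoveryURL (hedged: that comparison, if present, is outside the hunk). Get's body continues past the hunk.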


@ -67,6 +67,15 @@ func (t *AuthenticatedTransport) verifiedJWT() (jose.JWT, error) {
return t.jwt, nil
}
// SetJWT sets the JWT held by the Transport.
// This is useful for cases in which you want to set an initial JWT.
func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT) {
t.mu.Lock()
defer t.mu.Unlock()
t.jwt = jwt
}
func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
jwt, err := t.verifiedJWT()
if err != nil {
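Review bot: SetJWT stores the token under `t.mu` without any check, while the transport otherwise hands out tokens through verifiedJWT (whose tail is visible at the top of the hunk), so the doc comment should make clear that the supplied JWT is not validated at set time and will only be checked on the next RoundTrip (hedged: the body of verifiedJWT is outside the hunk). Suggest extending the comment to `// SetJWT sets the JWT held by the Transport, replacing any existing one. The JWT is stored as given and is not verified here; it is checked by verifiedJWT on the next RoundTrip.` RoundTrip starts at the end of this hunk and continues past it.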