oidc

package
v1.0.4
Published: May 26, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package oidc validates OIDC tokens for the STS exchange flow.

Uses coreos/go-oidc for discovery, JWKS caching, key rotation, and JWT verification. The issuer allowlist is the security boundary — only pre-approved issuers trigger network requests.

Index

Constants

This section is empty.

Variables

var (
	// ErrEmptyAudience is returned when the validator is created with an empty audience.
	ErrEmptyAudience = errors.New("audience is required")
	// ErrEmptyToken is returned when Validate is called with an empty token string.
	ErrEmptyToken = errors.New("token is empty")
	// ErrMalformedToken is returned when the token cannot be parsed as a JWT.
	ErrMalformedToken = errors.New("malformed token")
	// ErrMissingIssuer is returned when the token has no issuer claim.
	ErrMissingIssuer = errors.New("token missing issuer claim")
	// ErrIssuerDenied is returned when the token issuer is not in the allowed list.
	ErrIssuerDenied = errors.New("issuer not in allowed list")
	// ErrEmptyIssuers is returned when NewValidator is called with no allowed issuers.
	ErrEmptyIssuers = errors.New("at least one allowed issuer is required")
)

Functions

This section is empty.

Types

type Claims

type Claims struct {
	Issuer    string         // Token issuer (e.g. https://token.actions.githubusercontent.com).
	Subject   string         // Token subject (e.g. repo:org/repo:ref:refs/heads/main).
	Audience  []string       // Intended audience; must include the configured audience.
	ExpiresAt time.Time      // Token expiration time.
	IssuedAt  time.Time      // Token issuance time.
	Custom    map[string]any // Non-standard claims (repository, ref, actor, etc.).
}

Claims holds the validated token data consumed by authorization and audit.

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator validates tokens from a fixed set of allowed issuers.

func NewValidator

func NewValidator(audience string, allowedIssuers []string) (*Validator, error)

NewValidator creates a validator for the given audience and allowed issuers. Both are required — a production STS must never accept arbitrary issuers.

func (*Validator) Validate

func (o *Validator) Validate(ctx context.Context, rawToken string) (*Claims, error)

Validate verifies the OIDC token signature, claims, and expiry. It checks the issuer against the allowlist before performing network-based verification. Returns extracted claims on success or an error if validation fails.
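An added example, not the package's own code, of the pre-network issuer gate described above: the iss claim is read from the still-unverified payload only to decide whether discovery and JWKS fetches for that issuer may run at all. IssuerPreflight and unsignedToken are hypothetical names, the sample tokens are constructed (their signatures are bogus), and the error values merely mirror the package's exported ones.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMalformedToken = errors.New("malformed token")
	ErrMissingIssuer  = errors.New("token missing issuer claim")
	ErrIssuerDenied   = errors.New("issuer not in allowed list")
)

// IssuerPreflight reads iss WITHOUT verifying the signature and checks it
// against the allowlist. It only decides whether discovery/JWKS fetches for
// that issuer may happen; the value is untrusted until verification passes.
func IssuerPreflight(rawToken string, allowed []string) (string, error) {
	parts := strings.Split(rawToken, ".")
	if rawToken == "" || len(parts) != 3 {
		return "", ErrMalformedToken
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", ErrMalformedToken
	}
	var c struct{ Iss string `json:"iss"` }
	if json.Unmarshal(payload, &c) != nil {
		return "", ErrMalformedToken
	}
	if c.Iss == "" {
		return "", ErrMissingIssuer
	}
	for _, a := range allowed {
		if a == c.Iss {
			return c.Iss, nil
		}
	}
	return "", ErrIssuerDenied // rejected before any discovery request
}

// unsignedToken builds a constructed JWT with a bogus signature, for the demo only.
func unsignedToken(claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(claims)) + ".sig"
}

func main() {
	allowed := []string{"https://token.actions.githubusercontent.com"}
	fmt.Println(IssuerPreflight(unsignedToken(`{"iss":"https://token.actions.githubusercontent.com"}`), allowed))
	fmt.Println(IssuerPreflight(unsignedToken(`{"iss":"https://unapproved.example"}`), allowed))
}
```

Only a token whose issuer passes this gate should ever reach the go-oidc verifier, which then checks signature, audience and expiry.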
