Documentation

Overview
Package oidc validates OIDC tokens for the STS exchange flow.
Uses coreos/go-oidc for discovery, JWKS caching, key rotation, and JWT verification. The issuer allowlist is the security boundary — only pre-approved issuers trigger network requests.
Constants
This section is empty.
Variables
var (
	// ErrEmptyAudience is returned when the validator is created with an empty audience.
	ErrEmptyAudience = errors.New("audience is required")
	// ErrEmptyToken is returned when Validate is called with an empty token string.
	ErrEmptyToken = errors.New("token is empty")
	// ErrMalformedToken is returned when the token cannot be parsed as a JWT.
	ErrMalformedToken = errors.New("malformed token")
	// ErrMissingIssuer is returned when the token has no issuer claim.
	ErrMissingIssuer = errors.New("token missing issuer claim")
	// ErrIssuerDenied is returned when the token issuer is not in the allowed list.
	ErrIssuerDenied = errors.New("issuer not in allowed list")
	// ErrEmptyIssuers is returned when NewValidator is called with no allowed issuers.
	ErrEmptyIssuers = errors.New("at least one allowed issuer is required")
)
Functions
This section is empty.
Types
type Claims
type Claims struct {
	Issuer    string         // Token issuer (e.g. https://token.actions.githubusercontent.com).
	Subject   string         // Token subject (e.g. repo:org/repo:ref:refs/heads/main).
	Audience  []string       // Intended audience; must include the configured audience.
	ExpiresAt time.Time      // Token expiration time.
	IssuedAt  time.Time      // Token issuance time.
	Custom    map[string]any // Non-standard claims (repository, ref, actor, etc.).
}
Claims holds the validated token data consumed by authorization and audit.
type Validator
type Validator struct {
// contains filtered or unexported fields
}
Validator validates tokens from a fixed set of allowed issuers.
func NewValidator
NewValidator creates a validator for the given audience and allowed issuers. Both are required — a production STS must never accept arbitrary issuers.
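The overview states that the issuer allowlist is the security boundary and that only pre-approved issuers trigger network requests, and NewValidator refuses to be built without at least one allowed issuer. The following is an added, stand-alone example (not the oidc package's own code, and it does not use coreos/go-oidc) showing how such a gate is ordered: the issuer claim is read from the unverified token first, matched exactly against the allowlist, and only then does discovery run. IssuerGate, NewIssuerGate, Admit, peekIssuer and UnsignedToken are hypothetical names introduced here; the Discover field stands in for the discovery round trip so the example runs offline and can prove that a denied, missing or malformed issuer never reaches it. The sentinel errors reuse the messages documented above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors with the same messages the oidc package documents.
var (
	ErrEmptyToken     = errors.New("token is empty")
	ErrMalformedToken = errors.New("malformed token")
	ErrMissingIssuer  = errors.New("token missing issuer claim")
	ErrIssuerDenied   = errors.New("issuer not in allowed list")
	ErrEmptyIssuers   = errors.New("at least one allowed issuer is required")
)

// peekIssuer reads the "iss" claim from a compact JWT without verifying the
// signature. That is deliberate: the issuer decides whether discovery may run
// at all, so it has to be read before any key material is fetched. The value
// stays untrusted until the signature check that follows discovery succeeds.
func peekIssuer(rawToken string) (string, error) {
	if rawToken == "" {
		return "", ErrEmptyToken
	}
	parts := strings.Split(rawToken, ".")
	if len(parts) != 3 {
		return "", ErrMalformedToken
	}
	// JWT segments are unpadded base64url; tolerate stray padding anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", ErrMalformedToken
	}
	var claims struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", ErrMalformedToken
	}
	if claims.Issuer == "" {
		return "", ErrMissingIssuer
	}
	return claims.Issuer, nil
}

// IssuerGate is a hypothetical stand-in for the allowlist check inside Validator.
// Discover represents the step that would contact the issuer's discovery
// endpoint; it is injectable so the example never touches the network.
type IssuerGate struct {
	allowed  map[string]struct{}
	Discover func(issuer string) error
}

// NewIssuerGate mirrors NewValidator's rule that an empty allowlist is an error.
func NewIssuerGate(issuers []string, discover func(string) error) (*IssuerGate, error) {
	if len(issuers) == 0 {
		return nil, ErrEmptyIssuers
	}
	g := &IssuerGate{allowed: make(map[string]struct{}, len(issuers)), Discover: discover}
	for _, iss := range issuers {
		g.allowed[iss] = struct{}{}
	}
	return g, nil
}

// Admit returns the issuer when it is allowlisted and discovery succeeded.
// Every failure before the allowlist match returns with no network round trip.
func (g *IssuerGate) Admit(rawToken string) (string, error) {
	iss, err := peekIssuer(rawToken)
	if err != nil {
		return "", err
	}
	if _, ok := g.allowed[iss]; !ok {
		return "", ErrIssuerDenied // exact string match; no prefix or wildcard matching
	}
	if err := g.Discover(iss); err != nil {
		return "", err
	}
	return iss, nil
}

// UnsignedToken builds a constructed, unsigned JWT for demonstration only;
// a real token carries a signature that is verified after this gate.
func UnsignedToken(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	var contacted []string
	gate, _ := NewIssuerGate([]string{"https://token.actions.githubusercontent.com"},
		func(iss string) error { contacted = append(contacted, iss); return nil })
	for _, tok := range []string{
		UnsignedToken(map[string]any{"iss": "https://token.actions.githubusercontent.com", "sub": "repo:org/repo:ref:refs/heads/main"}),
		UnsignedToken(map[string]any{"iss": "https://unapproved.example", "sub": "anything"}), // constructed denied issuer
		UnsignedToken(map[string]any{"sub": "no-issuer"}),
	} {
		iss, err := gate.Admit(tok)
		fmt.Printf("issuer=%q err=%v\n", iss, err)
	}
	fmt.Println("discovery contacted:", contacted) // only the allowlisted issuer
}
```

The ordering is the whole point: reading the issuer from the unverified payload is safe only because nothing is trusted from it except the decision of whether to proceed, and an exact-match allowlist keeps a look-alike issuer URL from ever causing a discovery request.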