handle Expired token as standalone func
akiioto committed Oct 24, 2024
1 parent e6fc4bf commit 551089f
Showing 1 changed file with 26 additions and 19 deletions.
45 changes: 26 additions & 19 deletions pkg/oidc/oidc.go
Expand Up @@ -383,7 +383,27 @@ func (tokenProcessor *TokenProcessor) Issuer() string {
func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context, verifier TokenVerifierInterface, claims ClaimsInterface) error {
logger := tokenProcessor.logger
token, err := verifier.Verify(ctx, tokenProcessor.rawToken)
if err != nil {
token, err = tokenProcessor.handleExpiredToken(ctx, logger, err)
if err != nil {
return fmt.Errorf("failed to verify token: %w", err)
}
}

logger.Debugw("Getting claims from token")
err = token.Claims(claims)
if err != nil {
return fmt.Errorf("failed to get claims from token: %w", err)
}
logger.Debugw("Got claims from token", "claims", fmt.Sprintf("%+v", claims))
err = claims.ValidateExpectations(tokenProcessor.issuer)
if err != nil {
return fmt.Errorf("failed to validate claims: %w", err)
}
return nil
}

func (tokenProcessor *TokenProcessor) handleExpiredToken(ctx context.Context, logger LoggerInterface, err error) (Token, error) {
var tokenExpiryError *oidc.TokenExpiredError
if errors.As(err, &tokenExpiryError) {
expiryTime := tokenExpiryError.Expiry
Expand All @@ -396,31 +416,18 @@ func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context

provider, err := NewProviderFromDiscovery(ctx, logger, tokenProcessor.issuer.IssuerURL)
if err != nil {
return fmt.Errorf("failed to create provider: %w", err)
return Token{}, fmt.Errorf("failed to create provider: %w", err)
}

newVerifier := provider.NewVerifier(logger, newVerifierConfig)
token, err = newVerifier.Verify(ctx, tokenProcessor.rawToken)
token, err := newVerifier.Verify(ctx, tokenProcessor.rawToken)
if err != nil {
return fmt.Errorf("failed to verify token after skipping expiry check: %w", err)
return Token{}, fmt.Errorf("failed to verify token after skipping expiry check: %w", err)
}
return token, nil
} else {
return fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)
return Token{}, fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)
}
}
if err != nil {
return fmt.Errorf("failed to verify token: %w", err)
}

logger.Debugw("Getting claims from token")
err = token.Claims(claims)
if err != nil {
return fmt.Errorf("failed to get claims from token: %w", err)
}
logger.Debugw("Got claims from token", "claims", fmt.Sprintf("%+v", claims))
err = claims.ValidateExpectations(tokenProcessor.issuer)
if err != nil {
return fmt.Errorf("failed to validate claims: %w", err)
}
return nil
return Token{}, err
}
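Review bot: The grace-period path at `token, err := newVerifier.Verify(ctx, tokenProcessor.rawToken)` is the only thing standing between an expired token and acceptance, and the `newVerifierConfig` it relies on is built in the collapsed lines between the two hunks, so the diff does not show whether only `SkipExpiryCheck` is relaxed there or whether issuer/audience checks are loosened too; `tokenExpiryError.Expiry` also appears to be read from the first, failed verification, which in go-oidc is reported before the signature is checked, so the second `Verify` must keep every non-expiry check on. A one-line comment above that call would make the invariant explicit for the next maintainer: `// Only the expiry check is relaxed here; signature, issuer and audience checks must still run on this second Verify.` `handleExpiredToken` is also exported-style in shape but has no doc comment; something like `// handleExpiredToken re-verifies rawToken with the expiry check skipped when err is a TokenExpiredError within the grace period; any other error is returned unchanged.` would do. Finally the `} else {` after the `return token, nil` branch can be dropped in favour of a plain `return Token{}, fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)` at the same indent, which keeps the happy path left-aligned. Note that `handleExpiredToken` starts in the first hunk and its body is split across the collapsed region, so part of its logic is not visible here.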
