Bump go-oidc to latest v2

157c359f · Andy Lindeman · 3dd1bac8 · 157c359f · 157c359f · 157c359f
Commit 157c359f authored Jun 20, 2019 by Andy Lindeman
12 changed files
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/boltdb/bolt v1.3.1 // indirect
 	github.com/cockroachdb/cmux v0.0.0-20170110192607-30d10be49292 // indirect
 	github.com/coreos/etcd v3.2.9+incompatible
-	github.com/coreos/go-oidc v0.0.0-20170307191026-be73733bb8cc
+	github.com/coreos/go-oidc v2.0.0+incompatible
 	github.com/coreos/go-semver v0.2.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 // indirect
 	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect

--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,8 @@ github.com/cockroachdb/cmux v0.0.0-20170110192607-30d10be49292 h1:dzj1/xcivGjNPw
 github.com/cockroachdb/cmux v0.0.0-20170110192607-30d10be49292/go.mod h1:qRiX68mZX1lGBkTWyp3CLcenw9I94W2dLeRvMzcn9N4=
 github.com/coreos/etcd v3.2.9+incompatible h1:3TbjfK5+aSRLTU/KgBC1xlgA2dn2ddYQngRqX6HFwlQ=
 github.com/coreos/etcd v3.2.9+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc v0.0.0-20170307191026-be73733bb8cc h1:9yuvA19Q5WFkLwJcMDoYm8m89ilzqZ5zEHqdvU+Zbds=
-github.com/coreos/go-oidc v0.0.0-20170307191026-be73733bb8cc/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
+github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0 h1:3Jm3tLmsgAYcjC+4Up7hJrFBPr+n7rAqYeSw/SZazuY=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 h1:3jFq2xL4ZajGK4aZY8jz+DAF0FHjI51BXjjSwCzS1Dk=

--- a/server/server_test.go
+++ b/server/server_test.go
@@ -16,7 +16,6 @@ import (
 	"reflect"
 	"sort"
 	"strings"
-	"sync"
 	"testing"
 	"time"

@@ -541,23 +540,6 @@ func TestOAuth2CodeFlow(t *testing.T) {
 	}
 }

-type nonceSource struct {
-	nonce string
-	once  sync.Once
-}
-
-func (n *nonceSource) ClaimNonce(nonce string) error {
-	if n.nonce != nonce {
-		return errors.New("invalid nonce")
-	}
-	ok := false
-	n.once.Do(func() { ok = true })
-	if !ok {
-		return errors.New("invalid nonce")
-	}
-	return nil
-}
-
 func TestOAuth2ImplicitFlow(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -623,11 +605,8 @@ func TestOAuth2ImplicitFlow(t *testing.T) {
 		t.Fatalf("failed to create client: %v", err)
 	}

-	src := &nonceSource{nonce: nonce}
-
 	idTokenVerifier := p.Verifier(&oidc.Config{
-		ClientID:   client.ID,
-		ClaimNonce: src.ClaimNonce,
+		ClientID: client.ID,
 	})

 	oauth2Config = &oauth2.Config{
@@ -646,13 +625,17 @@ func TestOAuth2ImplicitFlow(t *testing.T) {
 		if err != nil {
 			return fmt.Errorf("failed to parse fragment: %v", err)
 		}
-		idToken := v.Get("id_token")
-		if idToken == "" {
+		rawIDToken := v.Get("id_token")
+		if rawIDToken == "" {
 			return errors.New("no id_token in fragment")
 		}
-		if _, err := idTokenVerifier.Verify(ctx, idToken); err != nil {
+		idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
+		if err != nil {
 			return fmt.Errorf("failed to verify id_token: %v", err)
 		}
+		if idToken.Nonce != nonce {
+			return fmt.Errorf("failed to verify id_token: nonce was %v, but want %v", idToken.Nonce, nonce)
+		}
 		return nil
 	}


--- a/vendor/github.com/coreos/go-oidc/MAINTAINERS
+++ b/vendor/github.com/coreos/go-oidc/MAINTAINERS
-Bobby Rullo <bobby.rullo@coreos.com> (@bobbyrullo)
-Ed Rooth <ed.rooth@coreos.com> (@sym3tri)
-Eric Chiang <eric.chiang@coreos.com> (@ericchiang)
+Eric Chiang <echiang@redhat.com> (@ericchiang)
+Rithu Leena John <rjohn@redhat.com> (@rithujohn191)
--- a/vendor/github.com/coreos/go-oidc/README.md
+++ b/vendor/github.com/coreos/go-oidc/README.md
@@ -38,7 +38,7 @@ func handleRedirect(w http.ResponseWriter, r *http.Request) {
 The on responses, the provider can be used to verify ID Tokens.

 ```go
-var verifier = provider.Verifier()
+var verifier = provider.Verifier(&oidc.Config{ClientID: clientID})

 func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
    // Verify state and errors.

--- a/vendor/github.com/coreos/go-oidc/code-of-conduct.md
+++ b/vendor/github.com/coreos/go-oidc/code-of-conduct.md
+## CoreOS Community Code of Conduct
+
+### Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing others' private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently applying these
+principles to every aspect of managing this project. Project maintainers who do
+not follow or enforce the Code of Conduct may be permanently removed from the
+project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer, Brandon Philips
+<brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
+
+This Code of Conduct is adapted from the Contributor Covenant
+(http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/
+
+### CoreOS Events Code of Conduct
+
+CoreOS events are working conferences intended for professional networking and
+collaboration in the CoreOS community. Attendees are expected to behave
+according to professional standards and in accordance with their employer’s
+policies on appropriate workplace behavior.
+
+While at CoreOS events or related social networking opportunities, attendees
+should not engage in discriminatory or offensive speech or actions including
+but not limited to gender, sexuality, race, age, disability, or religion.
+Speakers should be especially aware of these concerns.
+
+CoreOS does not condone any statements by speakers contrary to these standards.
+CoreOS reserves the right to deny entrance and/or eject from an event (without
+refund) any individual found to be engaging in discriminatory or offensive
+speech or actions.
+
+Please bring any concerns to the immediate attention of designated on-site
+staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
--- a/vendor/github.com/coreos/go-oidc/gen.go
+++ b/vendor/github.com/coreos/go-oidc/gen.go
-// +build ignore
-
-// This file is used to generate keys for tests.
-
-package main
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"text/template"
-
-	jose "gopkg.in/square/go-jose.v2"
-)
-
-type key struct {
-	name string
-	new  func() (crypto.Signer, error)
-}
-
-var keys = []key{
-	{
-		"ECDSA_256", func() (crypto.Signer, error) {
-			return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		},
-	},
-	{
-		"ECDSA_384", func() (crypto.Signer, error) {
-			return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-		},
-	},
-	{
-		"ECDSA_521", func() (crypto.Signer, error) {
-			return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
-		},
-	},
-	{
-		"RSA_1024", func() (crypto.Signer, error) {
-			return rsa.GenerateKey(rand.Reader, 1024)
-		},
-	},
-	{
-		"RSA_2048", func() (crypto.Signer, error) {
-			return rsa.GenerateKey(rand.Reader, 2048)
-		},
-	},
-	{
-		"RSA_4096", func() (crypto.Signer, error) {
-			return rsa.GenerateKey(rand.Reader, 4096)
-		},
-	},
-}
-
-func newJWK(k key, prefix, ident string) (privBytes, pubBytes []byte, err error) {
-	priv, err := k.new()
-	if err != nil {
-		return nil, nil, fmt.Errorf("generate %s: %v", k.name, err)
-	}
-	pub := priv.Public()
-
-	privKey := &jose.JSONWebKey{Key: priv}
-	thumbprint, err := privKey.Thumbprint(crypto.SHA256)
-	if err != nil {
-		return nil, nil, fmt.Errorf("computing thumbprint: %v", err)
-	}
-
-	keyID := hex.EncodeToString(thumbprint)
-	privKey.KeyID = keyID
-	pubKey := &jose.JSONWebKey{Key: pub, KeyID: keyID}
-
-	privBytes, err = json.MarshalIndent(privKey, prefix, ident)
-	if err != nil {
-		return
-	}
-	pubBytes, err = json.MarshalIndent(pubKey, prefix, ident)
-	return
-}
-
-type keyData struct {
-	Name string
-	Priv string
-	Pub  string
-}
-
-var tmpl = template.Must(template.New("").Parse(`// +build !golint
-
-// This file contains statically created JWKs for tests created by gen.go
-
-package oidc
-
-import (
-	"encoding/json"
-
-	jose "gopkg.in/square/go-jose.v2"
-)
-
-func mustLoadJWK(s string) jose.JSONWebKey {
-	var jwk jose.JSONWebKey
-	if err := json.Unmarshal([]byte(s), &jwk); err != nil {
-		panic(err)
-	}
-	return jwk
-}
-
-var (
-{{- range $i, $key := .Keys }}
-	testKey{{ $key.Name }} = mustLoadJWK(` + "`" + `{{ $key.Pub }}` + "`" + `)
-	testKey{{ $key.Name }}_Priv = mustLoadJWK(` + "`" + `{{ $key.Priv }}` + "`" + `)
-{{ end -}}
-)
-`))
-
-func main() {
-	var tmplData struct {
-		Keys []keyData
-	}
-	for _, k := range keys {
-		for i := 0; i < 4; i++ {
-			log.Printf("generating %s", k.name)
-			priv, pub, err := newJWK(k, "\t", "\t")
-			if err != nil {
-				log.Fatal(err)
-			}
-			name := fmt.Sprintf("%s_%d", k.name, i)
-
-			tmplData.Keys = append(tmplData.Keys, keyData{
-				Name: name,
-				Priv: string(priv),
-				Pub:  string(pub),
-			})
-		}
-	}
-
-	buff := new(bytes.Buffer)
-	if err := tmpl.Execute(buff, tmplData); err != nil {
-		log.Fatalf("excuting template: %v", err)
-	}
-
-	if err := ioutil.WriteFile("jose_test.go", buff.Bytes(), 0644); err != nil {
-		log.Fatal(err)
-	}
-}
--- a/vendor/github.com/coreos/go-oidc/jwks.go
+++ b/vendor/github.com/coreos/go-oidc/jwks.go
@@ -2,7 +2,7 @@ package oidc

 import (
 	"context"
-	"encoding/json"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -23,6 +23,20 @@ import (
 // updated.
 const keysExpiryDelta = 30 * time.Second

+// NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP
+// GETs to fetch JSON web token sets hosted at a remote URL. This is automatically
+// used by NewProvider using the URLs returned by OpenID Connect discovery, but is
+// exposed for providers that don't support discovery or to prevent round trips to the
+// discovery URL.
+//
+// The returned KeySet is a long lived verifier that caches keys based on cache-control
+// headers. Reuse a common remote key set instead of creating new ones as needed.
+//
+// The behavior of the returned KeySet is undefined once the context is canceled.
+func NewRemoteKeySet(ctx context.Context, jwksURL string) KeySet {
+	return newRemoteKeySet(ctx, jwksURL, time.Now)
+}
+
 func newRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet {
 	if now == nil {
 		now = time.Now
@@ -38,147 +52,168 @@ type remoteKeySet struct {
 	// guard all other fields
 	mu sync.Mutex

-	// inflightCtx suppresses parallel execution of updateKeys and allows
+	// inflight suppresses parallel execution of updateKeys and allows
 	// multiple goroutines to wait for its result.
-	// Its Err() method returns any errors encountered during updateKeys.
-	//
-	// If nil, there is no inflight updateKeys request.
-	inflightCtx *inflight
+	inflight *inflight

 	// A set of cached keys and their expiry.
 	cachedKeys []jose.JSONWebKey
 	expiry     time.Time
 }

-// inflight is used to wait on some in-flight request from multiple goroutines
+// inflight is used to wait on some in-flight request from multiple goroutines.
 type inflight struct {
-	done chan struct{}
+	doneCh chan struct{}
+
+	keys []jose.JSONWebKey
 	err  error
 }

-// Done returns a channel that is closed when the inflight request finishes.
-func (i *inflight) Done() <-chan struct{} {
-	return i.done
+func newInflight() *inflight {
+	return &inflight{doneCh: make(chan struct{})}
 }

-// Err returns any error encountered during request execution. May be nil.
-func (i *inflight) Err() error {
-	return i.err
+// wait returns a channel that multiple goroutines can receive on. Once it returns
+// a value, the inflight request is done and result() can be inspected.
+func (i *inflight) wait() <-chan struct{} {
+	return i.doneCh
 }

-// Cancel signals completion of the inflight request with error err.
-// Must be called only once for particular inflight instance.
-func (i *inflight) Cancel(err error) {
+// done can only be called by a single goroutine. It records the result of the
+// inflight request and signals other goroutines that the result is safe to
+// inspect.
+func (i *inflight) done(keys []jose.JSONWebKey, err error) {
+	i.keys = keys
 	i.err = err
-	close(i.done)
+	close(i.doneCh)
 }

-func (r *remoteKeySet) keysWithIDFromCache(keyIDs []string) ([]jose.JSONWebKey, bool) {
-	r.mu.Lock()
-	keys, expiry := r.cachedKeys, r.expiry
-	r.mu.Unlock()
+// result cannot be called until the wait() channel has returned a value.
+func (i *inflight) result() ([]jose.JSONWebKey, error) {
+	return i.keys, i.err
+}

-	// Have the keys expired?
-	if expiry.Add(keysExpiryDelta).Before(r.now()) {
-		return nil, false
+func (r *remoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
+	jws, err := jose.ParseSigned(jwt)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
 	}
+	return r.verify(ctx, jws)
+}
+
+func (r *remoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
+	// We don't support JWTs signed with multiple signatures.
+	keyID := ""
+	for _, sig := range jws.Signatures {
+		keyID = sig.Header.KeyID
+		break
+	}
+
+	keys, expiry := r.keysFromCache()

-	var signingKeys []jose.JSONWebKey
+	// Don't check expiry yet. This optimizes for when the provider is unavailable.
 	for _, key := range keys {
-		if contains(keyIDs, key.KeyID) {
-			signingKeys = append(signingKeys, key)
+		if keyID == "" || key.KeyID == keyID {
+			if payload, err := jws.Verify(&key); err == nil {
+				return payload, nil
+			}
 		}
 	}

-	if len(signingKeys) == 0 {
-		// Are the keys about to expire?
-		if r.now().Add(keysExpiryDelta).After(expiry) {
-			return nil, false
-		}
+	if !r.now().Add(keysExpiryDelta).After(expiry) {
+		// Keys haven't expired, don't refresh.
+		return nil, errors.New("failed to verify id token signature")
 	}

-	return signingKeys, true
-}
-func (r *remoteKeySet) keysWithID(ctx context.Context, keyIDs []string) ([]jose.JSONWebKey, error) {
-	keys, ok := r.keysWithIDFromCache(keyIDs)
-	if ok {
-		return keys, nil
+	keys, err := r.keysFromRemote(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("fetching keys %v", err)
 	}

-	var inflightCtx *inflight
-	func() {
-		r.mu.Lock()
-		defer r.mu.Unlock()
-
-		// If there's not a current inflight request, create one.
-		if r.inflightCtx == nil {
-			inflightCtx := &inflight{make(chan struct{}), nil}
-			r.inflightCtx = inflightCtx
-
-			go func() {
-				// TODO(ericchiang): Upstream Kubernetes request that we recover every time
-				// we spawn a goroutine, because panics in a goroutine will bring down the
-				// entire program. There's no way to recover from another goroutine's panic.
-				//
-				// Most users actually want to let the panic propagate and bring down the
-				// program because it implies some unrecoverable state.
-				//
-				// Add a context key to allow the recover behavior.
-				//
-				// See: https://github.com/coreos/go-oidc/issues/89
-
-				// Sync keys and close inflightCtx when that's done.
-				// Use the remoteKeySet's context instead of the requests context
-				// because a re-sync is unique to the keys set and will span multiple
-				// requests.
-				inflightCtx.Cancel(r.updateKeys(r.ctx))
-
-				r.mu.Lock()
-				defer r.mu.Unlock()
-				r.inflightCtx = nil
-			}()
+	for _, key := range keys {
+		if keyID == "" || key.KeyID == keyID {
+			if payload, err := jws.Verify(&key); err == nil {
+				return payload, nil
+			}
 		}
+	}
+	return nil, errors.New("failed to verify id token signature")
+}

-		inflightCtx = r.inflightCtx
-	}()
+func (r *remoteKeySet) keysFromCache() (keys []jose.JSONWebKey, expiry time.Time) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	return r.cachedKeys, r.expiry
+}
+
+// keysFromRemote syncs the key set from the remote set, records the values in the
+// cache, and returns the key set.
+func (r *remoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, error) {
+	// Need to lock to inspect the inflight request field.
+	r.mu.Lock()
+	// If there's not a current inflight request, create one.
+	if r.inflight == nil {
+		r.inflight = newInflight()
+
+		// This goroutine has exclusive ownership over the current inflight
+		// request. It releases the resource by nil'ing the inflight field
+		// once the goroutine is done.
+		go func() {
+			// Sync keys and finish inflight when that's done.
+			keys, expiry, err := r.updateKeys()
+
+			r.inflight.done(keys, err)
+
+			// Lock to update the keys and indicate that there is no longer an
+			// inflight request.
+			r.mu.Lock()
+			defer r.mu.Unlock()
+
+			if err == nil {
+				r.cachedKeys = keys
+				r.expiry = expiry
+			}
+
+			// Free inflight so a different request can run.
+			r.inflight = nil
+		}()
+	}
+	inflight := r.inflight
+	r.mu.Unlock()

 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
-	case <-inflightCtx.Done():
-		if err := inflightCtx.Err(); err != nil {
-			return nil, err
-		}
+	case <-inflight.wait():
+		return inflight.result()
 	}
-
-	// Since we've just updated keys, we don't care about the cache miss.
-	keys, _ = r.keysWithIDFromCache(keyIDs)
-	return keys, nil
 }

-func (r *remoteKeySet) updateKeys(ctx context.Context) error {
+func (r *remoteKeySet) updateKeys() ([]jose.JSONWebKey, time.Time, error) {
 	req, err := http.NewRequest("GET", r.jwksURL, nil)
 	if err != nil {
-		return fmt.Errorf("oidc: can't create request: %v", err)
+		return nil, time.Time{}, fmt.Errorf("oidc: can't create request: %v", err)
 	}

-	resp, err := doRequest(ctx, req)
+	resp, err := doRequest(r.ctx, req)
 	if err != nil {
-		return fmt.Errorf("oidc: get keys failed %v", err)
+		return nil, time.Time{}, fmt.Errorf("oidc: get keys failed %v", err)
 	}
 	defer resp.Body.Close()

 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return fmt.Errorf("oidc: read response body: %v", err)
+		return nil, time.Time{}, fmt.Errorf("unable to read response body: %v", err)
 	}
+
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
+		return nil, time.Time{}, fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
 	}

 	var keySet jose.JSONWebKeySet
-	if err := json.Unmarshal(body, &keySet); err != nil {
-		return fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
+	err = unmarshalResp(resp, body, &keySet)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
 	}

 	// If the server doesn't provide cache control headers, assume the
@@ -189,11 +224,5 @@ func (r *remoteKeySet) updateKeys(ctx context.Context) error {
 	if err == nil && e.After(expiry) {
 		expiry = e
 	}
-
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.cachedKeys = keySet.Keys
-	r.expiry = expiry
-
-	return nil
+	return keySet.Keys, expiry, nil
 }
--- a/vendor/github.com/coreos/go-oidc/oidc.go
+++ b/vendor/github.com/coreos/go-oidc/oidc.go
@@ -3,10 +3,15 @@ package oidc

 import (
 	"context"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"hash"
 	"io/ioutil"
+	"mime"
 	"net/http"
 	"strings"
 	"time"
@@ -30,6 +35,11 @@ const (
 	ScopeOfflineAccess = "offline_access"
 )

+var (
+	errNoAtHash      = errors.New("id token did not have an access token hash")
+	errInvalidAtHash = errors.New("access token hash does not match value in ID token")
+)
+
 // ClientContext returns a new Context that carries the provided HTTP client.
 //
 // This method sets the same context key used by the golang.org/x/oauth2 package,
@@ -63,7 +73,7 @@ type Provider struct {
 	// Raw claims returned by the server.
 	rawClaims []byte

-	remoteKeySet *remoteKeySet
+	remoteKeySet KeySet
 }

 type cachedKeys struct {
@@ -93,18 +103,23 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()
+
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("unable to read response body: %v", err)
 	}
+
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("%s: %s", resp.Status, body)
 	}
-	defer resp.Body.Close()
+
 	var p providerJSON
-	if err := json.Unmarshal(body, &p); err != nil {
+	err = unmarshalResp(resp, body, &p)
+	if err != nil {
 		return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
 	}
+
 	if p.Issuer != issuer {
 		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
 	}
@@ -114,7 +129,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 		tokenURL:     p.TokenURL,
 		userInfoURL:  p.UserInfoURL,
 		rawClaims:    body,
-		remoteKeySet: newRemoteKeySet(ctx, p.JWKSURL, time.Now),
+		remoteKeySet: NewRemoteKeySet(ctx, p.JWKSURL),
 	}, nil
 }

@@ -232,9 +247,18 @@ type IDToken struct {

 	// Initial nonce provided during the authentication redirect.
 	//
-	// If present, this package ensures this is a valid nonce.
+	// This package does NOT provided verification on the value of this field
+	// and it's the user's responsibility to ensure it contains a valid value.
 	Nonce string

+	// at_hash claim, if set in the ID token. Callers can verify an access token
+	// that corresponds to the ID token using the VerifyAccessToken method.
+	AccessTokenHash string
+
+	// signature algorithm used for ID token, needed to compute a verification hash of an
+	// access token
+	sigAlgorithm string
+
 	// Raw payload of the id_token.
 	claims []byte
 }
@@ -260,6 +284,34 @@ func (i *IDToken) Claims(v interface{}) error {
 	return json.Unmarshal(i.claims, v)
 }

+// VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token
+// matches the hash in the id token. It returns an error if the hashes  don't match.
+// It is the caller's responsibility to ensure that the optional access token hash is present for the ID token
+// before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
+func (i *IDToken) VerifyAccessToken(accessToken string) error {
+	if i.AccessTokenHash == "" {
+		return errNoAtHash
+	}
+	var h hash.Hash
+	switch i.sigAlgorithm {
+	case RS256, ES256, PS256:
+		h = sha256.New()
+	case RS384, ES384, PS384:
+		h = sha512.New384()
+	case RS512, ES512, PS512:
+		h = sha512.New()
+	default:
+		return fmt.Errorf("oidc: unsupported signing algorithm %q", i.sigAlgorithm)
+	}
+	h.Write([]byte(accessToken)) // hash documents that Write will never return an error
+	sum := h.Sum(nil)[:h.Size()/2]
+	actual := base64.RawURLEncoding.EncodeToString(sum)
+	if actual != i.AccessTokenHash {
+		return errInvalidAtHash
+	}
+	return nil
+}
+
 type idToken struct {
 	Issuer   string   `json:"iss"`
 	Subject  string   `json:"sub"`
@@ -267,6 +319,7 @@ type idToken struct {
 	Expiry   jsonTime `json:"exp"`
 	IssuedAt jsonTime `json:"iat"`
 	Nonce    string   `json:"nonce"`
+	AtHash   string   `json:"at_hash"`
 }

 type audience []string
@@ -285,13 +338,6 @@ func (a *audience) UnmarshalJSON(b []byte) error {
 	return nil
 }

-func (a audience) MarshalJSON() ([]byte, error) {
-	if len(a) == 1 {
-		return json.Marshal(a[0])
-	}
-	return json.Marshal([]string(a))
-}
-
 type jsonTime time.Time

 func (j *jsonTime) UnmarshalJSON(b []byte) error {
@@ -314,6 +360,15 @@ func (j *jsonTime) UnmarshalJSON(b []byte) error {
 	return nil
 }

-func (j jsonTime) MarshalJSON() ([]byte, error) {
-	return json.Marshal(time.Time(j).Unix())
+func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
+	err := json.Unmarshal(body, &v)
+	if err == nil {
+		return nil
+	}
+	ct := r.Header.Get("Content-Type")
+	mediaType, _, parseErr := mime.ParseMediaType(ct)
+	if parseErr == nil && mediaType == "application/json" {
+		return fmt.Errorf("got Content-Type = application/json, but could not unmarshal as JSON: %v", err)
+	}
+	return fmt.Errorf("expected Content-Type = application/json, got %q: %v", ct, err)
 }
--- a/vendor/github.com/coreos/go-oidc/test
+++ b/vendor/github.com/coreos/go-oidc/test
@@ -11,5 +11,6 @@ LINTABLE=$( go list -tags=golint -f '

 go test -v -i -race github.com/coreos/go-oidc/...
 go test -v -race github.com/coreos/go-oidc/...
-golint $LINTABLE
+golint -set_exit_status $LINTABLE
 go vet github.com/coreos/go-oidc/...
+go build -v ./example/...
--- a/vendor/github.com/coreos/go-oidc/verify.go
+++ b/vendor/github.com/coreos/go-oidc/verify.go
@@ -19,13 +19,54 @@ const (
 	issuerGoogleAccountsNoScheme = "accounts.google.com"
 )

+// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
+// of JSON web tokens. This is expected to be backed by a remote key set through
+// provider metadata discovery or an in-memory set of keys delivered out-of-band.
+type KeySet interface {
+	// VerifySignature parses the JSON web token, verifies the signature, and returns
+	// the raw payload. Header and claim fields are validated by other parts of the
+	// package. For example, the KeySet does not need to check values such as signature
+	// algorithm, issuer, and audience since the IDTokenVerifier validates these values
+	// independently.
+	//
+	// If VerifySignature makes HTTP requests to verify the token, it's expected to
+	// use any HTTP client associated with the context through ClientContext.
+	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
+}
+
 // IDTokenVerifier provides verification for ID Tokens.
 type IDTokenVerifier struct {
-	keySet *remoteKeySet
+	keySet KeySet
 	config *Config
 	issuer string
 }

+// NewVerifier returns a verifier manually constructed from a key set and issuer URL.
+//
+// It's easier to use provider discovery to construct an IDTokenVerifier than creating
+// one directly. This method is intended to be used with provider that don't support
+// metadata discovery, or avoiding round trips when the key set URL is already known.
+//
+// This constructor can be used to create a verifier directly using the issuer URL and
+// JSON Web Key Set URL without using discovery:
+//
+//		keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs")
+//		verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)
+//
+// Since KeySet is an interface, this constructor can also be used to supply custom
+// public key sources. For example, if a user wanted to supply public keys out-of-band
+// and hold them statically in-memory:
+//
+//		// Custom KeySet implementation.
+//		keySet := newStatisKeySet(publicKeys...)
+//
+//		// Verifier uses the custom KeySet implementation.
+//		verifier := oidc.NewVerifier("https://auth.example.com", keySet, config)
+//
+func NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier {
+	return &IDTokenVerifier{keySet: keySet, config: config, issuer: issuerURL}
+}
+
 // Config is the configuration for an IDTokenVerifier.
 type Config struct {
 	// Expected audience of the token. For a majority of the cases this is expected to be
@@ -34,12 +75,6 @@ type Config struct {
 	//
 	// If not provided, users must explicitly set SkipClientIDCheck.
 	ClientID string
-	// Method to verify the ID Token nonce. If a nonce is present and this method
-	// is nil, users must explicitly set SkipNonceCheck.
-	//
-	// If the ID Token nonce is empty, for example if the client didn't provide a nonce in
-	// the initial redirect, this may be nil.
-	ClaimNonce func(nonce string) error
 	// If specified, only this set of algorithms may be used to sign the JWT.
 	//
 	// Since many providers only support RS256, SupportedSigningAlgs defaults to this value.
@@ -49,8 +84,6 @@ type Config struct {
 	SkipClientIDCheck bool
 	// If true, token expiry is not checked.
 	SkipExpiryCheck bool
-	// If true, nonce claim is not checked. Must be true if ClaimNonce field is empty.
-	SkipNonceCheck bool

 	// Time function to check Token expiry. Defaults to time.Now
 	Now func() time.Time
@@ -61,21 +94,7 @@ type Config struct {
 // The returned IDTokenVerifier is tied to the Provider's context and its behavior is
 // undefined once the Provider's context is canceled.
 func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
-
-	return newVerifier(p.remoteKeySet, config, p.issuer)
-}
-
-func newVerifier(keySet *remoteKeySet, config *Config, issuer string) *IDTokenVerifier {
-	// If SupportedSigningAlgs is empty defaults to only support RS256.
-	if len(config.SupportedSigningAlgs) == 0 {
-		config.SupportedSigningAlgs = []string{RS256}
-	}
-
-	return &IDTokenVerifier{
-		keySet: keySet,
-		config: config,
-		issuer: issuer,
-	}
+	return NewVerifier(p.issuer, p.remoteKeySet, config)
 }

 func parseJWT(p string) ([]byte, error) {
@@ -102,6 +121,8 @@ func contains(sli []string, ele string) bool {
 // Verify parses a raw ID Token, verifies it's been signed by the provider, preforms
 // any additional checks depending on the Config, and returns the payload.
 //
+// Verify does NOT do nonce validation, which is the callers responsibility.
+//
 // See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 //
 //    oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
@@ -120,7 +141,7 @@ func contains(sli []string, ele string) bool {
 func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) {
 	jws, err := jose.ParseSigned(rawIDToken)
 	if err != nil {
-		return nil, fmt.Errorf("oidc: mallformed jwt: %v", err)
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
 	}

 	// Throw out tokens with invalid claims before trying to verify the token. This lets
@@ -135,13 +156,14 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 	}

 	t := &IDToken{
-		Issuer:   token.Issuer,
-		Subject:  token.Subject,
-		Audience: []string(token.Audience),
-		Expiry:   time.Time(token.Expiry),
-		IssuedAt: time.Time(token.IssuedAt),
-		Nonce:    token.Nonce,
-		claims:   payload,
+		Issuer:          token.Issuer,
+		Subject:         token.Subject,
+		Audience:        []string(token.Audience),
+		Expiry:          time.Time(token.Expiry),
+		IssuedAt:        time.Time(token.IssuedAt),
+		Nonce:           token.Nonce,
+		AccessTokenHash: token.AtHash,
+		claims:          payload,
 	}

 	// Check issuer.
@@ -165,7 +187,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 				return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
 			}
 		} else {
-			return nil, fmt.Errorf("oidc: Invalid configuration. ClientID must be provided or SkipClientIDCheck must be set.")
+			return nil, fmt.Errorf("oidc: invalid configuration, clientID must be provided or SkipClientIDCheck must be set")
 		}
 	}

@@ -181,37 +203,29 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		}
 	}

-	// If a set of required algorithms has been provided, ensure that the signatures use those.
-	var keyIDs, gotAlgs []string
-	for _, sig := range jws.Signatures {
-		if len(v.config.SupportedSigningAlgs) == 0 || contains(v.config.SupportedSigningAlgs, sig.Header.Algorithm) {
-			keyIDs = append(keyIDs, sig.Header.KeyID)
-		} else {
-			gotAlgs = append(gotAlgs, sig.Header.Algorithm)
-		}
-	}
-	if len(keyIDs) == 0 {
-		return nil, fmt.Errorf("oidc: no signatures use a supported algorithm, expected %q got %q", v.config.SupportedSigningAlgs, gotAlgs)
+	switch len(jws.Signatures) {
+	case 0:
+		return nil, fmt.Errorf("oidc: id token not signed")
+	case 1:
+	default:
+		return nil, fmt.Errorf("oidc: multiple signatures on id token not supported")
 	}

-	// Get keys from the remote key set. This may trigger a re-sync.
-	keys, err := v.keySet.keysWithID(ctx, keyIDs)
-	if err != nil {
-		return nil, fmt.Errorf("oidc: get keys for id token: %v", err)
-	}
-	if len(keys) == 0 {
-		return nil, fmt.Errorf("oidc: no keys match signature ID(s) %q", keyIDs)
+	sig := jws.Signatures[0]
+	supportedSigAlgs := v.config.SupportedSigningAlgs
+	if len(supportedSigAlgs) == 0 {
+		supportedSigAlgs = []string{RS256}
 	}

-	// Try to use a key to validate the signature.
-	var gotPayload []byte
-	for _, key := range keys {
-		if p, err := jws.Verify(&key); err == nil {
-			gotPayload = p
-		}
+	if !contains(supportedSigAlgs, sig.Header.Algorithm) {
+		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
 	}
-	if len(gotPayload) == 0 {
-		return nil, fmt.Errorf("oidc: failed to verify id token")
+
+	t.sigAlgorithm = sig.Header.Algorithm
+
+	gotPayload, err := v.keySet.VerifySignature(ctx, rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify signature: %v", err)
 	}

 	// Ensure that the payload returned by the square actually matches the payload parsed earlier.
@@ -219,19 +233,6 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		return nil, errors.New("oidc: internal error, payload parsed did not match previous payload")
 	}

-	// Check the nonce after we've verified the token. We don't want to allow unverified
-	// payloads to trigger a nonce lookup.
-	// If SkipNonceCheck is not set ClaimNonce cannot be Nil.
-	if !v.config.SkipNonceCheck && t.Nonce != "" {
-		if v.config.ClaimNonce != nil {
-			if err := v.config.ClaimNonce(t.Nonce); err != nil {
-				return nil, err
-			}
-		} else {
-			return nil, fmt.Errorf("oidc: Invalid configuration. ClaimNonce must be provided or SkipNonceCheck must be set.")
-		}
-	}
-
 	return t, nil
 }


--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -11,7 +11,7 @@ github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes
 github.com/coreos/etcd/etcdserver/etcdserverpb
 github.com/coreos/etcd/mvcc/mvccpb
 github.com/coreos/etcd/pkg/tlsutil
-# github.com/coreos/go-oidc v0.0.0-20170307191026-be73733bb8cc
+# github.com/coreos/go-oidc v2.0.0+incompatible
 github.com/coreos/go-oidc
 # github.com/felixge/httpsnoop v1.0.0
 github.com/felixge/httpsnoop