Merge pull request #158 from joeatwork/share-token-code

server: Share token code

Merge pull request #158 from joeatwork/share-token-code
server: Share token code
70eb87d8 · Joe Bowers · fd814dd6 · b1e43698 · 70eb87d8 · 70eb87d8
Commit 70eb87d8 authored Oct 19, 2015 by Joe Bowers
10 changed files
--- a/build
+++ b/build
@@ -20,7 +20,9 @@ fi

 rm -rf $GOPATH/src/github.com/coreos/dex
 mkdir -p $GOPATH/src/github.com/coreos/
-ln -s ${PWD} $GOPATH/src/github.com/coreos/dex
+
+# Only attempt to link dex into godeps if it isn't already there
+[ -d $GOPATH/src/github.com/coreos/dex ] || ln -s ${PWD} $GOPATH/src/github.com/coreos/dex

 LD_FLAGS="-X main.version=$(git rev-parse HEAD)"
 go build -o bin/dex-worker -ldflags="$LD_FLAGS" github.com/coreos/dex/cmd/dex-worker

--- a/server/password.go
+++ b/server/password.go
@@ -66,31 +66,49 @@ func (h *SendResetPasswordEmailHandler) handleGET(w http.ResponseWriter, r *http
 		log.Errorf("could not exchange sessionKey: %v", err)
 	}
 	data := sendResetPasswordEmailData{}
-	h.fillData(r, &data)
+	if err := h.fillData(r, &data); err != nil {
+		writeAPIError(w, http.StatusBadRequest, err)
+	}
+
+	if data.ClientID == "" {
+		writeAPIError(w, http.StatusBadRequest, newAPIError(errorInvalidRequest,
+			"missing required parameters"))
+		return
+	}
+
 	execTemplate(w, h.tpl, data)
 }

-func (h *SendResetPasswordEmailHandler) fillData(r *http.Request, data *sendResetPasswordEmailData) {
+func (h *SendResetPasswordEmailHandler) fillData(r *http.Request, data *sendResetPasswordEmailData) *apiError {
 	data.Email = r.FormValue("email")
-	clientID := r.FormValue("client_id")
+	data.ClientID = r.FormValue("client_id")
 	redirectURL := r.FormValue("redirect_uri")

-	if redirectURL != "" && clientID != "" {
-		if parsed, ok := h.validateRedirectURL(clientID, redirectURL); ok {
-			data.ClientID = clientID
+	if redirectURL != "" && data.ClientID != "" {
+		if parsed, ok := h.validateRedirectURL(data.ClientID, redirectURL); ok {
 			data.RedirectURL = redirectURL
 			data.RedirectURLParsed = parsed
+		} else {
+			return newAPIError(errorInvalidRequest, "invalid redirect url")
 		}
 	}

+	return nil
 }

 func (h *SendResetPasswordEmailHandler) handlePOST(w http.ResponseWriter, r *http.Request) {
 	data := sendResetPasswordEmailData{}
-	h.fillData(r, &data)
+	if err := h.fillData(r, &data); err != nil {
+		writeAPIError(w, http.StatusBadRequest, err)
+	}
+
+	if data.ClientID == "" {
+		writeAPIError(w, http.StatusBadRequest, newAPIError(errorInvalidRequest, "client id missing"))
+		return
+	}

 	if !user.ValidEmail(data.Email) {
-		h.errPage(w, "Please supply a valid email addresss.", http.StatusBadRequest, &data)
+		h.errPage(w, "Please supply a valid email address.", http.StatusBadRequest, &data)
 		return
 	}


--- a/server/password_test.go
+++ b/server/password_test.go
--- a/test
+++ b/test
@@ -14,7 +14,7 @@ COVER=${COVER:-"-cover"}

 source ./build

-TESTABLE="connector db integration pkg/crypto pkg/flag pkg/http pkg/net pkg/time pkg/html functional/repo server session user/api"
+TESTABLE="connector db integration pkg/crypto pkg/flag pkg/http pkg/net pkg/time pkg/html functional/repo server session user user/api"
 FORMATTABLE="$TESTABLE cmd/dexctl cmd/dex-worker cmd/dex-overlord examples/app functional pkg/log"

 # user has not provided PKG override

--- a/user/email/email.go
+++ b/user/email/email.go
@@ -76,18 +76,19 @@ func (u *UserEmailer) SendResetPasswordEmail(email string, redirectURL url.URL,
 	}

 	signer, err := u.signerFn()
-	if err != nil {
-		log.Errorf("error getting signer: %v", err)
+	if err != nil || signer == nil {
+		log.Errorf("error getting signer: %v (%v)", err, signer)
 		return nil, err
 	}

 	passwordReset := user.NewPasswordReset(usr, pwi.Password, u.issuerURL,
 		clientID, redirectURL, u.tokenValidityWindow)
-	token, err := passwordReset.Token(signer)
+	jwt, err := jose.NewSignedJWT(passwordReset.Claims, signer)
 	if err != nil {
-		log.Errorf("error getting tokenizing PasswordReset: %v", err)
+		log.Errorf("error constructing or signing PasswordReset JWT: %v", err)
 		return nil, err
 	}
+	token := jwt.Encode()

 	resetURL := u.passwordResetURL
 	q := resetURL.Query()
@@ -124,15 +125,17 @@ func (u *UserEmailer) SendEmailVerification(userID, clientID string, redirectURL
 	ev := user.NewEmailVerification(usr, clientID, u.issuerURL, redirectURL, u.tokenValidityWindow)

 	signer, err := u.signerFn()
-	if err != nil {
-		log.Errorf("error getting signer: %v", err)
+	if err != nil || signer == nil {
+		log.Errorf("error getting signer: %v (signer: %v)", err, signer)
 		return nil, err
 	}

-	token, err := ev.Token(signer)
+	jwt, err := jose.NewSignedJWT(ev.Claims, signer)
 	if err != nil {
+		log.Errorf("error constructing or signing EmailVerification JWT: %v", err)
 		return nil, err
 	}
+	token := jwt.Encode()

 	verifyURL := u.verifyEmailURL
 	q := verifyURL.Query()

--- a/user/email_verification.go
+++ b/user/email_verification.go
 package user

 import (
-	"errors"
 	"fmt"
 	"net/url"
 	"time"
@@ -13,15 +12,6 @@ import (
 	"github.com/coreos/go-oidc/oidc"
 )

-const (
-	// Claim representing where a user should be sent after verifying their email address.
-	ClaimEmailVerificationCallback = "http://coreos.com/email/verification-callback"
-
-	// ClaimEmailVerificationEmail represents the email to be verified. Note
-	// that we are intentionally not using the "email" claim for this purpose.
-	ClaimEmailVerificationEmail = "http://coreos.com/email/verificationEmail"
-)
-
 var (
 	clock = clockwork.NewRealClock()
 )
@@ -29,7 +19,6 @@ var (
 // NewEmailVerification creates an object which can be sent to a user in serialized form to verify that they control an email address.
 // The clientID is the ID of the registering user. The callback is where a user should land after verifying their email.
 func NewEmailVerification(user User, clientID string, issuer url.URL, callback url.URL, expires time.Duration) EmailVerification {
-
 	claims := oidc.NewClaims(issuer.String(), user.ID, clientID, clock.Now(), clock.Now().Add(expires))
 	claims.Add(ClaimEmailVerificationCallback, callback.String())
 	claims.Add(ClaimEmailVerificationEmail, user.Email)
@@ -37,90 +26,46 @@ func NewEmailVerification(user User, clientID string, issuer url.URL, callback u
 }

 type EmailVerification struct {
-	claims jose.Claims
-}
-
-// Token serializes the EmailVerification into a signed JWT.
-func (e EmailVerification) Token(signer jose.Signer) (string, error) {
-	if signer == nil {
-		return "", errors.New("no signer")
-	}
-
-	jwt, err := jose.NewSignedJWT(e.claims, signer)
-	if err != nil {
-		return "", err
-	}
-
-	return jwt.Encode(), nil
+	Claims jose.Claims
 }

-// ParseAndVerifyEmailVerificationToken parses a string into a an EmailVerification, verifies the signature, and ensures that required claims are present.
-// In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimEmailVerificationCallback and ClaimEmailVerificationEmail.
-func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []key.PublicKey) (EmailVerification, error) {
-	jwt, err := jose.ParseJWT(token)
-	if err != nil {
-		return EmailVerification{}, err
-	}
-
-	claims, err := jwt.Claims()
-	if err != nil {
-		return EmailVerification{}, err
-	}
-
-	clientID, ok, err := claims.StringClaim("aud")
+// Assumes that parseAndVerifyTokenClaims has already been called on claims
+func verifyEmailVerificationClaims(claims jose.Claims) (EmailVerification, error) {
+	email, ok, err := claims.StringClaim(ClaimEmailVerificationEmail)
 	if err != nil {
 		return EmailVerification{}, err
 	}
-	if !ok {
-		return EmailVerification{}, errors.New("no aud(client ID) claim")
+	if !ok || email == "" {
+		return EmailVerification{}, fmt.Errorf("no %q claim", ClaimEmailVerificationEmail)
 	}

 	cb, ok, err := claims.StringClaim(ClaimEmailVerificationCallback)
 	if err != nil {
 		return EmailVerification{}, err
 	}
-	if cb == "" {
+	if !ok || cb == "" {
 		return EmailVerification{}, fmt.Errorf("no %q claim", ClaimEmailVerificationCallback)
 	}
 	if _, err := url.Parse(cb); err != nil {
 		return EmailVerification{}, fmt.Errorf("callback URL not parseable: %v", cb)
 	}

-	email, ok, err := claims.StringClaim(ClaimEmailVerificationEmail)
-	if err != nil {
-		return EmailVerification{}, err
-	}
-	if email == "" {
-		return EmailVerification{}, fmt.Errorf("no %q claim", ClaimEmailVerificationEmail)
-	}
+	return EmailVerification{claims}, nil
+}

-	sub, ok, err := claims.StringClaim("sub")
+// ParseAndVerifyEmailVerificationToken parses a string into a an EmailVerification, verifies the signature, and ensures that required claims are present.
+// In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimEmailVerificationCallback and ClaimEmailVerificationEmail.
+func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []key.PublicKey) (EmailVerification, error) {
+	tokenClaims, err := parseAndVerifyTokenClaims(token, issuer, keys)
 	if err != nil {
 		return EmailVerification{}, err
 	}
-	if sub == "" {
-		return EmailVerification{}, errors.New("no sub claim")
-	}
-
-	noop := func() error { return nil }
-
-	keysFunc := func() []key.PublicKey {
-		return keys
-	}
-
-	verifier := oidc.NewJWTVerifier(issuer.String(), clientID, noop, keysFunc)
-	if err := verifier.Verify(jwt); err != nil {
-		return EmailVerification{}, err
-	}
-
-	return EmailVerification{
-		claims: claims,
-	}, nil

+	return verifyEmailVerificationClaims(tokenClaims.Claims)
 }

 func (e EmailVerification) UserID() string {
-	uid, ok, err := e.claims.StringClaim("sub")
+	uid, ok, err := e.Claims.StringClaim("sub")
 	if !ok || err != nil {
 		panic("EmailVerification: no sub claim. This should be impossible.")
 	}
@@ -128,7 +73,7 @@ func (e EmailVerification) UserID() string {
 }

 func (e EmailVerification) Email() string {
-	email, ok, err := e.claims.StringClaim(ClaimEmailVerificationEmail)
+	email, ok, err := e.Claims.StringClaim(ClaimEmailVerificationEmail)
 	if !ok || err != nil {
 		panic("EmailVerification: no email claim. This should be impossible.")
 	}
@@ -136,7 +81,7 @@ func (e EmailVerification) Email() string {
 }

 func (e EmailVerification) Callback() *url.URL {
-	cb, ok, err := e.claims.StringClaim(ClaimEmailVerificationCallback)
+	cb, ok, err := e.Claims.StringClaim(ClaimEmailVerificationCallback)
 	if !ok || err != nil {
 		panic("EmailVerification: no callback claim. This should be impossible.")
 	}

--- a/user/email_verification_test.go
+++ b/user/email_verification_test.go
@@ -59,7 +59,7 @@ func TestNewEmailVerification(t *testing.T) {
 		}
 		ev := NewEmailVerification(tt.user, tt.clientID, tt.issuer, *cbURL, tt.expires)

-		if diff := pretty.Compare(tt.want, ev.claims); diff != "" {
+		if diff := pretty.Compare(tt.want, ev.Claims); diff != "" {
 			t.Errorf("case %d: Compare(want, got): %v", i, diff)
 		}

@@ -127,10 +127,11 @@ func TestEmailVerificationParseAndVerify(t *testing.T) {

 	for i, tt := range tests {

-		token, err := tt.ev.Token(tt.signer)
+		jwt, err := jose.NewSignedJWT(tt.ev.Claims, tt.signer)
 		if err != nil {
-			t.Errorf("case %d: non-nil error creating token: %v", i, err)
+			t.Fatalf("Failed to generate JWT, error=%v", err)
 		}
+		token := jwt.Encode()

 		ev, err := ParseAndVerifyEmailVerificationToken(token, *issuer,
 			[]key.PublicKey{*key.NewPublicKey(privKey.JWK())})
@@ -148,7 +149,7 @@ func TestEmailVerificationParseAndVerify(t *testing.T) {

 		}

-		if diff := pretty.Compare(tt.ev.claims, ev.claims); diff != "" {
+		if diff := pretty.Compare(tt.ev.Claims, ev.Claims); diff != "" {
 			t.Errorf("case %d: Compare(want, got): %v", i, diff)
 		}
 	}

--- a/user/password.go
+++ b/user/password.go
@@ -26,14 +26,6 @@ const (
 	// since the bcrypt library will silently ignore portions of
 	// a password past the first 72 characters.
 	maxSecretLength = 72
-
-	// ClaimPasswordResetCallback represents where a user should be sent after
-	// resetting their password.
-	ClaimPasswordResetCallback = "http://coreos.com/password/reset-callback"
-
-	// ClaimPasswordResetPassword represents the hash of the password to be
-	// reset; in other words, the old password.
-	ClaimPasswordResetPassword = "http://coreos.com/password/old-hash"
 )

 var (
@@ -224,56 +216,22 @@ func NewPasswordInfoRepoFromFile(loc string) (PasswordInfoRepo, error) {

 func NewPasswordReset(user User, password Password, issuer url.URL, clientID string, callback url.URL, expires time.Duration) PasswordReset {
 	claims := oidc.NewClaims(issuer.String(), user.ID, clientID, clock.Now(), clock.Now().Add(expires))
-	claims.Add(ClaimPasswordResetCallback, callback.String())
 	claims.Add(ClaimPasswordResetPassword, string(password))
+	claims.Add(ClaimPasswordResetCallback, callback.String())
 	return PasswordReset{claims}
 }

 type PasswordReset struct {
-	claims jose.Claims
-}
-
-// Token serializes the PasswordReset into a signed JWT.
-func (e PasswordReset) Token(signer jose.Signer) (string, error) {
-	if signer == nil {
-		return "", errors.New("no signer")
-	}
-
-	jwt, err := jose.NewSignedJWT(e.claims, signer)
-	if err != nil {
-		return "", err
-	}
-
-	return jwt.Encode(), nil
+	Claims jose.Claims
 }

-// ParseAndVerifyPasswordResetToken parses a string into a an PasswordReset, verifies the signature, and ensures that required claims are present.
-// In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimPasswordResetCallback, ClaimPasswordResetEmail and ClaimPasswordResetPassword.
-func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.PublicKey) (PasswordReset, error) {
-	jwt, err := jose.ParseJWT(token)
-	if err != nil {
-		return PasswordReset{}, err
-	}
-
-	claims, err := jwt.Claims()
-	if err != nil {
-		return PasswordReset{}, err
-	}
-
+// Assumes that parseAndVerifyTokenClaims has already been called on claims
+func verifyPasswordResetClaims(claims jose.Claims) (PasswordReset, error) {
 	cb, ok, err := claims.StringClaim(ClaimPasswordResetCallback)
 	if err != nil {
 		return PasswordReset{}, err
 	}
-	var clientID string
-	if ok && cb != "" {
-		clientID, ok, err = claims.StringClaim("aud")
-		if err != nil {
-			return PasswordReset{}, err
-		}
-		if !ok || clientID == "" {
-			return PasswordReset{}, errors.New("no aud(client ID) claim")
-		}
-	}
+
 	if _, err := url.Parse(cb); err != nil {
 		return PasswordReset{}, fmt.Errorf("callback URL not parseable: %v", cb)
 	}
@@ -282,37 +240,26 @@ func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.P
 	if err != nil {
 		return PasswordReset{}, err
 	}
-	if pw == "" {
+	if !ok || pw == "" {
 		return PasswordReset{}, fmt.Errorf("no %q claim", ClaimPasswordResetPassword)
 	}

-	sub, ok, err := claims.StringClaim("sub")
-	if err != nil {
-		return PasswordReset{}, err
-	}
-	if sub == "" {
-		return PasswordReset{}, errors.New("no sub claim")
-	}
-
-	noop := func() error { return nil }
-
-	keysFunc := func() []key.PublicKey {
-		return keys
-	}
+	return PasswordReset{claims}, nil
+}

-	verifier := oidc.NewJWTVerifier(issuer.String(), clientID, noop, keysFunc)
-	if err := verifier.Verify(jwt); err != nil {
+// ParseAndVerifyPasswordResetToken parses a string into a an PasswordReset, verifies the signature, and ensures that required claims are present.
+// In addition to the usual claims required by the OIDC spec, "aud" and "sub" must be present as well as ClaimPasswordResetCallback, ClaimPasswordResetEmail and ClaimPasswordResetPassword.
+func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.PublicKey) (PasswordReset, error) {
+	tokenClaims, err := parseAndVerifyTokenClaims(token, issuer, keys)
+	if err != nil {
 		return PasswordReset{}, err
 	}

-	return PasswordReset{
-		claims: claims,
-	}, nil
-
+	return verifyPasswordResetClaims(tokenClaims.Claims)
 }

 func (e PasswordReset) UserID() string {
-	uid, ok, err := e.claims.StringClaim("sub")
+	uid, ok, err := e.Claims.StringClaim("sub")
 	if !ok || err != nil {
 		panic("PasswordReset: no sub claim. This should be impossible.")
 	}
@@ -320,7 +267,7 @@ func (e PasswordReset) UserID() string {
 }

 func (e PasswordReset) Password() Password {
-	pw, ok, err := e.claims.StringClaim(ClaimPasswordResetPassword)
+	pw, ok, err := e.Claims.StringClaim(ClaimPasswordResetPassword)
 	if !ok || err != nil {
 		panic("PasswordReset: no password claim. This should be impossible.")
 	}
@@ -328,7 +275,7 @@ func (e PasswordReset) Password() Password {
 }

 func (e PasswordReset) Callback() *url.URL {
-	cb, ok, err := e.claims.StringClaim(ClaimPasswordResetCallback)
+	cb, ok, err := e.Claims.StringClaim(ClaimPasswordResetCallback)
 	if err != nil {
 		panic("PasswordReset: error getting string claim. This should be impossible.")
 	}

--- a/user/password_test.go
+++ b/user/password_test.go
@@ -124,7 +124,7 @@ func TestNewPasswordReset(t *testing.T) {
 		}
 		ev := NewPasswordReset(tt.user, tt.password, tt.issuer, tt.clientID, *cbURL, tt.expires)

-		if diff := pretty.Compare(tt.want, ev.claims); diff != "" {
+		if diff := pretty.Compare(tt.want, ev.Claims); diff != "" {
 			t.Errorf("case %d: Compare(want, got): %v", i, diff)
 		}

@@ -145,12 +145,13 @@ func TestPasswordResetParseAndVerify(t *testing.T) {
 	password := Password("passy")

 	goodPR := NewPasswordReset(user, password, *issuer, client, *callback, expires)
-	goodPRNoCB := NewPasswordReset(user, password, *issuer, "", url.URL{}, expires)
+	goodPRNoCB := NewPasswordReset(user, password, *issuer, client, url.URL{}, expires)
 	expiredPR := NewPasswordReset(user, password, *issuer, client, *callback, -expires)
 	wrongIssuerPR := NewPasswordReset(user, password, *otherIssuer, client, *callback, expires)
 	noSubPR := NewPasswordReset(User{}, password, *issuer, client, *callback, expires)
 	noPWPR := NewPasswordReset(user, Password(""), *issuer, client, *callback, expires)
 	noClientPR := NewPasswordReset(user, password, *issuer, "", *callback, expires)
+	noClientNoCBPR := NewPasswordReset(user, password, *issuer, "", url.URL{}, expires)

 	privKey, err := key.GeneratePrivateKey()
 	if err != nil {
@@ -211,14 +212,20 @@ func TestPasswordResetParseAndVerify(t *testing.T) {
 			signer:  signer,
 			wantErr: true,
 		},
+		{
+			ev:      noClientNoCBPR,
+			signer:  signer,
+			wantErr: true,
+		},
 	}

 	for i, tt := range tests {

-		token, err := tt.ev.Token(tt.signer)
+		jwt, err := jose.NewSignedJWT(tt.ev.Claims, tt.signer)
 		if err != nil {
-			t.Errorf("case %d: non-nil error creating token: %v", i, err)
+			t.Fatalf("Failed to generate JWT, error=%v", err)
 		}
+		token := jwt.Encode()

 		ev, err := ParseAndVerifyPasswordResetToken(token, *issuer,
 			[]key.PublicKey{*key.NewPublicKey(privKey.JWK())})
@@ -236,7 +243,7 @@ func TestPasswordResetParseAndVerify(t *testing.T) {

 		}

-		if diff := pretty.Compare(tt.ev.claims, ev.claims); diff != "" {
+		if diff := pretty.Compare(tt.ev.Claims, ev.Claims); diff != "" {
 			t.Errorf("case %d: Compare(want, got): %v", i, diff)
 		}
 	}

--- a/user/user.go
+++ b/user/user.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"net/mail"
+	"net/url"
 	"os"
 	"sort"

@@ -15,10 +16,30 @@ import (

 	"github.com/coreos/dex/repo"
 	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/key"
+	"github.com/coreos/go-oidc/oidc"
 )

 const (
 	MaxEmailLength = 200
+
+	// ClaimPasswordResetPassword represents the hash of the password to be
+	// reset; in other words, the old password
+	ClaimPasswordResetPassword = "http://coreos.com/password/old-hash"
+
+	// ClaimEmailVerificationEmail represents the email to be verified. Note
+	// that we are intentionally not using the "email" claim for this purpose.
+	ClaimEmailVerificationEmail = "http://coreos.com/email/verificationEmail"
+
+	// ClaimPasswordResetCallback represents where a user should be sent after
+	// resetting their password.
+	ClaimPasswordResetCallback = "http://coreos.com/password/reset-callback"
+
+	// Claim representing where a user should be sent after verifying their email address.
+	ClaimEmailVerificationCallback = "http://coreos.com/email/verification-callback"
+
+	// Claim representing where a user should be sent after responding to an invitation
+	ClaimInvitationCallback = "http://coreos.com/invitation/callback"
 )

 type UserIDGenerator func() (string, error)
@@ -422,3 +443,53 @@ func (u *RemoteIdentity) UnmarshalJSON(data []byte) error {

 	return nil
 }
+
+type TokenClaims struct {
+	Claims jose.Claims
+}
+
+// Returns TokenClaims if and only if
+// - the given token string is an appropriately formatted JWT
+// - the JWT contains nonempty "aud" and "sub" claims
+// - the JWT can be verified for the client associated with the "aud" claim
+//   using the given keys
+func parseAndVerifyTokenClaims(token string, issuer url.URL, keys []key.PublicKey) (TokenClaims, error) {
+	jwt, err := jose.ParseJWT(token)
+	if err != nil {
+		return TokenClaims{}, err
+	}
+
+	claims, err := jwt.Claims()
+	if err != nil {
+		return TokenClaims{}, err
+	}
+
+	clientID, ok, err := claims.StringClaim("aud")
+	if err != nil {
+		return TokenClaims{}, err
+	}
+	if !ok || clientID == "" {
+		return TokenClaims{}, errors.New("no aud(client ID) claim")
+	}
+
+	sub, ok, err := claims.StringClaim("sub")
+	if err != nil {
+		return TokenClaims{}, err
+	}
+	if !ok || sub == "" {
+		return TokenClaims{}, errors.New("no sub claim")
+	}
+
+	noop := func() error { return nil }
+
+	keysFunc := func() []key.PublicKey {
+		return keys
+	}
+
+	verifier := oidc.NewJWTVerifier(issuer.String(), clientID, noop, keysFunc)
+	if err := verifier.Verify(jwt); err != nil {
+		return TokenClaims{}, err
+	}
+
+	return TokenClaims{claims}, nil
+}