- 17 Apr, 2018 (2 commits)
  - Eric Chiang authored
    *: Update MAINTAINERS file
  - rithu john authored
- 17 Jan, 2018 (1 commit)
  - Eric Chiang authored
    NewVerifier: fix defaulting of RS256
- 16 Jan, 2018 (1 commit)
  - Eric Chiang authored
    When NewVerifier was introduced, it forgot to default the SupportedSigningAlgs value in the verification config. This means an attacker can pass a token signed with any asymmetric "alg" value. This isn't a P0 because the public key set from the provider should only return asymmetric keys, so an attacker can't sneak in a token signed with a symmetric algorithm like HS512. RS256 is also the weakest hash supported by square/go-jose, so you can't downgrade to a weaker signing hash. Additionally, using jose.ParseSigned ensures tokens encrypted with algorithms like A128GCM are rejected. Additionally, NewVerifier isn't expected to be used commonly. It's mostly for testing (though that doesn't reduce the severity). Unify the verifier creation code and make it impossible to pass an empty list of SupportedSigningAlgs. No new tests because the Verify path is already tested.
- 04 Jan, 2018 (2 commits)
  - Eric Chiang authored
    automated PR: update CoC
  - Eric Chiang authored
- 20 Nov, 2017 (2 commits)
  - Eric Chiang authored
    add id token support to verify access token hashes, fixes #126
  - gotwarlost authored
- 26 Oct, 2017 (1 commit)
  - Eric Chiang authored
    *: expose KeySet, NewRemoteKeySet, and NewVerifier
- 21 Oct, 2017 (1 commit)
  - Eric Chiang authored
    Expose internal types to let users create IDTokenVerifiers without using metadata discovery (/.well-known/openid-configuration). This expands support to providers that don't implement discovery, and lets users deliver verification keys out-of-band.
- 20 Oct, 2017 (1 commit)
  - Eric Chiang authored
- 02 Oct, 2017 (1 commit)
  - Eric Chiang authored
    [nit] fix error message typo
- 01 Oct, 2017 (1 commit)
  - Stephan Renatus authored
- 11 Jul, 2017 (2 commits)
  - Eric Chiang authored
    fix(http): Allows 0 as an `Expires` header value
  - Taylor Thomas authored
    This is allowed by the RFC and is common with a few OIDC providers. Partially addresses #136 as a temporary solution until k8s uses the top level package.
- 16 Jun, 2017 (1 commit)
  - Chance Zibolski authored
    Check response content-type to improve message if cannot decode as JSON
- 22 May, 2017 (1 commit)
  - Chance Zibolski authored
    If the Content-Type is not "application/json", add extra text indicating that the response was not JSON before propagating the unmarshal error to the caller.
- 09 May, 2017 (1 commit)
  - Eric Chiang authored
    *: various cleanups and improved unit testing
- 02 May, 2017 (1 commit)
  - Eric Chiang authored
    Problems with this:
    * Code that didn't originate an oauth2 flow would always have to skip nonce checks.
    * Code that checks nonces is likely to be dependent on the context of the Verify call, for example an HTTP request in a handler. The hook doesn't provide this context since it's global to the verifier.
    * The weirdness of this being conditional on whether the nonce was present.
    Overall I think it's simpler to let the user do the nonce verification.
- 26 Apr, 2017 (1 commit)
  - Eric Chiang authored
    Biggest cleanup is that the remoteKeySet now does the key ID matching instead of the idTokenVerifier. On the testing side, added tests that actually exercise the expected caching behavior.
- 25 Apr, 2017 (1 commit)
  - Eric Chiang authored
    README: fix verifier initialization example
- 20 Apr, 2017 (1 commit)
  - Eric Chiang authored
- 07 Mar, 2017 (2 commits)
  - Eric Chiang authored
    oidc: allow `none` in TokenEndpointAuthMethodsSupported
  - Curtis Allen authored
    OpenID Connect allows for `none` to be a member of TokenEndpointAuthMethodsSupported; see https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3. Fixes #137
- 02 Mar, 2017 (2 commits)
  - Eric Chiang authored
    *: use std library's context package
  - Eric Chiang authored
- 28 Feb, 2017 (1 commit)
  - Eric Chiang authored
- 30 Jan, 2017 (1 commit)
  - rithu leena john authored
    special case google accounts issuer validation
- 27 Jan, 2017 (2 commits)
  - Eric Chiang authored
    Google sometimes returns "accounts.google.com" instead of "https://accounts.google.com". Special case this. Originally we merged a new verification flag, but since this should only be used with Google, and should always be on with Google, it makes more sense for us to detect this case transparently. Fixes #125
  - Eric Chiang authored
    add an option to allow the issuer claim to be schemaless
- 26 Jan, 2017 (1 commit)
  - Eric Chiang authored
    This is because Google often returns "account.google.com" instead of the spec compliant "https://account.google.com".
- 19 Jan, 2017 (1 commit)
  - rithu leena john authored
    *: Update ID token Validation according to OIDC spec.
- 18 Jan, 2017 (1 commit)
  - rithu john authored
- 06 Jan, 2017 (2 commits)
  - rithu leena john authored
    *: check if ID token has expired.
  - rithu john authored
- 28 Dec, 2016 (1 commit)
  - rithu leena john authored
    example: Correct go run command in README.
- 27 Dec, 2016 (1 commit)
  - rithu john authored
- 29 Nov, 2016 (2 commits)
  - rithu leena john authored
    pass context to all requests
  - Eric Chiang authored
- 28 Nov, 2016 (1 commit)
  - Eric Chiang authored
    Use a token-aware HTTP client for UserInfo