feat: upgrade golang-jwt version for apple provider (#583)
burkayanduv authored Nov 25, 2024
1 parent e55b014 commit 0c63ed9
Showing 4 changed files with 11 additions and 20 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -4,7 +4,7 @@ go 1.18

require (
github.com/go-chi/chi/v5 v5.1.0
github.com/golang-jwt/jwt/v4 v4.2.0
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/gorilla/mux v1.6.2
github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1
github.com/gorilla/sessions v1.1.1
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -13,8 +13,8 @@ github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
Expand Down
2 changes: 1 addition & 1 deletion providers/apple/apple.go
Expand Up @@ -13,7 +13,7 @@ import (
"strings"
"time"

"github.com/golang-jwt/jwt/v4"
"github.com/golang-jwt/jwt/v5"
"github.com/markbates/goth"
"golang.org/x/oauth2"
)
Expand Down
23 changes: 7 additions & 16 deletions providers/apple/session.go
Expand Up @@ -10,7 +10,7 @@ import (
"fmt"
"time"

"github.com/golang-jwt/jwt/v4"
"github.com/golang-jwt/jwt/v5"
"github.com/lestrrat-go/jwx/jwk"
"github.com/markbates/goth"
"golang.org/x/oauth2"
Expand Down Expand Up @@ -48,7 +48,7 @@ func (s Session) Marshal() string {
}

type IDTokenClaims struct {
jwt.StandardClaims
jwt.RegisteredClaims
AccessTokenHash string `json:"at_hash"`
AuthTime int `json:"auth_time"`
Email string `json:"email"`
Expand Down Expand Up @@ -80,27 +80,18 @@ func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string,
idToken, err := jwt.ParseWithClaims(idToken.(string), &IDTokenClaims{}, func(t *jwt.Token) (interface{}, error) {
kid := t.Header["kid"].(string)
claims := t.Claims.(*IDTokenClaims)
vErr := new(jwt.ValidationError)
if !claims.VerifyAudience(p.clientId, true) {
vErr.Inner = fmt.Errorf("audience is incorrect")
vErr.Errors |= jwt.ValidationErrorAudience
}
if !claims.VerifyIssuer(AppleAudOrIss, true) {
vErr.Inner = fmt.Errorf("issuer is incorrect")
vErr.Errors |= jwt.ValidationErrorIssuer
}
if vErr.Errors > 0 {
return nil, vErr
validator := jwt.NewValidator(jwt.WithAudience(p.clientId), jwt.WithIssuer(AppleAudOrIss))
err := validator.Validate(claims)
if err != nil {
return nil, err
}

// per OpenID Connect Core 1.0 §3.2.2.9, Access Token Validation
hash := sha256.Sum256([]byte(s.AccessToken))
halfHash := hash[0:(len(hash) / 2)]
encodedHalfHash := base64.RawURLEncoding.EncodeToString(halfHash)
if encodedHalfHash != claims.AccessTokenHash {
vErr.Inner = fmt.Errorf(`identity token invalid`)
vErr.Errors |= jwt.ValidationErrorClaimsInvalid
return nil, vErr
return nil, fmt.Errorf(`identity token invalid`)
}

// get the public key for verifying the identity token signature
Expand Down
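Review bot: The at_hash mismatch branch in the last hunk, `return nil, fmt.Errorf(`identity token invalid`)`, drops the claims-invalid classification that the removed ValidationError carried, so a caller can no longer use errors.Is to tell a token whose at_hash does not match the presented access token apart from a generic key-lookup failure; wrapping the v5 sentinel keeps that distinction, `return nil, fmt.Errorf("%w: identity token invalid", jwt.ErrTokenInvalidClaims)`. The new validator call would also read tighter as `if err := validator.Validate(claims); err != nil { return nil, err }`, avoiding a second err variable inside the closure. Both the aud/iss validation and the at_hash comparison run inside the keyfunc, i.e. on claims whose signature has not yet been verified; that is acceptable because a failure only short-circuits and a pass still goes through signature verification with the returned key, but a comment stating it would help the next reader, e.g. `// claims are checked before signature verification; the parser still verifies the signature with the key returned below`. Unchanged but still in this hunk, `kid := t.Header["kid"].(string)` is an unchecked assertion on an attacker-controlled header and panics when kid is absent or not a string, so a `kid, ok := t.Header["kid"].(string)` guard returning an error would be worth adding while this code is being touched. The enclosing Authorize body and the keyfunc closure continue past the end of the hunk.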
