package auth
import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/coreos/go-oidc/v3/oidc"
)
// OIDCVerifier bundles a discovered OpenID provider with the ID-token
// verifier derived from it. Build it with NewOIDCVerifier. The zero value is
// not usable: VerifyBearer dereferences Verifier, and both fields are
// exported, so callers that assemble the struct by hand must set them.
type OIDCVerifier struct {
	// Provider holds the discovery result for the configured issuer
	// (endpoints and JWKS location).
	Provider *oidc.Provider
	// Verifier validates token signature and claims using Provider's keys.
	// Its audience check is bound to the clientID given at construction.
	Verifier *oidc.IDTokenVerifier
}
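// NewOIDCVerifier runs OpenID Connect discovery against issuer and returns a
// verifier for ID tokens whose audience is clientID.
//
// Discovery fetches {issuer}/.well-known/openid-configuration. go-oidc v3 also
// requires the "issuer" value in that document to equal the issuer passed
// here (unless the caller opts out via the library's insecure context
// helper), which stops a lookalike host from substituting its own keys.
//
// Both arguments must be non-empty. An empty clientID would leave the
// audience check unbound to this client, so it is rejected here instead of
// surfacing as a failure on every Verify call.
//
// Security notes for callers:
//   - issuer should be an https:// URL; discovery over plain http lets an
//     on-path attacker replace the JWKS. This constructor does not enforce
//     the scheme (local development providers often use http), so enforce it
//     where configuration is loaded.
//   - The oidc.Config here keeps the library defaults: signature, iss,
//     aud == clientID and exp are checked. SupportedSigningAlgs is left at
//     the library default (RS256 only in go-oidc v3 — confirm against the
//     version in go.mod) and the token is an ID token, not an access token;
//     if this API is meant to accept access tokens, this is the wrong tool.
//   - NOTE(review): go-oidc keeps ctx for later JWKS refreshes, so pass a
//     long-lived context here, not a per-request one, or key rotation will
//     start failing once that context is cancelled.
//
// Returns the verifier, or an error if an argument is empty or discovery
// fails (the discovery error is wrapped and can be unwrapped with errors.As).
func NewOIDCVerifier(ctx context.Context, issuer, clientID string) (*OIDCVerifier, error) {
	if issuer == "" {
		return nil, errors.New("oidc: issuer must not be empty")
	}
	if clientID == "" {
		return nil, errors.New("oidc: clientID must not be empty")
	}
	// Discovery: GET {issuer}/.well-known/openid-configuration
	p, err := oidc.NewProvider(ctx, issuer)
	if err != nil {
		return nil, fmt.Errorf("oidc discovery for issuer %q: %w", issuer, err)
	}
	// Verifier validates signature, iss, aud(ClientID), exp with the
	// library's default settings.
	v := p.Verifier(&oidc.Config{ClientID: clientID})
	return &OIDCVerifier{Provider: p, Verifier: v}, nil
}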
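// VerifyBearer extracts the bearer token from r's Authorization header and
// verifies it with o.Verifier (signature against the provider JWKS plus the
// claim checks configured in NewOIDCVerifier).
//
// The header must have the shape "<scheme> <token>" with exactly one
// whitespace-separated token. The scheme is matched case-insensitively
// ("bearer", "Bearer", "BEARER"), as RFC 6750 §2.1 and RFC 9110 §11.1 require.
// A header with a different scheme, no token, or a scheme fused to the token
// (e.g. "Bearerxyz", which a bare prefix trim would have accepted as token
// "xyz") is rejected before the token is parsed.
//
// Returns the verified token, or an error if o is not initialized, the header
// is missing or malformed, or verification fails. Verify's error is returned
// unchanged so callers can inspect it; avoid echoing it verbatim to
// unauthenticated clients.
func (o *OIDCVerifier) VerifyBearer(ctx context.Context, r *http.Request) (*oidc.IDToken, error) {
	// Fail closed with an error rather than a nil-pointer panic if the struct
	// was assembled by hand without a verifier.
	if o == nil || o.Verifier == nil {
		return nil, errors.New("oidc verifier not initialized")
	}
	authz := r.Header.Get("Authorization")
	if authz == "" {
		return nil, errors.New("missing Authorization header")
	}
	// Fields splits on any run of whitespace (RFC 9110 permits SP or HTAB
	// between scheme and credentials). A JWT contains no whitespace, so more
	// than two fields means a malformed header.
	parts := strings.Fields(authz)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return nil, errors.New("expected Bearer token")
	}
	raw := parts[1]
	// Verify JWT using provider JWKS + claim checks.
	return o.Verifier.Verify(ctx, raw)
}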