This was brought up @liggitt in kubernetes/kubernetes#28036

A panic in a goroutine kills all goroutines, and if you don't start the goroutine there's no way to recover from it. The Kubernetes API Server has a policy that all goroutines handle panics[1] so one method can't take down the whole process. In this case it's been requested that the provider config syncing use a recover statement.

However panicing also means that the something in the syncing has gone terribly wrong, and recoving could result in the OIDC client behaving badly. Do we restart the syncing, propagate the error back up the main goroutine some way, or just log an error that the program might not be working?

Find some way of either adding a recover or allow Kubernetes to start the goroutine itself.

[0] kubernetes/kubernetes#28036
[1] https://godoc.org/k8s.io/kubernetes/pkg/util/runtime#HandleCrash.

Currently using this package to implement github and bitbucket oauth2 clients. Noticed that some server response errors are either being misreported or lacking detail during the token exchange.

Full request dump here

When using an incorrect client secret:

Bitbucket:

• Returns an error_description field which is optional in the oauth2 spec but this package doesn't support.

GitHub

• Returns a 200 status when it serves an error so the error is never detected by this package.
• Returns an error_description field (same problem as bitbucket).
• Returns errors x-www-form-urlencoded not JSON encoded so would result in an unrecognized error.

There is client and application example, any plan to add simple server example showing us how to host a OIDC server/identity provider by this library?

Brought up in dexidp/dex#336. The OAuth2 spec requires the client ID and secret to be URL encoded before being used in base auth.

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password.

Maybe something like this

type JWKSet struct {
    Keys []JWK `json:"key"`
}

func (keySet *JWKSet) Verify(jwt JWT) error {
    id, ok := jwt.KeyID()
    if !ok {
        return fmt.Errorf("jose: JWT does not have a '%s' value", HeaderKeyID)
    }
    for _, jwk := range keySet.Keys {
        if jwk.ID == id {
            verifier, err := NewVerifier(jwk)
            if err != nil {
                return err
            }
            return verifier.Verify(jwt.Signature, jwt.Data())
        }
    }
    return errors.New("jose: no key in JWK Set which matches the ID of JWT signing key")
}

I am trying to get Cloudfoundry UAA to work as an OIDC provider for Kubernetes. Unfortunately, for UAA it appears the JWT Key modulus isn't base64url encoded and is only base64 encoded. While I have created an issue for this in the UAA repository, I was wondering if it would hurt anything to attempt to base64 decode the modulus whenever base64url decoding failed. Thoughts?

Ref kubernetes/kubernetes#20476

From the OIDC spec:

The returned Issuer location MUST be a URI RFC 3986 with a scheme component that MUST be https, a host component, and optionally, port and path components and no query or fragment components.

And from RFC 3986. The tailing slash is allowed.

However, I met such error when adding a tailing slash to the issuer url in the ProviderConfig:

--- FAIL: TestHTTPProviderConfigGetter (0.00s)
    provider_test.go:570: test 4: unexpected error: failed to parse issuer: parse https://foo.com%2F: percent-encoded characters in host
FAIL

See issue #17 and #28

see @gtank's work here

Currently the only way to create a signed JWT is to use the jose.Claims object. However for dexidp/dex#418 we want to explicitly avoid this and operate on raw payloads (byte slices).

Add the ability to construct a signed JWT from a raw payload.

Hi,

This is not an issue, but just to inform a library I found, which may be interest to you

https://github.com/square/go-jose

Looks well maintained and comprehensive.

Cheers,
bsr

Currently it treats it as a single string. and the error message is unclear (what's the expected valued and actual value?)

/cc @polvi

eg.

ClaimsSub = "sub"
...
func (c *Claims) GetSub() string

That way, we'd get automatic decoding/encoding of base64 when serialize to and from JSON.

Azure AD v2.0 provides OIDC config via:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Issuer in the config json is returned as
https://login.microsoftonline.com/{tenantid}/v2.0

As a result NewProvider() method fails.

From dexidp/dex#100

Per the oidc spec, https is required for issuer's address.. But we want to support http for development environment. A compromise can be that only localhost and 127.0.0.1 are allowed for http scheme.

Maybe add a field to the client config that permis http:// but have the client enforce https:// otherwise?

type ClientConfig struct {
    HTTPClient     phttp.Client
    Credentials    ClientCredentials
    Scope          []string
    RedirectURL    string
    ProviderConfig ProviderConfig
    KeySet         key.PublicKeySet

    // InsecureAllowNoTLS controls if the client enforces the use of "https" as the scheme
    // when communicating with the identity provider.
    InsecureAllowNoTLS bool
}

EDIT: A lot of this needs to go in the Valid function for ClientMetadata and ProviderConfig. Maybe adding a ValidAllowHTTP method? Do we need to check this anywhere else?

https://github.com/coreos/go-oidc/blob/master/oauth2/oauth2.go#L335

Add field's tag(json:"XXX,omitempty"), so oidc server can use this struct to marshal json.

After turning on the race detector for #27, saw this warning when running the unit tests

Note: I was on go1.5.1 linux/amd64

$ ./test 
building bin/oidc-example-app...
building bin/oidc-example-cli...
done
Running tests...
ok      github.com/coreos/go-oidc/http  1.012s  coverage: 62.4% of statements
ok      github.com/coreos/go-oidc/jose  1.012s  coverage: 56.4% of statements
==================
WARNING: DATA RACE
Read by goroutine 21:
  github.com/coreos/go-oidc/key.(*staticReadableKeySetRepo).Get()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:18 +0x4a
  github.com/coreos/go-oidc/key.sync()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:91 +0x91
  github.com/coreos/go-oidc/key.(*KeySetSyncer).Run.func1()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:38 +0x11f

Previous write by goroutine 20:
  github.com/coreos/go-oidc/key.TestKeySyncerSync()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:100 +0x19d5
  testing.tRunner()
      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Goroutine 21 (running) created at:
  github.com/coreos/go-oidc/key.(*KeySetSyncer).Run()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:75 +0x8a
  github.com/coreos/go-oidc/key.TestKeySyncerSync()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:96 +0x18a2
  testing.tRunner()
      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Goroutine 20 (running) created at:
  testing.RunTests()
      /tmp/workdir/go/src/testing/testing.go:561 +0xaa3
  testing.(*M).Run()
      /tmp/workdir/go/src/testing/testing.go:494 +0xe4
  main.main()
      github.com/coreos/go-oidc/key/_test/_testmain.go:138 +0x384
==================
==================
WARNING: DATA RACE
Read by goroutine 21:
  github.com/coreos/go-oidc/key.(*staticReadableKeySetRepo).Get()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:18 +0x5d
  github.com/coreos/go-oidc/key.sync()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:91 +0x91
  github.com/coreos/go-oidc/key.(*KeySetSyncer).Run.func1()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:38 +0x11f

Previous write by goroutine 20:
  github.com/coreos/go-oidc/key.TestKeySyncerSync()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:101 +0x1a19
  testing.tRunner()
      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Goroutine 21 (running) created at:
  github.com/coreos/go-oidc/key.(*KeySetSyncer).Run()
      github.com/coreos/go-oidc/key/_test/_obj_test/sync.go:75 +0x8a
  github.com/coreos/go-oidc/key.TestKeySyncerSync()
      /home/eric/src/github.com/coreos/go-oidc/key/sync_test.go:96 +0x18a2
  testing.tRunner()
      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Goroutine 20 (running) created at:
  testing.RunTests()
      /tmp/workdir/go/src/testing/testing.go:561 +0xaa3
  testing.(*M).Run()
      /tmp/workdir/go/src/testing/testing.go:494 +0xe4
  main.main()
      github.com/coreos/go-oidc/key/_test/_testmain.go:138 +0x384
==================
PASS
coverage: 80.8% of statements
Found 2 data race(s)
FAIL    github.com/coreos/go-oidc/key   1.010s
ok      github.com/coreos/go-oidc/oauth2    1.011s  coverage: 36.5% of statements
ok      github.com/coreos/go-oidc/oidc  2.543s  coverage: 65.1% of statements

I was able to build the cli/main.go example. I setup openid provider with Google and specified the id and secret. I was unable to verify with the provider.

clientID := fs.String("client-id", "", "")
clientSecret := fs.String("client-secret", "", "")
discovery := fs.String("discovery", "https://accounts.google.com", "")

I added the id to the first string and secret for the first string. What is the second string argument for clientID and clientSecret.

I did get a response back from the provider but it appears that I didn't specify my email/password. Where do you specify that?

See response from provider
fetching provider config from https://accounts.google.com...fetched provider config from https://accounts.google.com: oidc.ProviderConfig{Issuer:(_url.URL)(0xstuff), AuthEndpoint:(_url.URL)(0xstuff), TokenEndpoint:(_url.URL)(0xstuff), UserInfoEndpoint:(_url.URL)(0xstuff), KeysEndpoint:(_url.URL)(0xstuff), RegistrationEndpoint:(_url.URL)(nil), ScopesSupported:[]string{"openid", "email", "profile"}, ResponseTypesSupported:[]string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"}, ResponseModesSupported:[]string(nil), GrantTypesSupported:[]string(nil), ACRValuesSupported:[]string(nil), SubjectTypesSupported:[]string{"public"}, IDTokenSigningAlgValues:[]string{"RS256"}, IDTokenEncryptionAlgValues:[]string(nil), IDTokenEncryptionEncValues:[]string(nil), UserInfoSigningAlgValues:[]string(nil), UserInfoEncryptionAlgValues:[]string(nil), UserInfoEncryptionEncValues:[]string(nil), ReqObjSigningAlgValues:[]string(nil), ReqObjEncryptionAlgValues:[]string(nil), ReqObjEncryptionEncValues:[]string(nil), TokenEndpointAuthMethodsSupported:[]string{"client_secret_post", "client_secret_basic"}, TokenEndpointAuthSigningAlgValuesSupported:[]string(nil), DisplayValuesSupported:[]string(nil), ClaimTypesSupported:[]string(nil), ClaimsSupported:[]string{"aud", "email", "email_verified", "exp", "family_name", "given_name", "iat", "iss", "locale", "name", "picture", "sub"}, ServiceDocs:(_url.URL)(nil), ClaimsLocalsSupported:[]string(nil), UILocalsSupported:[]string(nil), ClaimsParameterSupported:false, RequestParameterSupported:false, RequestURIParamaterSupported:false, RequireRequestURIRegistration:false, Policy:(_url.URL)(nil), TermsOfService:(_url.URL)(nil), ExpiresAt:time.Time{sec:63592531749, nsec:562120021, loc:(_time.Location)(0xstuff)}}

unable to verify auth code with issuer: client_credentials grant type is not supported

Has most of what we need; what's not in there, just move from here.

It's more feature-complete and might have had more eyes on it. Worth investigating, since it would let us move away from PKCS1v15 RSA.

https://github.com/square/go-jose

jose/sig_hmac.go:Verify doesn't use a constant time function to compare signatures and it introduces a timing side channel that can be used to forge signed tokens.

Should use hmac.Equal instead of bytes.Equal.

A bit of a snafu with FetchProviderConfig...

https://fullung.auth0.com/.well-known/openid-configuration has issuer:https://fullung.auth0.com/ but https://fullung.auth0.com//.well-known/openid-configuration (double slash intentional) is a 404.

This is a problem because provider.go simply does:

req, err := http.NewRequest("GET", r.issuerURL+discoveryConfigPath, nil)

and later:

if !urlEqual(cfg.Issuer.String(), r.issuerURL)

Probably want to change provider.go to do:

if !urlEqual(cfg.Issuer.String(), r.issuerURL) && !urlEqual(cfg.Issuer.String(), r.issuerURL+"/") {

Not sure that getting Auth0 to fix their endpoint is going to happen and there might be other OpenID providers out there that made the same mistake.

Thoughts appreciated.

Since our jose implementation assumes that headers are map[string]string, it doesn't work for standard header claims like "jwk".

Example JWT header:

{
  "alg": "RS256",
  "jwk": {
    "kty": "RSA",
    "n": "4f5wg5l2hKsTeNem_V41fGnJm6gOdrj8ym3rFkEU_wT8RDtnSgFEZOQpHEgQ7JL38xUfU0Y3g6aYw9QT0hJ7mCpz9Er5qLaMXJwZxzHzAahlfA0icqabvJOMvQtzD6uQv6wPEyZtDTWiQi9AXwBpHssPnpYGIn20ZZuNlX2BrClciHhCPUIIZOQn_MmqTD31jSyjoQoV7MhhMTATKJx2XrHhR-1DcKJzQBSTAGnpYVaqpsARap-nwRipr3nUTuxyGohBTSmjJ2usSeQXHI3bODIRe1AuTyHceAbewn8b462yEWKARdpd9AjQW5SIVPfdsz5B6GlYQ5LdYKtznTuy7w",
    "e": "AQAB"
  },
  "kid": "1"
}

Broken program:

package main

import (
    "log"

    "github.com/coreos/go-oidc/jose"
)

var rawJWT = "eyJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJuIjoiNGY1d2c1bDJoS3NUZU5lbV9WNDFmR25KbTZnT2Ryajh5bTNyRmtFVV93VDhSRHRuU2dGRVpPUXBIRWdRN0pMMzh4VWZVMFkzZzZhWXc5UVQwaEo3bUNwejlFcjVxTGFNWEp3Wnh6SHpBYWhsZkEwaWNxYWJ2Sk9NdlF0ekQ2dVF2NndQRXladERUV2lRaTlBWHdCcEhzc1BucFlHSW4yMFpadU5sWDJCckNsY2lIaENQVUlJWk9Rbl9NbXFURDMxalN5am9Rb1Y3TWhoTVRBVEtKeDJYckhoUi0xRGNLSnpRQlNUQUducFlWYXFwc0FSYXAtbndSaXByM25VVHV4eUdvaEJUU21qSjJ1c1NlUVhISTNiT0RJUmUxQXVUeUhjZUFiZXduOGI0NjJ5RVdLQVJkcGQ5QWpRVzVTSVZQZmRzejVCNkdsWVE1TGRZS3R6blR1eTd3IiwiZSI6IkFRQUIifSwia2lkIjoiMSJ9.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjE0MDAxIiwic3ViIjoiaWQtb2YtdGVzdC11c2VyIiwiYXVkIjoiMTIzNCIsImV4cCI6MTQ2MTEwODcyNCwiaWF0IjoxNDYxMTA1MTI0LCJlbWFpbCI6ImphbmUuZG9lQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJKYW5lIERvZSIsImZhbWlseV9uYW1lIjoiRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJsb2NhbGUiOiJ1cyJ9.OCJ5Xn5_K1pktAhZTSZojvmgl3YxO8sTuExu0GeAEAD034it4nYAl4cIzad_jQTdkHYFY61lRdX5xdA064NJV0M4VoTwIJem2HktDRrbVIOkT5j8MrqdASZ8wLfIZi8CuSQGL0Ra7WcUMCD0Y7MNXOyZxHLtedwlSx9k2Qo5A_bnL7VqhBiClLklMWUvXZaI2BFi2wzuTRIXdcGIJYOmbAXwSoi3mbLG2UfhjP9sCdEmRroxUJRDy-U-oKjBlIbTS-kVM1sQk7biSjQeyYWNzVzR84PW3YvIhoyTItQ9M1ET_aT7e1U7wfaDAlS_f-wAlMcYejjwYwLs5jCKmp3jxQ"

func main() {
    if _, err := jose.ParseJWT(rawJWT); err != nil {
        log.Fatal(err)
    }
}

This key size is hardcoded. While 1024-bit keys aren't currently broken, they are notably weaker than we should choose for a new system.

I suggest that for now we bump this to 2048, and in the future consider moving to elliptic curve signatures.

We've set up a v1 branch so users can depend on specific versions of go-oidc. (Also so we can make breaking changes in the future.)

The new import for v1 will be:

go get gopkg.in/coreos/go-oidc.v1/oidc

As development continues changes will go in the v2 branch. Important changes will be cherry picked back into the v1 branch.

pretty sparse at the moment

oidc.Identity is too limited in functionality. Without replacing it as a type, users of go-oidc not able to add additional attributes to an Identity.

I need to modify dex to add Additional Claims to the JWT. To accomplish this, I replaced the oidc.Identity type in dex with a new dex specific type. The result turned out to be oidc.Identity with one additional field.

I don't see any advantages to doing the mechanical work of replacing the type within dex. I also assume any other users of the go-oidc package will eventually run into a similar issue. So rather than continue down the path of looking at replacing oidc.Identity in dex, I would like to make the existing type less limited.

In the same vein as #50. Go's oauth2 package is better maintained and has been tested against a wide array of oauth2 providers. We already have to ensure that dex works with this client, is there a reason against using it?

The cacheControlMaxHeader function returns TTLs that overflow. I added a log at this line https://github.com/coreos/go-oidc/blob/master/http/http.go#L82 to show what the TTL was while repeatedly cURLing my app that authenticates against Dex. These logs show dramatically varying TTLs for the exact same cURL over about a five second span:

TTL:  683899h59m13.171574784s
TTL:  -770445h54m21.828425216s
TTL:  -2223611h3m7.828425216s
TTL:  1397448h29m34.8811264s

After more digging, it looks like the Cache-Control: max-age= header is being sent int nanoseconds instead of seconds, as the spec for the header requires. I tested that dividing age by 10^9 before parsing as a duration fixes the issue and returns sensible values for the TTL in the order of 2h48m. This is not an issue with go-oidc but most likely with the OIDC provider.

I added links to all of the godocs for the packages but it would be great to have a doc.go that provides a few examples and a top-level intro to each package.

reported in openshift/origin#5025 (comment)

==================

WARNING: DATA RACE

Read by goroutine 53:

  github.com/coreos/go-oidc/oidc.(*Client).VerifyJWT()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:285 +0x261

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.(*OIDCAuthenticator).AuthenticateToken()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_obj_test/oidc.go:140 +0x1bb

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.TestOIDCAuthentication()

      /home/travis/gopath/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go:378 +0x1654

  testing.tRunner()

      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Previous write by goroutine 90:

  github.com/coreos/go-oidc/oidc.(*providerConfigRepo).Set()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:194 +0x86

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).sync()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:111 +0x15a

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).(github.com/coreos/go-oidc/oidc.sync)-fm()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:95 +0x3b

  github.com/coreos/go-oidc/oidc.(*pcsStepNext).step()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:136 +0x7c

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).Run.func1()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:95 +0x1c9

Goroutine 53 (running) created at:

  testing.RunTests()

      /tmp/workdir/go/src/testing/testing.go:561 +0xaa3

  testing.(*M).Run()

      /tmp/workdir/go/src/testing/testing.go:494 +0xe4

  main.main()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_testmain.go:106 +0x384

Goroutine 90 (running) created at:

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).Run()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:100 +0x122

  github.com/coreos/go-oidc/oidc.(*Client).SyncProviderConfig()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:158 +0x391

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.New()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_obj_test/oidc.go:124 +0xfbc

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.TestOIDCAuthentication()

      /home/travis/gopath/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go:373 +0x14f6

  testing.tRunner()

      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

==================

==================

WARNING: DATA RACE

Read by goroutine 53:

  github.com/coreos/go-oidc/oidc.(*Client).maybeSyncKeys()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:181 +0x18c

  github.com/coreos/go-oidc/oidc.(*Client).(github.com/coreos/go-oidc/oidc.maybeSyncKeys)-fm()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:285 +0x3b

  github.com/coreos/go-oidc/oidc.(*JWTVerifier).Verify()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/verification.go:150 +0x439

  github.com/coreos/go-oidc/oidc.(*Client).VerifyJWT()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:287 +0x4c4

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.(*OIDCAuthenticator).AuthenticateToken()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_obj_test/oidc.go:140 +0x1bb

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.TestOIDCAuthentication()

      /home/travis/gopath/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go:378 +0x1654

  testing.tRunner()

      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

Previous write by goroutine 90:

  github.com/coreos/go-oidc/oidc.(*providerConfigRepo).Set()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:194 +0x86

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).sync()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:111 +0x15a

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).(github.com/coreos/go-oidc/oidc.sync)-fm()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:95 +0x3b

  github.com/coreos/go-oidc/oidc.(*pcsStepNext).step()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:136 +0x7c

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).Run.func1()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:95 +0x1c9

Goroutine 53 (running) created at:

  testing.RunTests()

      /tmp/workdir/go/src/testing/testing.go:561 +0xaa3

  testing.(*M).Run()

      /tmp/workdir/go/src/testing/testing.go:494 +0xe4

  main.main()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_testmain.go:106 +0x384

Goroutine 90 (running) created at:

  github.com/coreos/go-oidc/oidc.(*ProviderConfigSyncer).Run()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go:100 +0x122

  github.com/coreos/go-oidc/oidc.(*Client).SyncProviderConfig()

      /home/travis/gopath/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go:158 +0x391

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.New()

      github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/_test/_obj_test/oidc.go:124 +0xfbc

  github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc.TestOIDCAuthentication()

      /home/travis/gopath/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/Godeps/_workspace/src/k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go:373 +0x14f6

  testing.tRunner()

      /tmp/workdir/go/src/testing/testing.go:456 +0xdc

==================

In the method RefreshToken, there is a line to parse the response from an OpenID provider. The current implementation expects an id_token. However in the Openid spec it states that id_token is not required on the response.

Is it possible to add another example to show how to use this library to implement a standalone oidc server?

The go net/http/httptest package should only be used in test builds. In particular, that package adds the httptest.serve flag which leaks into binaries depending on go-oidc (e.g. kubernetes/kubernetes#21114)

From what I can tell, the HandlerClient that uses httptest is only used in testing, so I suggest moving it to a test-only package (such as go-oidc/http/testing or go-oidc/http/httptest)

According to the OpenID Connect specification section 2. ID Token the exp and iat claims are REQUIRED and specified as JSON number representing the number of seconds from 1970-01-01T0:0:0Z.

The current implementation converts the timestamps from golang Time, to Unix int64 and then finally converts that to a float64. When doing this the numbers come across as 1.456478332e+09 instead of 1456478332.

Other implementations, like mod_auth_openidc for Apache used by among others OpenStack, does not understand Unix timestamps represented as 64-bit floating point numbers.

I would argue that it breaks the spec by using float64, even though it does not explicitly say "integer" rathern than just JSON numbers.

Is there any reason for why the 64-bit integers are converted to 64-bit floating point numbers?

ATM, capnslog turns off the standard library logger[0] on init. So anyone who imports go-oidc is unintentionally disabling logging for basically everything.

Discovered when investigating dexidp/dex#543

[0] https://github.com/coreos/pkg/blob/3ac0863d7acf3bc44daf49afef8919af12f704ef/capnslog/log_hijack.go#L24-L26

line 101 of example/app/main.go negates --redirect-url command line arg.

mux.HandleFunc(pathCallback, handleCallbackFunc(c))

should be changed to

mux.HandleFunc(cbURL.Path, handleCallbackFunc(c))

"unable to verify auth code with issuer: invalid_client: The client MUST NOT use more than one authentication method in each request."

it is not clear to me why I'm seeing this error. I have the auth code returned but cannot get the access token (If I used postman, I get the AT). I switched to public cert so that PKI is not the issue. I also look at the code and the spec and not sure where I'm missing.

I was able to get example/web/main.go to work.

I have 1 question:
Once the results are obtained post login, is there a way to send the results to a server and forging -- can Google auth server send the credentials to the redirect server?

Right now after creating a client we then spawn a goroutine to sync the provider config. This has two problems:

1. If things work well, there's a small amount of time when the client doesn't have a config.
2. If the client can't reach the OIDC provider, errors are printed to the log but there's no error to check.

The client needs to have an option to block on the first sync to ensure it can reach the OIDC provider.

This is discussed in #35 but I'm opening this issue so other issues can reference it.

Brought this up in #68.

Defining a type like so

func (b *Bar) MarshalJSON() ([]byte, error) {
    // ...
}

Means that this is an error

b := Bar{}
json.Marshal(b) // Passing concrete type, not pointer

However defining MarshalJSON on the concrete type causes json.Marshal to work fine on either the concrete type or pointer.

func (f Foo) MarshalJSON() ([]byte, error) {
    // ...
}

f := Foo{}
json.Marshal(&f) // Passing pointer, this totally works. 

See example here: https://play.golang.org/p/fv5MFSk15X

I propose moving all of our definitions to define MarshalJSON on a concrete receiver rather than a pointer.

Discussed in kubernetes/kubernetes#30457.

The IDTokenVerifier preforms very poorly when verifying ID Tokens signed by a key it doesn't recognize. This is usually not a problem, but can be an issue when it's being spammed by ID Tokens that are explicitly not issued by the provider.

Brought up in dexidp/dex#212

id_token_alg_values_supported

should be

id_token_signing_alg_values_supported

Relevant part of the spec: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

This is an optimization brought up in kubernetes/kubernetes#30457.

There are certain claim values, such as an invalid issuer, that can be rejected before verifying the signature (a much heavier operation).