keratin / authn-go

Go client library for Keratin AuthN
https://github.com/keratin/authn-server
GNU Lesser General Public License v3.0
32 stars 10 forks

auth_time claim inaccessible from ClaimsFrom #20

Closed jeffreylo closed 2 years ago

jeffreylo commented 2 years ago

https://github.com/keratin/authn-go/pull/18 still doesn’t completely address extraction of the custom auth_time claim of authn-server’s Identity Token as it only returns the standard verified claims defined by go-jose.

This may require a change to ClaimsFrom, ClaimsFromWithAudience, IDTokenVerifier, and the JWTClaimsExtractor interface to return the Claims from the identities package in authn-server: https://github.com/keratin/authn-server/blob/main/app/tokens/identities/identity.go#L16-L19. Assuming https://github.com/keratin/authn-go/blob/master/authn/authn.go#L11 is still a desired outcome, this might be an opportunity to factor out jwt.Claims and replace it with identities.Claims.

e.g., the patch could look something like this:

modified   authn/authn.go
@@ -5,6 +5,7 @@ import (
    "net/http"
    "time"

+   "github.com/keratin/authn-server/app/tokens/identities"
    jwt "gopkg.in/square/go-jose.v2/jwt"
 )
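Review bot: the added import of `github.com/keratin/authn-server/app/tokens/identities` makes the client library depend on the server module, so it is worth confirming before merging that authn-server's go-jose resolves to the same `gopkg.in/square/go-jose.v2/jwt` import path used on the very next line; if `identities.Claims` embeds a `jwt.Claims` from a different module path, callers holding the existing `jwt.Claims` type will not get the drop-in superset the issue promises. A local `Claims` type in authn-go that embeds `jwt.Claims` and adds the `auth_time` field would deliver the same superset without pulling the server module into the client's dependency graph.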

@@ -68,13 +69,13 @@ func (ac *Client) SubjectFromWithAudience(idToken string, audience jwt.Audience)
 // if and only if the token is a valid JWT that passes all
 // verification requirements. If the JWT does not verify, the returned
 // error will explain why. This is for debugging purposes.
-func (ac *Client) ClaimsFrom(idToken string) (*jwt.Claims, error) {
+func (ac *Client) ClaimsFrom(idToken string) (*identities.Claims, error) {
    return ac.claimsFromVerifier(idToken, ac.verifier)
 }

 // ClaimsFromWithAudience works like ClaimsFrom but allows
 // specifying a different JWT audience.
-func (ac *Client) ClaimsFromWithAudience(idToken string, audience jwt.Audience) (*jwt.Claims, error) {
+func (ac *Client) ClaimsFromWithAudience(idToken string, audience jwt.Audience) (*identities.Claims, error) {
    verifier, err := newIDTokenVerifierWithAudiences(ac.config.Issuer, audience, ac.kchain)
    if err != nil {
        return nil, err
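Review bot: only the two signatures change to `*identities.Claims` here, while `ClaimsFrom` still returns `ac.claimsFromVerifier(idToken, ac.verifier)` unchanged and the hunk stops before `ClaimsFromWithAudience` returns, so as posted the patch cannot compile until `claimsFromVerifier` (and the `IDTokenVerifier` and `JWTClaimsExtractor` changes the issue text mentions) are updated to the new type; those should be part of the same change. The doc comment above `ClaimsFrom` should also say that the result is a superset of the standard claims that includes `auth_time`, since "This is for debugging purposes" no longer describes why callers will reach for it.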
cainlevy commented 2 years ago

this sounds like a backwards compatible plan that would return a superset of the current claims, right?

jeffreylo commented 2 years ago

Correct. As I understand it, identities.Claims embeds the original jwt.Claims, augmenting it with AuthTime: https://github.com/keratin/authn-server/blob/b2b9bdaea5b19c143aca8df02aef61e7e183d7af/app/tokens/identities/identity.go#L16-L19
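A stand-alone illustration of the superset claim type discussed in this thread, added here as an example; it is not code from authn-go or authn-server. It signs with HS256 over the standard library purely so it runs offline (authn-server's own signing algorithm and key chain are not reproduced), uses a `StandardClaims` struct with an assumed field set standing in for go-jose's `jwt.Claims`, a single-string `aud`, constructed issuer, audience, key and timestamps, and `RequireRecentAuth` as one typical consumer of `auth_time` (a maximum authentication age check before a sensitive action). None of those names or values come from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// StandardClaims stands in for go-jose's jwt.Claims from the thread; the field
// list and the single-string aud are assumptions made for this example.
type StandardClaims struct {
	Issuer   string `json:"iss,omitempty"`
	Subject  string `json:"sub,omitempty"`
	Audience string `json:"aud,omitempty"`
	Expiry   int64  `json:"exp,omitempty"`
}

// IdentityClaims embeds StandardClaims and adds auth_time, the superset shape the
// thread describes for identities.Claims. StandardClaims alone has nowhere to put it.
type IdentityClaims struct {
	StandardClaims
	AuthTime int64 `json:"auth_time,omitempty"`
}

// header is pinned: a token whose header differs in alg (or anything else) is rejected.
var header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func hs256(key []byte, input string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// mintHS256 signs constructed sample claims; HS256 is used only so the example
// runs offline on the standard library and is not authn-server's algorithm.
func mintHS256(key []byte, claims IdentityClaims) (string, error) {
	payload, err := json.Marshal(claims) // embedded fields flatten into one JSON object
	if err != nil {
		return "", err
	}
	input := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	return input + "." + hs256(key, input), nil
}

// verifyHS256 checks the header and MAC before decoding the payload into dst.
func verifyHS256(token string, key []byte, dst interface{}) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return errors.New("malformed token or unexpected header")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(hs256(key, parts[0]+"."+parts[1]))) {
		return errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	return json.Unmarshal(payload, dst)
}

// IdentityClaimsFrom is the superset-returning ClaimsFrom the thread proposes:
// the standard claims are checked as before and auth_time comes back alongside them.
func IdentityClaimsFrom(token string, key []byte, issuer, audience string, now time.Time) (*IdentityClaims, error) {
	var c IdentityClaims
	if err := verifyHS256(token, key, &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer || c.Audience != audience {
		return nil, errors.New("issuer or audience mismatch")
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

// RequireRecentAuth is what a client needs auth_time for: refuse a sensitive
// action unless the user authenticated within maxAge of now.
func RequireRecentAuth(c *IdentityClaims, maxAge time.Duration, now time.Time) error {
	if c.AuthTime == 0 {
		return errors.New("auth_time claim missing; cannot enforce max age")
	}
	if now.Sub(time.Unix(c.AuthTime, 0)) > maxAge {
		return errors.New("authentication too old: step-up required")
	}
	return nil
}

func main() {
	key, now := []byte("constructed-example-key"), time.Unix(1700000000, 0) // sample key, not a secret
	tok, _ := mintHS256(key, IdentityClaims{AuthTime: now.Unix() - 7200, StandardClaims: StandardClaims{
		Issuer: "https://authn.example.test", Subject: "42", Audience: "app.example.test", Expiry: now.Unix() + 3600}})
	id, err := IdentityClaimsFrom(tok, key, "https://authn.example.test", "app.example.test", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("auth_time:", id.AuthTime, "/ 1h max age:", RequireRecentAuth(id, time.Hour, now))
}
```

Decoding the same verified payload into `StandardClaims` succeeds but drops `auth_time` on the floor, which is the behaviour the issue reports for today's `ClaimsFrom`; `IdentityClaimsFrom` is the superset version. `auth_time` is only trustworthy after the signature, issuer, audience and expiry checks have passed, so the max-age check runs on the returned claims and never on a decoded-but-unverified payload.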