Skip ClientID Check

- adding the option to skip the client id check, defaults to false

Author: gambol99

key/doc.go

@@ -1,2 +1,2 @@
-// Package key is DEPRECATED. Use github.com/coreos/go-oidc instead.
+// Package key is DEPRECATED. Use github.com/gambol99/go-oidc instead.
 package key

key/key.go

@@ -8,7 +8,7 @@ import (
 	"io"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 func NewPublicKey(jwk jose.JWK) *PublicKey {

key/key_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 func TestPrivateRSAKeyJWK(t *testing.T) {

key/manager.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/jonboulle/clockwork"
 
-	"github.com/coreos/go-oidc/jose"
 	"github.com/coreos/pkg/health"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 type PrivateKeyManager interface {

key/manager_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/jonboulle/clockwork"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 var (

oauth2/oauth2.go

@@ -12,7 +12,7 @@ import (
 	"strconv"
 	"strings"
 
-	phttp "github.com/coreos/go-oidc/http"
+	phttp "github.com/gambol99/go-oidc/http"
 )
 
 // ResponseTypesEqual compares two response_type values. If either

oauth2/oauth2_test.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 	"testing"
 
-	phttp "github.com/coreos/go-oidc/http"
+	phttp "github.com/gambol99/go-oidc/http"
 )
 
 func TestResponseTypesEqual(t *testing.T) {

oidc/client.go

@@ -10,10 +10,10 @@ import (
 	"sync"
 	"time"
 
-	phttp "github.com/coreos/go-oidc/http"
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/key"
-	"github.com/coreos/go-oidc/oauth2"
+	phttp "github.com/gambol99/go-oidc/http"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/key"
+	"github.com/gambol99/go-oidc/oauth2"
 )
 
 const (
@@ -408,7 +408,7 @@ func emailsToStrings(addrs []mail.Address) []string {
 //
 // NOTE(ericchiang): For development purposes Valid does not mandate 'https' for
 // URLs fields where the OIDC spec requires it. This may change in future releases
-// of this package. See: https://github.com/coreos/go-oidc/issues/34
+// of this package. See: https://github.com/gambol99/go-oidc/issues/34
 func (m *ClientMetadata) Valid() error {
 	if len(m.RedirectURIs) == 0 {
 		return errors.New("zero redirect URLs")
@@ -556,12 +556,13 @@ func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error {
 }
 
 type ClientConfig struct {
-	HTTPClient     phttp.Client
-	Credentials    ClientCredentials
-	Scope          []string
-	RedirectURL    string
-	ProviderConfig ProviderConfig
-	KeySet         key.PublicKeySet
+	Credentials       ClientCredentials
+	HTTPClient        phttp.Client
+	KeySet            key.PublicKeySet
+	ProviderConfig    ProviderConfig
+	RedirectURL       string
+	Scope             []string
+	SkipClientIDCheck bool
 }
 
 func NewClient(cfg ClientConfig) (*Client, error) {
@@ -579,6 +580,7 @@ func NewClient(cfg ClientConfig) (*Client, error) {
 		redirectURL:    ru.String(),
 		providerConfig: newProviderConfigRepo(cfg.ProviderConfig),
 		keySet:         cfg.KeySet,
+		skipClientID:   cfg.SkipClientIDCheck,
 	}
 
 	if c.httpClient == nil {
@@ -593,19 +595,21 @@ func NewClient(cfg ClientConfig) (*Client, error) {
 	return &c, nil
 }
 
+// Client is the oidc client
 type Client struct {
-	httpClient     phttp.Client
-	providerConfig *providerConfigRepo
-	credentials    ClientCredentials
-	redirectURL    string
-	scope          []string
-	keySet         key.PublicKeySet
-	providerSyncer *ProviderConfigSyncer
-
+	credentials     ClientCredentials
+	httpClient      phttp.Client
+	keySet          key.PublicKeySet
 	keySetSyncMutex sync.RWMutex
 	lastKeySetSync  time.Time
+	providerConfig  *providerConfigRepo
+	providerSyncer  *ProviderConfigSyncer
+	redirectURL     string
+	scope           []string
+	skipClientID    bool
 }
 
+// Healthy checks the provider is healthy
 func (c *Client) Healthy() error {
 	now := time.Now().UTC()
 
@@ -622,6 +626,7 @@ func (c *Client) Healthy() error {
 	return nil
 }
 
+// OAuthClient returns a oauth2 client
 func (c *Client) OAuthClient() (*oauth2.Client, error) {
 	cfg := c.providerConfig.Get()
 	authMethod, err := chooseAuthMethod(cfg)
@@ -771,18 +776,21 @@ func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error) {
 	return jwt, c.VerifyJWT(jwt)
 }
 
+// VerifyJWT verifies the JWT tokens
 func (c *Client) VerifyJWT(jwt jose.JWT) error {
 	var keysFunc func() []key.PublicKey
-	if kID, ok := jwt.KeyID(); ok {
-		keysFunc = c.keysFuncWithID(kID)
+	if kid, ok := jwt.KeyID(); ok {
+		keysFunc = c.keysFuncWithID(kid)
 	} else {
 		keysFunc = c.keysFuncAll()
 	}
 
 	v := NewJWTVerifier(
 		c.providerConfig.Get().Issuer.String(),
 		c.credentials.ID,
-		c.maybeSyncKeys, keysFunc)
+		c.maybeSyncKeys,
+		keysFunc,
+		c.skipClientID)
 
 	return v.Verify(jwt)
 }

oidc/client_race_test.go

@@ -59,7 +59,7 @@ func TestProviderSyncRace(t *testing.T) {
 	}
 
 	if !cli.providerConfig.Get().Empty() {
-		t.Errorf("want c.ProviderConfig == nil, got c.ProviderConfig=%#v")
+		t.Errorf("want c.ProviderConfig == nil, got c.ProviderConfig=%#v", cli.providerConfig)
 	}
 
 	// SyncProviderConfig beings a goroutine which writes to the client's provider config.

oidc/client_test.go

@@ -8,9 +8,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/key"
-	"github.com/coreos/go-oidc/oauth2"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/key"
+	"github.com/gambol99/go-oidc/oauth2"
 	"github.com/kylelemons/godebug/pretty"
 )
 

oidc/doc.go

@@ -1,2 +1,2 @@
-// Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.
+// Package oidc is DEPRECATED. Use github.com/gambol99/go-oidc instead.
 package oidc

oidc/identity.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 type Identity struct {

oidc/identity_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 func TestIdentityFromClaims(t *testing.T) {

oidc/key.go

@@ -6,9 +6,9 @@ import (
 	"net/http"
 	"time"
 
-	phttp "github.com/coreos/go-oidc/http"
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/key"
+	phttp "github.com/gambol99/go-oidc/http"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/key"
 )
 
 // DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no

oidc/provider.go

@@ -14,8 +14,8 @@ import (
 	"github.com/coreos/pkg/timeutil"
 	"github.com/jonboulle/clockwork"
 
-	phttp "github.com/coreos/go-oidc/http"
-	"github.com/coreos/go-oidc/oauth2"
+	phttp "github.com/gambol99/go-oidc/http"
+	"github.com/gambol99/go-oidc/oauth2"
 )
 
 const (
@@ -325,7 +325,7 @@ func contains(sli []string, ele string) bool {
 //
 // NOTE(ericchiang): For development purposes Valid does not mandate 'https' for
 // URLs fields where the OIDC spec requires it. This may change in future releases
-// of this package. See: https://github.com/coreos/go-oidc/issues/34
+// of this package. See: https://github.com/gambol99/go-oidc/issues/34
 func (p ProviderConfig) Valid() error {
 	grantTypes := p.GrantTypesSupported
 	if len(grantTypes) == 0 {

oidc/provider_test.go

@@ -17,8 +17,8 @@ import (
 	"github.com/kylelemons/godebug/diff"
 	"github.com/kylelemons/godebug/pretty"
 
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oauth2"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/oauth2"
 )
 
 func TestProviderConfigDefaults(t *testing.T) {

oidc/transport.go

@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"sync"
 
-	phttp "github.com/coreos/go-oidc/http"
-	"github.com/coreos/go-oidc/jose"
+	phttp "github.com/gambol99/go-oidc/http"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 type TokenRefresher interface {

oidc/transport_test.go

@@ -6,7 +6,7 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 type staticTokenRefresher struct {

oidc/util.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 // RequestTokenExtractor funcs extract a raw encoded token from a request.

oidc/util_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 func TestCookieTokenExtractorInvalid(t *testing.T) {