Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: export token expired error #342

Merged
merged 1 commit into from
Jun 27, 2022
+24 −7
Merged

feat: export token expired error #342

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion oidc/verify.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,18 @@ const (
issuerGoogleAccountsNoScheme = "accounts.google.com"
)

// TokenExpiredError indicates that Verify failed because the token was expired. This
// error does NOT indicate that the token is not also invalid for other reasons. Other
// checks might have failed if the expiration check had not failed.
type TokenExpiredError struct {
// Expiry is the time when the token expired.
Expiry time.Time
}

func (e *TokenExpiredError) Error() string {
return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
}

// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
// of JSON web tokens. This is expected to be backed by a remote key set through
// provider metadata discovery or an in-memory set of keys delivered out-of-band.
Expand Down Expand Up @@ -260,7 +272,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
nowTime := now()

if t.Expiry.Before(nowTime) {
return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
return nil, &TokenExpiredError{Expiry: t.Expiry}
}

// If nbf claim is provided in token, ensure that it is indeed in the past.
Expand Down
17 changes: 11 additions & 6 deletions oidc/verify_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package oidc
import (
"context"
"crypto"
"errors"
"io"
"net/http"
"net/http/httptest"
Expand Down Expand Up @@ -72,8 +73,8 @@ func TestVerify(t *testing.T) {
config: Config{
SkipClientIDCheck: true,
},
signKey: newRSAKey(t),
wantErr: true,
signKey: newRSAKey(t),
wantErrAs: &TokenExpiredError{},
},
{
name: "unexpired token",
Expand Down Expand Up @@ -530,8 +531,9 @@ type verificationTest struct {
// testing invalid signatures.
verificationKey *signingKey

config Config
wantErr bool
config Config
wantErr bool
wantErrAs error
}

func (v verificationTest) runGetToken(t *testing.T) (*IDToken, error) {
Expand All @@ -557,10 +559,13 @@ func (v verificationTest) runGetToken(t *testing.T) (*IDToken, error) {

func (v verificationTest) run(t *testing.T) {
_, err := v.runGetToken(t)
if err != nil && !v.wantErr {
if err != nil && !v.wantErr && v.wantErrAs == nil {
t.Errorf("%v", err)
}
if err == nil && v.wantErr {
if err == nil && (v.wantErr || v.wantErrAs != nil) {
t.Errorf("expected error")
}
if v.wantErrAs != nil && !errors.As(err, &v.wantErrAs) {
t.Errorf("expected error %q but got %q", v.wantErrAs, err)
}
}