var synchronizeTokenIDVerifierForTest … const wellKnownEndpointPath … type Options … type CAContentProvider … // initVerifier creates a new ID token verifier for the given configuration and issuer URL. On success, calls setVerifier with the // resulting verifier. func initVerifier(ctx context.Context, config *oidc.Config, iss string, audiences sets.Set[string]) (*idTokenVerifier, error) { … } type asyncIDTokenVerifier … // newAsyncIDTokenVerifier creates a new asynchronous token verifier. The // verifier is available immediately, but may remain uninitialized for some time // after creation. func newAsyncIDTokenVerifier(ctx context.Context, c *oidc.Config, iss string, audiences sets.Set[string]) *asyncIDTokenVerifier { … } // verifier returns the underlying ID token verifier, or nil if one is not yet initialized. func (a *asyncIDTokenVerifier) verifier() *idTokenVerifier { … } type jwtAuthenticator … type idTokenVerifier … func (a *jwtAuthenticator) setVerifier(v *idTokenVerifier) { … } func (a *jwtAuthenticator) idTokenVerifier() (*idTokenVerifier, bool) { … } func AllValidSigningAlgorithms() []string { … } var allowedSigningAlgs … type AuthenticatorTokenWithHealthCheck … // New returns an authenticator that is asynchronously initialized when opts.KeySet is not set. // The input lifecycleCtx is used to: // - terminate background goroutines that are needed for asynchronous initialization // - as the base context for any requests that are made (i.e. for key fetching) // Thus, once the lifecycleCtx is canceled, the authenticator must not be used. // A caller may check if the authenticator is healthy by calling the HealthCheck method. func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHealthCheck, error) { … } type errorHolder … type discoveryURLRoundTripper … func (t *discoveryURLRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { … } // untrustedIssuer extracts an untrusted "iss" claim from the given JWT token, // or returns an error if the token can not be parsed. Since the JWT is not // verified, the returned issuer should not be trusted. func untrustedIssuer(token string) (string, error) { … } func hasCorrectIssuer(iss, tokenData string) bool { … } type endpoint … type claimResolver … // newClaimResolver creates a new resolver for distributed claims. // the input ctx is retained and is used as the base context for background requests such as key fetching. func newClaimResolver(ctx context.Context, claim string, client *http.Client, config *oidc.Config, audiences sets.Set[string]) *claimResolver { … } // Verifier returns either the verifier for the specified issuer, or error. func (r *claimResolver) Verifier(iss string) (*idTokenVerifier, error) { … } // expand extracts the distributed claims from claim names and claim sources. // The extracted claim value is pulled up into the supplied claims. // // Distributed claims are of the form as seen below, and are defined in the // OIDC Connect Core 1.0, section 5.6.2. // See: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims // // { // ... (other normal claims)... // "_claim_names": { // "groups": "src1" // }, // "_claim_sources": { // "src1": { // "endpoint": "https://www.example.com", // "access_token": "f005ba11" // }, // }, // } func (r *claimResolver) expand(ctx context.Context, c claims) error { … } // resolve requests distributed claims from all endpoints passed in, // and inserts the lookup results into allClaims. func (r *claimResolver) resolve(ctx context.Context, endpoint endpoint, allClaims claims) error { … } func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) { … } // verifyAudience verifies the audience field in the ID token matches the expected audience. // This is added based on https://github.com/coreos/go-oidc/blob/b203e58c24394ddf5e816706a7645f01280245c7/oidc/verify.go#L275-L281 // with the difference that we allow multiple audiences. // // AuthenticationConfiguration has a audienceMatchPolicy field, but the only supported value now is "MatchAny". // So, The default match behavior is to match at least one of the audiences in the ID token. func (v *idTokenVerifier) verifyAudience(t *oidc.IDToken) error { … } func (a *jwtAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) { … } func (a *jwtAuthenticator) HealthCheck() error { … } func (a *jwtAuthenticator) getUsername(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) { … } func (a *jwtAuthenticator) getGroups(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) ([]string, error) { … } func (a *jwtAuthenticator) getUID(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (string, error) { … } func (a *jwtAuthenticator) getExtra(ctx context.Context, c claims, claimsUnstructured *unstructured.Unstructured) (map[string][]string, error) { … } func getCredentialID(c claims) string { … } // getClaimJWT gets a distributed claim JWT from url, using the supplied access // token as bearer token. If the access token is "", the authorization header // will not be set. // TODO: Allow passing in JSON hints to the IDP. func getClaimJWT(ctx context.Context, client *http.Client, url, accessToken string) (string, error) { … } type stringOrArray … func (s *stringOrArray) UnmarshalJSON(b []byte) error { … } type claims … func (c claims) unmarshalClaim(name string, v interface{ … } func (c claims) hasClaim(name string) bool { … } // convertCELValueToStringList converts the CEL value to a string list. // The CEL value needs to be either a string or a list of strings. // "", [] are treated as not being present and will return nil. // Empty string in a list of strings is treated as not being present and will be filtered out. func convertCELValueToStringList(val ref.Val) ([]string, error) { … } type messageFunc … // checkValidationRulesEvaluation checks if the validation rules evaluation results // are valid. If the validation rules evaluation results are not valid, it returns // an error with an optional message that was set in the validation rule. func checkValidationRulesEvaluation(results []authenticationcel.EvaluationResult, messageFn messageFunc) error { … } func convertObjectToUnstructured(obj interface{ … } func convertUserInfoToUnstructured(info user.Info) (*unstructured.Unstructured, error) { … }