const issuerGoogleAccounts … const issuerGoogleAccountsNoScheme … type KeySet … type IDTokenVerifier … // NewVerifier returns a verifier manually constructed from a key set and issuer URL. // // It's easier to use provider discovery to construct an IDTokenVerifier than creating // one directly. This method is intended to be used with provider that don't support // metadata discovery, or avoiding round trips when the key set URL is already known. // // This constructor can be used to create a verifier directly using the issuer URL and // JSON Web Key Set URL without using discovery: // // keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs") // verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config) // // Since KeySet is an interface, this constructor can also be used to supply custom // public key sources. For example, if a user wanted to supply public keys out-of-band // and hold them statically in-memory: // // // Custom KeySet implementation. // keySet := newStatisKeySet(publicKeys...) // // // Verifier uses the custom KeySet implementation. // verifier := oidc.NewVerifier("https://auth.example.com", keySet, config) // func NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier { … } type Config … // Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs. // // The returned IDTokenVerifier is tied to the Provider's context and its behavior is // undefined once the Provider's context is canceled. func (p *Provider) Verifier(config *Config) *IDTokenVerifier { … } func parseJWT(p string) ([]byte, error) { … } func contains(sli []string, ele string) bool { … } // Returns the Claims from the distributed JWT token func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src claimSource) ([]byte, error) { … } func parseClaim(raw []byte, name string, v interface{ … } // Verify parses a raw ID Token, verifies it's been signed by the provider, preforms // any additional checks depending on the Config, and returns the payload. // // Verify does NOT do nonce validation, which is the callers responsibility. // // See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation // // oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code")) // if err != nil { // // handle error // } // // // Extract the ID Token from oauth2 token. // rawIDToken, ok := oauth2Token.Extra("id_token").(string) // if !ok { // // handle error // } // // token, err := verifier.Verify(ctx, rawIDToken) // func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) { … } // Nonce returns an auth code option which requires the ID Token created by the // OpenID Connect provider to contain the specified nonce. func Nonce(nonce string) oauth2.AuthCodeOption { … }