aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '69fc3a47d0'
${ noResults }
boundary/internal/auth/oidc/aud_claim.go

90 lines
2.5 KiB
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package oidc
import (
"context"
"github.com/hashicorp/boundary/internal/auth/oidc/store"
"github.com/hashicorp/boundary/internal/errors"
"google.golang.org/protobuf/proto"
)
// defaultAudClaimTableName defines the default table name for an AudClaim
const defaultAudClaimTableName = "auth_oidc_aud_claim"
// AudClaim defines an audience claim for an OIDC auth method. It is assigned
// to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to
// its AudClaims. AudClaims are value objects of an AuthMethod, therefore
// there's no need for oplog metadata, since only the AuthMethod will have
// metadata because it's the root aggregate.
//
// see aud claim in the oidc spec:
// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type AudClaim struct {
*store.AudClaim
tableName string
}
// NewAudClaim creates a new in memory audience claim assigned to an OIDC
// AuthMethod. It supports no options. If an AuthMethod as assigned AudClaims,
// then ID tokens issued from the provider must contain one of the assigned
// audiences to be valid.
//
// For more info on oidc aud claims, see the oidc spec:
// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func NewAudClaim(ctx context.Context, authMethodId string, audClaim string) (*AudClaim, error) {
const op = "oidc.NewAudClaim"
c := &AudClaim{
AudClaim: &store.AudClaim{
OidcMethodId: authMethodId,
Aud: audClaim,
},
}
if err := c.validate(ctx, op); err != nil {
return nil, err // intentionally not wrapped
}
return c, nil
}
// validate the AudClaim. On success, it will return nil.
func (c *AudClaim) validate(ctx context.Context, caller errors.Op) error {
if c.OidcMethodId == "" {
return errors.New(ctx, errors.InvalidParameter, caller, "missing oidc auth method id")
}
if c.Aud == "" {
return errors.New(ctx, errors.InvalidParameter, caller, "missing aud claim")
}
return nil
}
// AllocAudClaim make an empty one in memory.
func AllocAudClaim() AudClaim {
return AudClaim{
AudClaim: &store.AudClaim{},
}
}
// Clone an AudClaim
func (c *AudClaim) Clone() *AudClaim {
cp := proto.Clone(c.AudClaim)
return &AudClaim{
AudClaim: cp.(*store.AudClaim),
}
}
// TableName returns the table name.
func (c *AudClaim) TableName() string {
if c.tableName != "" {
return c.tableName
}
return defaultAudClaimTableName
}
// SetTableName sets the table name.
func (c *AudClaim) SetTableName(n string) {
c.tableName = n
}
Reference in new issue View Git Blame Copy Permalink