package gha_oidc_auth
import (
	"context"
	"fmt"

	"github.com/broadinstitute/sherlock/internal/config"
	"github.com/coreos/go-oidc"
)
// verifier is the package-level verifier for GitHub Actions OIDC ID tokens.
// It is nil (the zero value) until InitVerifier succeeds and assigns it, so
// anything in this package that verifies tokens presumably depends on
// InitVerifier having been run first — confirm against the callers.
var verifier *oidc.IDTokenVerifier
// extraConfigurationClaims is the subset of the issuer's OpenID discovery
// document that InitVerifier needs beyond what go-oidc's Provider exposes
// directly; it is decoded from the raw document via provider.Claims.
type extraConfigurationClaims struct {
	// IdTokenSigningAlgValuesSupported is the discovery document's
	// id_token_signing_alg_values_supported field: the JWS algorithms the
	// issuer says it signs ID tokens with. It is handed to the verifier as the
	// allowed algorithm set; if the issuer omits the field this stays nil.
	IdTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}
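// InitVerifier builds the package-level verifier for GitHub Actions OIDC ID
// tokens from the issuer's OpenID discovery document.
//
// It reads the issuer URL from the auth.githubActionsOIDC.issuer config key
// (config.Config.MustString follows the Must convention and presumably panics
// if the key is absent, so this is intended to run at startup), discovers the
// provider with oidc.NewProvider, decodes the advertised signing algorithms
// from the discovery document, and stores the resulting verifier in the
// package-level `verifier` variable. On success it returns nil; on failure it
// returns an error wrapped with the issuer it was talking to and leaves
// `verifier` untouched.
//
// Security notes:
//   - The audience ("aud") check is disabled (SkipClientIDCheck). A GitHub
//     Actions workflow chooses the audience when it requests an ID token, so
//     with the check off, a token GitHub minted for some other relying party
//     (e.g. a cloud provider's OIDC federation) also passes verification here.
//     Beyond the issuer/signature check, nothing in this verifier binds the
//     token to Sherlock; the only trust decision is the downstream mapping of
//     the non-standard "actor_id" claim to a stored GitHub user ID, and that
//     mapping must therefore be treated as the authorization boundary.
//     Requiring a Sherlock-specific audience is the standard OIDC mitigation
//     for this replay surface; it is not done here because it would change the
//     contract callers (and their workflows) currently rely on.
//   - The accepted signing algorithms are taken verbatim from the discovery
//     document. If the issuer omits the field the slice is empty and go-oidc
//     falls back to RS256 (per the library's documentation). An issuer able to
//     alter its discovery document already controls jwks_uri, so this is not an
//     escalation, but the accepted set is whatever the issuer publishes.
func InitVerifier(ctx context.Context) error {
	issuer := config.Config.MustString("auth.githubActionsOIDC.issuer")

	provider, err := oidc.NewProvider(ctx, issuer)
	if err != nil {
		return fmt.Errorf("discovering OIDC provider for issuer %q: %w", issuer, err)
	}

	var claims extraConfigurationClaims
	if err := provider.Claims(&claims); err != nil {
		return fmt.Errorf("decoding discovery document for issuer %q: %w", issuer, err)
	}

	verifier = provider.Verifier(&oidc.Config{
		// "aud" is deliberately not checked: GitHub lets the workflow pick it,
		// so it cannot identify Sherlock as the intended recipient. Identity is
		// established downstream from the "actor_id" claim instead; see the
		// security notes on InitVerifier for the replay caveat this implies.
		SkipClientIDCheck: true,
		// Use the algorithms the issuer actually advertises rather than
		// go-oidc's RS256 default, so the accepted set tracks what GitHub
		// publishes at its configuration endpoint.
		SupportedSigningAlgs: claims.IdTokenSigningAlgValuesSupported,
	})
	return nil
}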