keratin · cainlevy · Jun 28, 2022 · Jun 14, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@ Based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## HEAD
 
+## 1.2.0
+
+* Add `authn.ClaimsFrom` and `authn.ClaimsFromWithAudience` to support
+  extraction of identity token claims.
+
 ## 1.1.0
 
 ### Added

diff --git a/authn/authn.go b/authn/authn.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/keratin/authn-server/app/tokens/identities"
 	jwt "gopkg.in/square/go-jose.v2/jwt"
 )
 
@@ -68,13 +69,13 @@ func (ac *Client) SubjectFromWithAudience(idToken string, audience jwt.Audience)
 // if and only if the token is a valid JWT that passes all
 // verification requirements. If the JWT does not verify, the returned
 // error will explain why. This is for debugging purposes.
-func (ac *Client) ClaimsFrom(idToken string) (*jwt.Claims, error) {
+func (ac *Client) ClaimsFrom(idToken string) (*identities.Claims, error) {
 	return ac.claimsFromVerifier(idToken, ac.verifier)
 }
 
 // ClaimsFromWithAudience works like ClaimsFrom but allows
 // specifying a different JWT audience.
-func (ac *Client) ClaimsFromWithAudience(idToken string, audience jwt.Audience) (*jwt.Claims, error) {
+func (ac *Client) ClaimsFromWithAudience(idToken string, audience jwt.Audience) (*identities.Claims, error) {
 	verifier, err := newIDTokenVerifierWithAudiences(ac.config.Issuer, audience, ac.kchain)
 	if err != nil {
 		return nil, err
@@ -90,7 +91,7 @@ func (ac *Client) subjectFromVerifier(idToken string, verifier JWTClaimsExtracto
 	return claims.Subject, nil
 }
 
-func (ac *Client) claimsFromVerifier(idToken string, verifier JWTClaimsExtractor) (*jwt.Claims, error) {
+func (ac *Client) claimsFromVerifier(idToken string, verifier JWTClaimsExtractor) (*identities.Claims, error) {
 	claims, err := verifier.GetVerifiedClaims(idToken)
 	if err != nil {
 		return nil, err

diff --git a/authn/interfaces.go b/authn/interfaces.go
@@ -1,8 +1,8 @@
 package authn
 
 import (
+	"github.com/keratin/authn-server/app/tokens/identities"
 	jose "gopkg.in/square/go-jose.v2"
-	jwt "gopkg.in/square/go-jose.v2/jwt"
 )
 
 // Provides a JSON Web Key from a Key ID
@@ -14,5 +14,5 @@ type JWKProvider interface {
 
 // Extracts verified in-built claims from a jwt idToken
 type JWTClaimsExtractor interface {
-	GetVerifiedClaims(idToken string) (*jwt.Claims, error)
+	GetVerifiedClaims(idToken string) (*identities.Claims, error)
 }
diff --git a/authn/verifier.go b/authn/verifier.go
@@ -5,12 +5,11 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/keratin/authn-server/app/tokens/identities"
 	jwt "gopkg.in/square/go-jose.v2/jwt"
 )
 
-var (
-	ErrNoKey = errors.New("No keys found")
-)
+var ErrNoKey = errors.New("No keys found")
 
 // A JWT Claims extractor (JWTClaimsExtractor) implementation
 // which extracts claims from Authn idToken
@@ -42,7 +41,7 @@ func newIDTokenVerifierWithAudiences(issuer string, audiences jwt.Audience, keyc
 }
 
 // Gets verified claims from an Authn idToken
-func (verifier *idTokenVerifier) GetVerifiedClaims(idToken string) (*jwt.Claims, error) {
+func (verifier *idTokenVerifier) GetVerifiedClaims(idToken string) (*identities.Claims, error) {
 	var err error
 
 	claims, err := verifier.claims(idToken)
@@ -60,7 +59,7 @@ func (verifier *idTokenVerifier) GetVerifiedClaims(idToken string) (*jwt.Claims,
 
 // Gets claims object from an idToken using the key from keychain
 // Key from keychain is fetched using KeyID found in idToken's header
-func (verifier *idTokenVerifier) claims(idToken string) (*jwt.Claims, error) {
+func (verifier *idTokenVerifier) claims(idToken string) (*identities.Claims, error) {
 	var err error
 
 	idJwt, err := jwt.ParseSigned(idToken)
@@ -82,7 +81,7 @@ func (verifier *idTokenVerifier) claims(idToken string) (*jwt.Claims, error) {
 	}
 	key := keys[0]
 
-	claims := &jwt.Claims{}
+	claims := &identities.Claims{}
 	err = idJwt.Claims(key, claims)
 	if err != nil {
 		return nil, err
@@ -92,7 +91,7 @@ func (verifier *idTokenVerifier) claims(idToken string) (*jwt.Claims, error) {
 }
 
 // Verify the claims against the configured values
-func (verifier *idTokenVerifier) verify(claims *jwt.Claims) error {
+func (verifier *idTokenVerifier) verify(claims *identities.Claims) error {
 	var err error
 
 	// Validate rest of the claims

diff --git a/authn/verifier_test.go b/authn/verifier_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/keratin/authn-server/app/tokens/identities"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	jose "gopkg.in/square/go-jose.v2"
@@ -34,12 +35,15 @@ func TestIDTokenVerifier(t *testing.T) {
 	// factory defaults
 	randInt, err := rand.Int(rand.Reader, big.NewInt(99999))
 	require.NoError(t, err)
-	defaultClaims := jwt.Claims{
-		Issuer:   issuer,
-		Audience: jwt.Audience{audience},
-		Subject:  randInt.String(),
-		Expiry:   jwt.NewNumericDate(time.Now().Add(time.Hour)),
-		IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Minute)),
+	defaultClaims := identities.Claims{
+		AuthTime: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
+		Claims: jwt.Claims{
+			Issuer:   issuer,
+			Audience: jwt.Audience{audience},
+			Subject:  randInt.String(),
+			Expiry:   jwt.NewNumericDate(time.Now().Add(time.Hour)),
+			IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Minute)),
+		},
 	}
 	defaultSigner, err := jose.NewSigner(
 		jose.SigningKey{Algorithm: jose.RS256, Key: defaultJWK},

diff --git a/go.mod b/go.mod
@@ -3,8 +3,8 @@ module github.com/keratin/authn-go
 go 1.12
 
 require (
+	github.com/keratin/authn-server v1.15.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/stretchr/testify v1.3.0
-	golang.org/x/crypto v0.0.0-20170619204222-adbae1b6b6fb // indirect
-	gopkg.in/square/go-jose.v2 v2.1.3
+	github.com/stretchr/testify v1.5.1
+	gopkg.in/square/go-jose.v2 v2.3.1
 )