refactor(proof/oidc): readability + maintainability sweep#68
Merged
Conversation
Add concise godocs to every private type, struct, and helper the package exposes internally: options/defaultOptions, cachedKeySet, keySetRequest, the source.go clone family, claimPathKey, cloneClaimValue, validateHTTPSURL, signingAlgorithms, unverifiedIssuer, audienceAllowed, forwardClaims, mergedForwardedClaims, tokenClaim, setClaim, keySet, keySetCacheKey, fetchKeySet, constrainKeySet, verificationKey, keyAllowsVerification, and unauthenticated. Several godocs name the security invariant they preserve — HTTPS-only issuer/JWKS URLs, symmetric-algorithm refusal, maxJWKSBytes cap, forwarded-claim allow-list, fail-closed empty-key-set check, JWK use/key_ops gating — to match the inline-comment style about to land on Verifier.VerifyToken. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Annotate each gate in the OIDC JWT trust path so the security invariant it preserves is explicit. Mirrors the access/jwt/verifier.go style from PR #61. The annotations cover: empty-token rejection (signal amplification), unverified-issuer partial parse (lookup-then-verify rationale), trusted issuer lookup (untrusted-issuer defense), provider-issuer consistency (config-swap defense), revalidation of the resolved provider (corrupt trust-store row), the jwt.Parse omnibus (forgery, expiration bypass, time confusion, key-use smuggling), explicit non-empty subject check (blank-subject confusion), and audience match (audience confusion). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lift the 616-LOC verifier_test.go into four files mirroring the production layout: provider_test.go (Provider.Validate), source_test.go (StaticProviderSource), verifier_test.go (Verifier.VerifyToken only), helpers_test.go (fixtures + testIssuer + tokenRequest + failingProviderSource + fixedTime). No test logic changes; each function is lifted verbatim. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ource Make StaticProviderSource's implementation of ProviderSource a compile-time check so an accidental method signature drift breaks the build rather than a downstream caller. Store-side ProviderSource and ProviderTrustStore assertions already live in store/memory/oidc_test.go and store/postgres/oidc_test.go. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Eighth slice of the multi-session readability sweep (after
access/#61,authz/#62,exchange/#63,http/#64,management/#65,onboarding/#66,proof/apikey/#67). Second of three PRs coveringproof/. Same 10-criteria bar.proof/oidc/is the JWT trust gate for externally-issued OIDC tokens. The signature work this PR carries is annotating that gate.Security inline comments on
Verifier.VerifyTokenproof/oidc/verifier.go::VerifyTokenis analogous toaccess/jwt/verifier.go(PR #61) but lacked the per-check security annotations. Each branch now carries a comment naming the attack class it defends against:jwt.Parseomnibus — forgery, expiration bypass, time confusion, key-use smuggling.Test split
verifier_test.go(616 LOC) split per-domain mirroring the production layout:provider_test.go—Provider.Validatetests.source_test.go—StaticProviderSourcetests.verifier_test.go—Verifier.VerifyTokentests only.helpers_test.go— fixtures,testIssuer,tokenRequest,failingProviderSource,fixedTime.Other oidc changes
options,defaultOptions,cachedKeySet,keySetRequest, thesource.goclone family,claimPathKey,cloneClaimValue,validateHTTPSURL,signingAlgorithms,unverifiedIssuer,audienceAllowed,forwardClaims,mergedForwardedClaims,tokenClaim,setClaim,keySet,keySetCacheKey,fetchKeySet,constrainKeySet,verificationKey,keyAllowsVerification,unauthenticated.var _ ProviderSource = (*StaticProviderSource)(nil)assertion added tosource.go. Store-sideProviderSource/ProviderTrustStoreassertions already live in the store packages'_test.gofiles.Explicitly NOT changed
ProviderSourcestays as an interface. The plan considered demoting it to a function type but it has three implementations (StaticProviderSource,store/memory.Store,store/postgres.Store) and is embedded byProviderTrustStore. The premature-port demotion rule (one method + one implementation) does not apply.doc.go/options.go/source.go/types.go/verifier.go) is coherent.failingProviderSourceis appropriate.Commits
refactor(proof/oidc): godocs on private types and helpersrefactor(proof/oidc): security inline comments on Verifier.VerifyTokentest(proof/oidc): split verifier_test.go per domainrefactor(proof/oidc): compile-time port assertion for StaticProviderSourceTest plan
moon run root:check --summary minimal— format, lint, build, unit, Testcontainers integration all green.🤖 Generated with Claude Code