blob: 005dcc5dc47cf2580914a11f9af645f3d3b31406 [file] [log] [blame]
// Copyright 2020 The LUCI Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package openid
import (
// UserFromIDToken validates the ID token and extracts user information from it.
// Returns the partially validated token and auth.User extracted from it.
// The caller is still responsible to verify token's Audience field.
func UserFromIDToken(ctx context.Context, token string, discovery *DiscoveryDoc) (*IDToken, *auth.User, error) {
// Validate the discovery doc has necessary fields to proceed.
switch {
case discovery.Issuer == "":
return nil, nil, errors.Reason("openid: bad discovery doc, empty issuer").Err()
case discovery.JwksURI == "":
return nil, nil, errors.Reason("openid: bad discovery doc, empty jwks_uri").Err()
// Grab the signing keys needed to verify the token. This is almost always
// hitting the local process cache and thus must be fast.
signingKeys, err := discovery.SigningKeys(ctx)
if err != nil {
return nil, nil, err
// Unpack the ID token to grab the user information from it.
verifiedToken, err := VerifyIDToken(ctx, token, signingKeys, discovery.Issuer)
if err != nil {
return nil, nil, err
// Ignore non https:// URLs for pictures. We serve all pages over HTTPS and
// don't want to break this rule just for a pretty picture.
picture := verifiedToken.Picture
if picture != "" && !strings.HasPrefix(picture, "https://") {
picture = ""
// Build the identity string from the email. This essentially validates it
// against a regexp.
id, err := identity.MakeIdentity("user:" + verifiedToken.Email)
if err != nil {
return nil, nil, err
return verifiedToken, &auth.User{
Identity: id,
Email: verifiedToken.Email,
Name: verifiedToken.Name,
Picture: picture,
}, nil