oidc: don't parse JWT twice
ericchiang committed Sep 1, 2022
1 parent 51187a7 commit e5d768d
Showing 2 changed files with 12 additions and 3 deletions.
14 changes: 11 additions & 3 deletions oidc/jwks.go
Expand Up @@ -113,15 +113,23 @@ func (i *inflight) result() ([]jose.JSONWebKey, error) {
return i.keys, i.err
}

// paresdJWTKey is a context key that allows common setups to avoid parsing the
// JWT twice. It holds a *jose.JSONWebSignature value.
var parsedJWTKey contextKey

// VerifySignature validates a payload against a signature from the jwks_uri.
//
// Users MUST NOT call this method directly and should use an IDTokenVerifier
// instead. This method skips critical validations such as 'alg' values and is
// only exported to implement the KeySet interface.
func (r *RemoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
jws, err := jose.ParseSigned(jwt)
if err != nil {
return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
jws, ok := ctx.Value(parsedJWTKey).(*jose.JSONWebSignature)
if !ok {
var err error
jws, err = jose.ParseSigned(jwt)
if err != nil {
return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
}
}
return r.verify(ctx, jws)
}
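Review bot: The shortcut at `jws, ok := ctx.Value(parsedJWTKey).(*jose.JSONWebSignature)` verifies whatever signature the context happens to carry and never checks that it was parsed from the `jwt` argument, so the payload returned can belong to a different token than the one passed in whenever a context holding a parsed JWS is reused for another call. Keeping the raw token next to the parsed value and comparing it before taking the shortcut preserves the optimization and makes a mismatch fall through to the normal parse; the `context.WithValue` in the oidc/verify.go hunk would then store the pair instead of the bare `*jose.JSONWebSignature`. Separately, the doc comment on the new variable says `paresdJWTKey` while the identifier is `parsedJWTKey`. The `contextKey` type is declared outside this hunk; if another package-level key is declared as a zero-valued `contextKey` in the same way, both keys compare equal in `ctx.Value`, which is worth confirming.
```go
// parsedJWT pairs a raw token with the signature parsed from it, so that
// VerifySignature only skips re-parsing when the token it is asked to verify
// is the one that was parsed.
type parsedJWT struct {
	raw string
	jws *jose.JSONWebSignature
}

func (r *RemoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
	var jws *jose.JSONWebSignature
	if p, ok := ctx.Value(parsedJWTKey).(*parsedJWT); ok && p.raw == jwt {
		jws = p.jws
	} else {
		var err error
		jws, err = jose.ParseSigned(jwt)
		if err != nil {
			return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
		}
	}
	return r.verify(ctx, jws)
}
```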
1 change: 1 addition & 0 deletions oidc/verify.go
Expand Up @@ -308,6 +308,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok

t.sigAlgorithm = sig.Header.Algorithm

ctx = context.WithValue(ctx, parsedJWTKey, jws)
gotPayload, err := v.keySet.VerifySignature(ctx, rawIDToken)
if err != nil {
return nil, fmt.Errorf("failed to verify signature: %v", err)
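Review bot: The new `ctx = context.WithValue(ctx, parsedJWTKey, jws)` carries no comment saying why the signature is handed over through the context, and the reason is not obvious from this line alone; a comment such as `// Hand the already-parsed signature to RemoteKeySet.VerifySignature so it does not run jose.ParseSigned on rawIDToken a second time.` would explain it. Because `parsedJWTKey` is unexported, KeySet implementations outside this package cannot look the value up and keep parsing the token themselves, which the comment could also state if that is the intent. Verify's body begins and ends outside the hunk, and whether `jws` was parsed from `rawIDToken` is not visible here.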

0 comments on commit e5d768d

Please sign in to comment.