Move OIDC IDToken verifier behind interface

providers/adfs_test.go

@@ -43,7 +43,7 @@ func newSignedTestADFSToken(tokenClaims adfsClaims) (string, error) {
 }
 
 func testADFSProvider(hostname string) *ADFSProvider {
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: []string{"aud"},
 		ClientID:       "https://test.myapp.com",
 	}

providers/azure_test.go

@@ -41,7 +41,7 @@ type azureOAuthPayload struct {
 }
 
 func testAzureProvider(hostname string, opts options.AzureOptions) *AzureProvider {
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: []string{"aud"},
 		ClientID:       "cd6d4fae-f6a6-4a34-8454-2c6b598e9532",
 	}

providers/keycloak_oidc_test.go

@@ -45,7 +45,7 @@ func newTestKeycloakOIDCSetup() (*httptest.Server, *KeycloakOIDCProvider) {
 }
 
 func newKeycloakOIDCProvider(serverURL *url.URL, opts options.KeycloakOptions) *KeycloakOIDCProvider {
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: []string{defaultAudienceClaim},
 		ClientID:       mockClientID,
 	}

providers/oidc_test.go

@@ -27,7 +27,7 @@ type redeemTokenResponse struct {
 }
 
 func newOIDCProvider(serverURL *url.URL, skipNonce bool) *OIDCProvider {
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: []string{"aud"},
 		ClientID:       "https://test.myapp.com",
 	}

providers/provider_data.go

@@ -47,7 +47,7 @@ type ProviderData struct {
 	UserClaim            string
 	EmailClaim           string
 	GroupsClaim          string
-	Verifier             *internaloidc.IDTokenVerifier
+	Verifier             internaloidc.IDTokenVerifier
 
 	// Universal Group authorization data structure
 	// any provider can set to consume

providers/provider_data_test.go

@@ -202,7 +202,7 @@ func TestProviderData_verifyIDToken(t *testing.T) {
 
 			provider := &ProviderData{}
 			if tc.Verifier {
-				verificationOptions := &internaloidc.IDTokenVerificationOptions{
+				verificationOptions := internaloidc.IDTokenVerificationOptions{
 					AudienceClaims: []string{"aud"},
 					ClientID:       oidcClientID,
 				}
@@ -409,7 +409,7 @@ func TestProviderData_buildSessionFromClaims(t *testing.T) {
 		t.Run(testName, func(t *testing.T) {
 			g := NewWithT(t)
 
-			verificationOptions := &internaloidc.IDTokenVerificationOptions{
+			verificationOptions := internaloidc.IDTokenVerificationOptions{
 				AudienceClaims: []string{"aud"},
 				ClientID:       oidcClientID,
 			}
@@ -478,7 +478,7 @@ func TestProviderData_checkNonce(t *testing.T) {
 			g.Expect(err).ToNot(HaveOccurred())
 			tc.Session.IDToken = rawIDToken
 
-			verificationOptions := &internaloidc.IDTokenVerificationOptions{
+			verificationOptions := internaloidc.IDTokenVerificationOptions{
 				AudienceClaims: []string{"aud"},
 				ClientID:       oidcClientID,
 			}

providers/providers.go

@@ -160,7 +160,7 @@ func providerRequiresOIDCProviderVerifier(providerType options.ProviderType) (bo
 	}
 }
 
-func newOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Provider, *internaloidc.IDTokenVerifier, error) {
+func newOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Provider, internaloidc.IDTokenVerifier, error) {
 	// If the issuer isn't set, default it for platforms where it makes sense
 	if providerConfig.OIDCConfig.IssuerURL == "" {
 		switch providerConfig.Type {
@@ -183,13 +183,13 @@ func newOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Provider, *
 	}
 }
 
-func newDiscoveryOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Provider, *internaloidc.IDTokenVerifier, error) {
+func newDiscoveryOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Provider, internaloidc.IDTokenVerifier, error) {
 	// Configure discoverable provider data.
 	provider, err := oidc.NewProvider(context.TODO(), providerConfig.OIDCConfig.IssuerURL)
 	if err != nil {
 		return nil, nil, err
 	}
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: providerConfig.OIDCConfig.AudienceClaims,
 		ClientID:       providerConfig.ClientID,
 		ExtraAudiences: providerConfig.OIDCConfig.ExtraAudiences,
@@ -203,7 +203,7 @@ func newDiscoveryOIDCProviderVerifier(providerConfig options.Provider) (*oidc.Pr
 	return provider, verifier, nil
 }
 
-func newInsecureSkipIssuerVerificationOIDCVerifier(providerConfig options.Provider) (*internaloidc.IDTokenVerifier, error) {
+func newInsecureSkipIssuerVerificationOIDCVerifier(providerConfig options.Provider) (internaloidc.IDTokenVerifier, error) {
 	// go-oidc doesn't let us pass bypass the issuer check this in the oidc.NewProvider call
 	// (which uses discovery to get the URLs), so we'll do a quick check ourselves and if
 	// we get the URLs, we'll just use the non-discovery path.
@@ -241,7 +241,7 @@ func newInsecureSkipIssuerVerificationOIDCVerifier(providerConfig options.Provid
 	return newSkipDiscoveryOIDCVerifier(providerConfig)
 }
 
-func newSkipDiscoveryOIDCVerifier(providerConfig options.Provider) (*internaloidc.IDTokenVerifier, error) {
+func newSkipDiscoveryOIDCVerifier(providerConfig options.Provider) (internaloidc.IDTokenVerifier, error) {
 	var errs []error
 
 	// Construct a manual IDTokenVerifier from issuer URL & JWKS URI
@@ -262,7 +262,7 @@ func newSkipDiscoveryOIDCVerifier(providerConfig options.Provider) (*internaloid
 	}
 
 	keySet := oidc.NewRemoteKeySet(context.TODO(), providerConfig.OIDCConfig.JwksURL)
-	verificationOptions := &internaloidc.IDTokenVerificationOptions{
+	verificationOptions := internaloidc.IDTokenVerificationOptions{
 		AudienceClaims: providerConfig.OIDCConfig.AudienceClaims,
 		ClientID:       providerConfig.ClientID,
 		ExtraAudiences: providerConfig.OIDCConfig.ExtraAudiences,