From 591f293c8bcf464ed62701321d3f27de31ceb621 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 28 May 2025 12:14:11 -0600
Subject: refactor: parse headers injected by envoy
---
 pkg/authz/id_token.go | 38 ++++++++++++++++++++++++++------------
 pkg/authz/id_token_test.go | 1 +
 2 files changed, 27 insertions(+), 12 deletions(-)
(limited to 'pkg')
diff --git a/pkg/authz/id_token.go b/pkg/authz/id_token.go
index ccc96de..3271af8 100644
--- a/pkg/authz/id_token.go
+++ b/pkg/authz/id_token.go
@@ -5,21 +5,35 @@ import (
 "encoding/json"
 "errors"
 "strings"
- "time"
 )
 
+type CustomClaims struct {
+ Name string `json:"name"`
+ Nickname string `json:"nickname"`
+ Email string `json:"email"`
+ ProfileURL string `json:"profile"`
+ Picture string `json:"picture"`
+ Groups []string `json:"groups_direct"`
+}
+
 type IDToken struct {
- // Audience []string `json:"aud"`
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- ExpiredAt int64 `json:"exp"`
- IssuedAt int64 `json:"iat"`
- Issuer string `json:"iss"`
- Name string `json:"name"`
- Nickname string `json:"nickname"`
- Picture string `json:"picture"`
- Subject string `json:"sub"`
- UpdatedAt time.Time `json:"updated_at"`
+ Issuer string `json:"iss"`
+ Subject string `json:"sub"`
+ Audience any `json:"aud"`
+ Expiry any `json:"exp"`
+ IssuedAt any `json:"iat"`
+ NotBefore any `json:"nbf"`
+ Nonce string `json:"nonce"`
+ AtHash string `json:"at_hash"`
+ ClaimNames map[string]string `json:"_claim_names"`
+ ClaimSources map[string]ClaimSource `json:"_claim_sources"`
+
+ CustomClaims
+}
+
+type ClaimSource struct {
+ Endpoint string `json:"endpoint"`
+ AccessToken string `json:"access_token"`
 }
 
 func NewIDToken(raw string) (*IDToken, error) {
diff --git a/pkg/authz/id_token_test.go b/pkg/authz/id_token_test.go
index 22aabc4..054c48b 100644
--- a/pkg/authz/id_token_test.go
+++ b/pkg/authz/id_token_test.go
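Review bot: The `email_verified` claim is dropped from IDToken (the old `EmailVerified bool` field has no counterpart in the new struct or in CustomClaims), so callers can no longer distinguish a verified address from an unverified one; if any downstream decision keys on it, keep `EmailVerified bool `json:"email_verified"`` next to `Email` in CustomClaims. The `exp`, `nbf` and `iat` claims are typed `any`, which encoding/json decodes as float64, so any time comparison first needs a type assertion; `json.Number` (or an int64 field with a custom UnmarshalJSON, as the string-or-array `aud` will need anyway) would keep those checks typed. `ClaimSource.AccessToken` carries a credential, so an IDToken value should not be formatted with `%+v` in logs or error messages. The three exported types have no doc comments; e.g. `// IDToken holds the registered OIDC claims plus the provider-specific CustomClaims.`. NewIDToken's body lies outside the hunk, so whether expiry or issuer are checked there is not visible.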
@@ -15,6 +15,7 @@ func TestIDToken(t *testing.T) {
 t.Run("when the token is valid", func(t *testing.T) {
 user := mockoidc.DefaultUser()
 _, rawIDToken := idp.CreateTokensFor(user)
+ t.Logf("id_token: %v\n", rawIDToken)
 token, err := NewIDToken(rawIDToken)
 require.NoError(t, err)
-- 
cgit v1.2.3
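Review bot: The added `t.Logf("id_token: %v\n", rawIDToken)` writes a complete bearer token into the test output and ends its format string with `\n`, which go vet's printf check reports as a redundant newline because Logf already terminates the line. The token comes from the in-process mockoidc issuer, so nothing real is exposed here, but the line reads as a leftover debugging aid that tends to be copied into non-test code; either drop it or log a non-sensitive summary such as `t.Logf("id_token length: %d", len(rawIDToken))`. TestIDToken's body continues outside the hunk.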