Refactor token exchange to remove unused custom claims and enhance thumbprint calculation options

Author: hupe1980

_example/main.go

@@ -48,8 +48,7 @@ func main() {
 
 		// Parse the JSON payload
 		var payload struct {
-			IDToken      string         `json:"id_token"`
-			CustomClaims map[string]any `json:"custom_claims"`
+			IDToken string `json:"id_token"`
 		}
 
 		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
@@ -64,7 +63,7 @@ func main() {
 		}
 
 		// Exchange the token
-		accessToken, err := tokenBridge.ExchangeToken(r.Context(), payload.IDToken, payload.CustomClaims)
+		accessToken, err := tokenBridge.ExchangeToken(r.Context(), payload.IDToken)
 		if err != nil {
 			http.Error(w, fmt.Sprintf("Failed to exchange token: %v", err), http.StatusInternalServerError)
 			return

oidc.go

@@ -37,6 +37,12 @@ type OIDCVerifierOptions struct {
 	// Now is a function that returns the current time, which can be used for expiry and validity checks.
 	// If not provided, the default time function (time.Now) is used.
 	Now func() time.Time
+
+	// CalculateThumbprintOptions is an optional configuration for calculating the thumbprint.
+	// It allows customization of the TLS configuration and dialer used to establish the connection.
+	// This is useful for scenarios where you need to specify custom TLS settings or a custom dialer.
+	// If nil, default settings will be used.
+	CalculateThumbprintOptions *CalculateThumbprintOptions
 }
 
 // OIDCVerifier is responsible for verifying OpenID Connect ID tokens.
@@ -102,8 +108,9 @@ func NewOIDCVerifier(ctx context.Context, issuerURL *url.URL, clientIDs []string
 	transport := opts.Transport
 	if len(opts.Thumbprints) > 0 {
 		transport = &thumbprintValidatingTransport{
-			transport:   opts.Transport,
-			thumbprints: opts.Thumbprints,
+			transport:                  opts.Transport,
+			thumbprints:                opts.Thumbprints,
+			calculateThumbprintOptions: opts.CalculateThumbprintOptions,
 		}
 	}
 

transport.go

@@ -27,11 +27,11 @@ type thumbprintValidatingTransport struct {
 	// one of the valid thumbprints, the response is rejected.
 	thumbprints []string
 
-	// tlsConfig is a customizable TLS configuration used when establishing the TLS connection.
-	tlsConfig *tls.Config
-
-	// dialer is a custom network dialer that will be used to establish the network connection.
-	dialer *net.Dialer
+	// calculateThumbprintOptions is an optional configuration for calculating the thumbprint.
+	// It allows customization of the TLS configuration and dialer used to establish the connection.
+	// This is useful for scenarios where you need to specify custom TLS settings or a custom dialer.
+	// If nil, default settings will be used.
+	calculateThumbprintOptions *CalculateThumbprintOptions
 }
 
 // RoundTrip executes the HTTP request and processes the response. It validates the certificate
@@ -80,12 +80,14 @@ func (t *thumbprintValidatingTransport) RoundTrip(req *http.Request) (*http.Resp
 		}
 
 		thumbprint, err := CalculateThumbprintFromJWKS(jwksURL, func(o *CalculateThumbprintOptions) {
-			if t.tlsConfig != nil {
-				o.TLSConfig = t.tlsConfig
-			}
-
-			if t.dialer != nil {
-				o.Dialer = t.dialer
+			if t.calculateThumbprintOptions != nil {
+				if t.calculateThumbprintOptions.TLSConfig != nil {
+					o.TLSConfig = t.calculateThumbprintOptions.TLSConfig
+				}
+
+				if t.calculateThumbprintOptions.Dialer != nil {
+					o.Dialer = t.calculateThumbprintOptions.Dialer
+				}
 			}
 		})
 		if err != nil {
@@ -117,8 +119,11 @@ func (t *thumbprintValidatingTransport) isThumbprintValid(thumbprint string) boo
 
 // CalculateThumbprintOptions holds configuration for CalculateThumbprintFromJWKS
 type CalculateThumbprintOptions struct {
+	// TLSConfig is a customizable TLS configuration used when establishing the TLS connection.
 	TLSConfig *tls.Config
-	Dialer    *net.Dialer
+
+	// Dialer is a custom network dialer that will be used to establish the network connection.
+	Dialer *net.Dialer
 }
 
 // CalculateThumbprintFromJWKS retrieves the certificate chain from the JWKS URI, extracts the last certificate,

transport_test.go

@@ -0,0 +1,46 @@
+package tokenbridge
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCalculateThumbprint(t *testing.T) {
+	// Sample PEM-encoded certificate
+	certPEM := `-----BEGIN CERTIFICATE-----
+MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
+b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
+BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
+MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
+VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
+b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
+YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
+21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
+rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
+Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
+nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
+FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
+NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
+-----END CERTIFICATE-----`
+
+	// Decode the PEM-encoded certificate
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		t.Fatalf("failed to decode PEM block")
+	}
+
+	// Parse the certificate
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+
+	// Calculate the thumbprint
+	thumbprint, err := calculateThumbprint(cert)
+	assert.NoError(t, err, "Expected no error while calculating thumbprint")
+	assert.Equal(t, "990F4193972F2BECF12DDEDA5237F9C952F20D9E", thumbprint, "Thumbprint should match expected value")
+}