refactor(tokenparser): simplify default parser

ndyakov · ndyakov · commit 57e500d81b3c · 2025-04-28T16:10:40.000+03:00
Simplify the default identity provider response parser by extracting the raw token from the response and then parsing it as jwt token.
diff --git a/internal/idp_response.go b/internal/idp_response.go
@@ -36,17 +36,17 @@ func NewIDPResp(resultType string, result interface{}) (*IDPResp, error) {
 		default:
 			return nil, fmt.Errorf("invalid auth result type: expected public.AuthResult or *public.AuthResult, got %T", result)
 		}
+		r.rawTokenVal = r.authResultVal.AccessToken
 	case "AccessToken":
 		switch v := result.(type) {
 		case *azcore.AccessToken:
 			r.accessTokenVal = v
-			r.rawTokenVal = v.Token
 		case azcore.AccessToken:
 			r.accessTokenVal = &v
-			r.rawTokenVal = v.Token
 		default:
 			return nil, fmt.Errorf("invalid access token type: expected azcore.AccessToken or *azcore.AccessToken, got %T", result)
 		}
+		r.rawTokenVal = r.accessTokenVal.Token
 	case "RawToken":
 		switch v := result.(type) {
 		case string:
diff --git a/manager/defaults.go b/manager/defaults.go
@@ -96,7 +96,8 @@ type defaultIdentityProviderResponseParser struct{}
 
 // ParseResponse parses the response from the identity provider and extracts the token.
 // It takes an IdentityProviderResponse as an argument and returns a Token and an error if any.
-// The IdentityProviderResponse contains the raw token and the expiration time.
+// The raw token is extracted based on the IdentityProviderResponse Type and then
+// is parsed as a JWT token to extract the claims.
 func (*defaultIdentityProviderResponseParser) ParseResponse(response shared.IdentityProviderResponse) (*token.Token, error) {
 	if response == nil {
 		return nil, fmt.Errorf("identity provider response cannot be nil")
@@ -113,82 +114,51 @@ func (*defaultIdentityProviderResponseParser) ParseResponse(response shared.Iden
 			return nil, fmt.Errorf("failed to get auth result: %w", err)
 		}
 
-		claims := struct {
-			jwt.RegisteredClaims
-			Oid string `json:"oid,omitempty"`
-		}{}
-
-		// Parse the token to extract claims, but note that signature verification
-		// should be handled by the identity provider
-		_, _, err = jwt.NewParser().ParseUnverified(authResult.AccessToken, &claims)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse JWT token: %w", err)
-		}
-
-		if claims.Oid == "" {
-			return nil, fmt.Errorf("auth result OID is empty")
-		}
-
-		if claims.ExpiresAt.IsZero() {
-			return nil, fmt.Errorf("auth result expiration time is not set")
-		}
-
+		expiresOn = authResult.ExpiresOn.UTC()
 		rawToken = authResult.AccessToken
-		username = claims.Oid
-		password = rawToken
-		expiresOn = claims.ExpiresAt.UTC()
-
-	case shared.ResponseTypeRawToken, shared.ResponseTypeAccessToken:
-		var tokenStr string
-		var err error
-		if response.Type() == shared.ResponseTypeRawToken {
-			tokenStr, err = response.(shared.RawTokenIDPResponse).RawToken()
-			if err != nil {
-				return nil, fmt.Errorf("failed to get raw token: %w", err)
-			}
-		}
-		if response.Type() == shared.ResponseTypeAccessToken {
-			accessToken, err := response.(shared.AccessTokenIDPResponse).AccessToken()
-			if err != nil {
-				return nil, fmt.Errorf("failed to get access token: %w", err)
-			}
-			if accessToken.Token == "" {
-				return nil, fmt.Errorf("access token value is empty")
-			}
-			tokenStr = accessToken.Token
-			expiresOn = accessToken.ExpiresOn.UTC()
-		}
-
-		if tokenStr == "" {
-			return nil, fmt.Errorf("raw token is empty")
+	case shared.ResponseTypeAccessToken:
+		accessToken, err := response.(shared.AccessTokenIDPResponse).AccessToken()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get access token: %w", err)
 		}
 
-		claims := struct {
-			jwt.RegisteredClaims
-			Oid string `json:"oid,omitempty"`
-		}{}
-
-		// Parse the token to extract claims, but note that signature verification
-		// should be handled by the identity provider
-		_, _, err = jwt.NewParser().ParseUnverified(tokenStr, &claims)
+		rawToken = accessToken.Token
+		expiresOn = accessToken.ExpiresOn.UTC()
+	case shared.ResponseTypeRawToken:
+		tokenStr, err := response.(shared.RawTokenIDPResponse).RawToken()
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse JWT token: %w", err)
+			return nil, fmt.Errorf("failed to get raw token: %w", err)
 		}
+		rawToken = tokenStr
+	default:
+		return nil, fmt.Errorf("unsupported response type: %s", response.Type())
+	}
 
-		if claims.Oid == "" {
-			return nil, fmt.Errorf("JWT token does not contain OID claim")
-		}
+	if rawToken == "" {
+		return nil, fmt.Errorf("raw token is empty")
+	}
 
-		rawToken = tokenStr
-		username = claims.Oid
-		password = rawToken
+	// Parse JWT
+	claims := struct {
+		jwt.RegisteredClaims
+		Oid string `json:"oid,omitempty"`
+	}{}
+
+	// Parse the token to extract claims, but note that signature verification
+	// should be handled by the identity provider
+	_, _, err := jwt.NewParser().ParseUnverified(rawToken, &claims)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse JWT token: %w", err)
+	}
 
-		if expiresOn.IsZero() && claims.ExpiresAt != nil {
-			expiresOn = claims.ExpiresAt.UTC()
-		}
+	if claims.Oid == "" {
+		return nil, fmt.Errorf("JWT token does not contain OID claim")
+	}
 
-	default:
-		return nil, fmt.Errorf("unsupported response type: %s", response.Type())
+	username = claims.Oid
+	password = rawToken
+	if expiresOn.IsZero() && claims.ExpiresAt != nil {
+		expiresOn = claims.ExpiresAt.UTC()
 	}
 
 	if expiresOn.IsZero() {
diff --git a/shared/identity_provider_response.go b/shared/identity_provider_response.go
@@ -43,11 +43,15 @@ type IdentityProviderResponseParser interface {
 type IdentityProviderResponse interface {
 	// Type returns the type of identity provider response
 	Type() string
+	// RawToken returns the raw token string.
+	// Returns ErrRawTokenNotFound if the raw token is not set.
+	RawToken() (string, error)
 }
 
 // AuthResultIDPResponse is an interface that defines the method for getting the auth result.
 // Returns ErrAuthResultNotFound if the auth result is not set.
 type AuthResultIDPResponse interface {
+	IdentityProviderResponse
 	// AuthResult returns the Microsoft Authentication Library AuthResult.
 	// Returns ErrAuthResultNotFound if the auth result is not set.
 	AuthResult() (public.AuthResult, error)
@@ -56,28 +60,19 @@ type AuthResultIDPResponse interface {
 // AccessTokenIDPResponse is an interface that defines the method for getting the access token.
 // Returns ErrAccessTokenNotFound if the access token is not set.
 type AccessTokenIDPResponse interface {
+	IdentityProviderResponse
 	// AccessToken returns the Azure SDK AccessToken.
 	// Returns ErrAccessTokenNotFound if the access token is not set.
 	AccessToken() (azcore.AccessToken, error)
 }
 
-// RawTokenIDPResponse is an interface that defines the method for getting the raw token.
-// Returns ErrRawTokenNotFound if the raw token is not set.
 type RawTokenIDPResponse interface {
-	// RawToken returns the raw token string.
-	// Returns ErrRawTokenNotFound if the raw token is not set.
-	RawToken() (string, error)
+	IdentityProviderResponse
 }
 
 // IdentityProvider is an interface that defines the methods for an identity provider.
 // It is used to request a token for authentication.
 // The identity provider is responsible for providing the raw authentication token.
-// Available errors:
-// - ErrInvalidIDPResponse: When the response from the identity provider is invalid
-// - ErrInvalidIDPResponseType: When the response type is not supported
-// - ErrAuthResultNotFound: When trying to get an AuthResult that is not set
-// - ErrAccessTokenNotFound: When trying to get an AccessToken that is not set
-// - ErrRawTokenNotFound: When trying to get a RawToken that is not set
 type IdentityProvider interface {
 	// RequestToken requests a token from the identity provider.
 	// The context is passed to the request to allow for cancellation and timeouts.
