easier to extend

Author: ndyakov

azure_default_identity_provider.go

@@ -43,5 +43,5 @@ func (a *DefaultAzureIdentityProvider) RequestToken() (IdentityProviderResponse,
 		return nil, fmt.Errorf("failed to get token: %w", err)
 	}
 
-	return newIDPResponse(typeAccessToken, &token)
+	return NewIDPResponse(ResponseTypeAccessToken, &token)
 }

confidential_identity_provider.go

@@ -127,5 +127,5 @@ func (c *ConfidentialIdentityProvider) RequestToken() (IdentityProviderResponse,
 		return nil, fmt.Errorf("failed to acquire token: %w", err)
 	}
 
-	return newIDPResponse(typeAuthResult, &result)
+	return NewIDPResponse(ResponseTypeAuthResult, &result)
 }

credentials.go

@@ -89,35 +89,35 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 		}
 		if len(e.listeners) == 0 {
 			if e.cancelTokenManager != nil {
-				e.cancelTokenManager()
+				defer func() {
+					e.cancelTokenManager = nil
+					e.listeners = nil
+				}()
+				return e.cancelTokenManager()
 			}
-			e.cancelTokenManager = nil
-			e.listeners = nil
 		}
 		return nil
 	}
 
-	return credentials, cancel, nil
+	return token, cancel, nil
 }
 
 type entraidTokenListener struct {
-	onTokenNext  func(token *Token)
-	onTokenError func(err error)
+	cp *entraidCredentialsProvider
 }
 
-func tokenListenerFromCP(cp *entraidCredentialsProvider) *entraidTokenListener {
+func tokenListenerFromCP(cp *entraidCredentialsProvider) TokenListener {
 	return &entraidTokenListener{
-		onTokenNext:  cp.onTokenNext,
-		onTokenError: cp.onTokenError,
+		cp,
 	}
 }
 
 func (l *entraidTokenListener) OnTokenNext(token *Token) {
-	l.onTokenNext(token)
+	l.cp.onTokenNext(token)
 }
 
 func (l *entraidTokenListener) OnTokenError(err error) {
-	l.onTokenError(err)
+	l.cp.onTokenError(err)
 }
 
 // newCredentialsProvider creates a new credentials provider.

credentials_provider.go

@@ -8,10 +8,12 @@ import (
 )
 
 const (
-	// typeAuthResult is the type of the auth result.
-	typeAuthResult = "AuthResult"
-	// typeAccessToken is the type of the access token.
-	typeAccessToken = "AccessToken"
+	// ResponseTypeAuthResult is the type of the auth result.
+	ResponseTypeAuthResult = "AuthResult"
+	// ResponseTypeAccessToken is the type of the access token.
+	ResponseTypeAccessToken = "AccessToken"
+	// ResponseTypeRawToken is the type of the response when you have a raw string.
+	ResponseTypeRawToken = "RawToken"
 )
 
 // IdentityProviderResponse is an interface that defines the methods for an identity provider authentication result.
@@ -21,6 +23,7 @@ type IdentityProviderResponse interface {
 	Type() string
 	AuthResult() *public.AuthResult
 	AccessToken() *azcore.AccessToken
+	RawToken() string
 }
 
 // IdentityProviderResponseParserFunc is a function that parses the token and returns the username and password.
@@ -39,6 +42,7 @@ type authResult struct {
 	resultType  string
 	authResult  *public.AuthResult
 	accessToken *azcore.AccessToken
+	rawToken    string
 }
 
 func (a *authResult) Type() string {
@@ -53,26 +57,36 @@ func (a *authResult) AccessToken() *azcore.AccessToken {
 	return a.accessToken
 }
 
-// newAuthResult creates a new auth result based on the type provided.
+func (a *authResult) RawToken() string {
+	return a.rawToken
+}
+
+// NewIDPResponse creates a new auth result based on the type provided.
 // It returns an IdentityProviderResponse interface.
-func newIDPResponse(t string, result interface{}) (IdentityProviderResponse, error) {
+func NewIDPResponse(t string, result interface{}) (IdentityProviderResponse, error) {
 	r := &authResult{resultType: t}
 
 	switch t {
-	case typeAuthResult:
+	case ResponseTypeAuthResult:
 		if typed, ok := result.(*public.AuthResult); !ok {
 			return nil, fmt.Errorf("expected AuthResult, got %T", result)
 		} else {
 			r.authResult = typed
 		}
-	case typeAccessToken:
+	case ResponseTypeAccessToken:
 		if typed, ok := result.(*azcore.AccessToken); !ok {
 			return nil, fmt.Errorf("expected AccessToken, got %T", result)
 		} else {
 			r.accessToken = typed
 		}
+	case ResponseTypeRawToken:
+		if typed, ok := result.(string); !ok {
+			return nil, fmt.Errorf("expected string, got %T", result)
+		} else {
+			r.rawToken = typed
+		}
 	default:
-		return nil, fmt.Errorf("unknown type: %s", t)
+		return nil, fmt.Errorf("unknown idp response type: %s", t)
 	}
 
 	return r, nil

identity_provider.go

@@ -98,5 +98,5 @@ func (m *ManagedIdentityProvider) RequestToken() (IdentityProviderResponse, erro
 		return nil, fmt.Errorf("coudn't acquire token: %w", err)
 	}
 
-	return newIDPResponse(typeAuthResult, &authResult)
+	return NewIDPResponse(ResponseTypeAuthResult, &authResult)
 }

managed_identity_provider.go

@@ -38,18 +38,6 @@ func (t *Token) RawCredentials() string {
 	return t.rawToken
 }
 
-// IsExpired checks if the token is expired.
-// It returns true if the token is expired, false otherwise.
-func (t *Token) IsExpired() bool {
-	return t.expiresOn.Before(time.Now())
-}
-
-// IsValid checks if the token is valid.
-// It returns true if the token is valid, false otherwise.
-func (t *Token) IsValid() bool {
-	return !t.IsExpired()
-}
-
 // ExpirationOn returns the expiration time of the token.
 func (t *Token) ExpirationOn() time.Time {
 	return t.expiresOn

token.go

@@ -225,7 +225,7 @@ type entraidTokenManager struct {
 }
 
 func (e *entraidTokenManager) GetToken() (*Token, error) {
-	if e.token != nil && e.token.expiresOn.After(time.Now().Add(MinTokenTTL)) {
+	if e.token != nil && e.token.expiresOn.Before(time.Now().Add(e.lowerBoundDuration)) {
 		// copy the token so the caller can't modify it
 		return copyToken(e.token), nil
 	}