From 6e1ed2bdfc6ca66c32c60e37b52eb1a0f4919370 Mon Sep 17 00:00:00 2001
From: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Date: Fri, 8 Nov 2024 02:11:31 -0500
Subject: [PATCH] Remove go-oidc dependency from lib/jwt (#48622)

Abstracts the claims extraction via a new IDToken interface instead of importing oidc.IDToken directly. This is being done to reduce the footprint of the outdated go-oidc library in hopes that we can move off our internal and outdated fork.
---
 lib/jwt/jwt.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/jwt/jwt.go b/lib/jwt/jwt.go
index 27d2abb91240d..e797b2e4f73ef 100644
--- a/lib/jwt/jwt.go
+++ b/lib/jwt/jwt.go
@@ -31,7 +31,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc"
 	"github.com/go-jose/go-jose/v3"
 	"github.com/go-jose/go-jose/v3/cryptosigner"
 	"github.com/go-jose/go-jose/v3/jwt"
@@ -573,11 +572,18 @@ func GenerateKeyPair() ([]byte, []byte, error) {
 	return public, private, nil
 }
 
+// IDToken allows introspecting claims from an OpenID Connect
+// ID Token.
+type IDToken interface {
+	// Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
+	Claims(v any) error
+}
+
 // CheckNotBefore ensures the token was not issued in the future.
 // https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5
 // 4.1.5. "nbf" (Not Before) Claim
 // TODO(strideynet): upstream support for `nbf` into the go-oidc lib.
-func CheckNotBefore(now time.Time, leeway time.Duration, token *oidc.IDToken) error {
+func CheckNotBefore(now time.Time, leeway time.Duration, token IDToken) error {
 	claims := struct {
 		NotBefore *JSONTime `json:"nbf"`
 	}{}
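Review bot: The TODO comment kept directly above the new CheckNotBefore signature still talks about upstreaming nbf support into the go-oidc lib, which is stale now that the function depends only on the IDToken interface and the go-oidc import is gone from this file. It should be dropped, or reworded so it no longer names a library this package no longer imports, e.g. `// TODO(strideynet): remove once the IDToken implementation enforces nbf itself.` The new IDToken doc also says nothing about what Claims guarantees: if, as with the oidc.IDToken it replaces, Claims only decodes the payload and callers are expected to pass an already signature-verified token, the interface should state that expectation so a future implementation does not let CheckNotBefore introspect an unverified token, e.g. `// Implementations are expected to wrap an already-verified token; Claims only decodes the payload.` CheckNotBefore's body continues past the end of this hunk.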