fuller-inc · shogo82148 · Oct 11, 2023 · Oct 11, 2023 · Oct 11, 2023
diff --git a/provider/assume-role/github/parse_id_token.go b/provider/assume-role/github/parse_id_token.go
@@ -2,9 +2,9 @@ package github
 
 import (
 	"context"
-	"errors"
 	"fmt"
 
+	"github.com/shogo82148/goat/jwa"
 	_ "github.com/shogo82148/goat/jwa/rs"
 	"github.com/shogo82148/goat/jws"
 	"github.com/shogo82148/goat/jwt"
@@ -41,23 +41,26 @@ func (c *Client) ParseIDToken(ctx context.Context, idToken string) (*ActionsIDTo
 	if err != nil {
 		return nil, fmt.Errorf("github: failed to get JWK Set: %w", err)
 	}
-	token, err := jwt.Parse([]byte(idToken), jwt.FindKeyFunc(func(header *jws.Header) (key sig.SigningKey, err error) {
-		jwk, ok := set.Find(header.KeyID())
-		if !ok {
-			return nil, fmt.Errorf("github: kid %s is not found", header.KeyID())
-		}
-		if jwk.Algorithm() != "" && header.Algorithm().KeyAlgorithm() != jwk.Algorithm() {
-			return nil, fmt.Errorf("github: alg parameter mismatch")
-		}
-		key = header.Algorithm().New().NewSigningKey(jwk)
-		return
-	}))
+	p := &jwt.Parser{
+		KeyFinder: jwt.FindKeyFunc(func(ctx context.Context, header *jws.Header) (key sig.SigningKey, err error) {
+			jwk, ok := set.Find(header.KeyID())
+			if !ok {
+				return nil, fmt.Errorf("github: kid %s is not found", header.KeyID())
+			}
+			if jwk.Algorithm() != "" && header.Algorithm().KeyAlgorithm() != jwk.Algorithm() {
+				return nil, fmt.Errorf("github: alg parameter mismatch")
+			}
+			key = header.Algorithm().New().NewSigningKey(jwk)
+			return
+		}),
+		AlgorithmVerifier:     jwt.AllowedAlgorithms{jwa.RS256},
+		IssuerSubjectVerifier: jwt.Issuer(oidcIssuer),
+		AudienceVerifier:      jwt.UnsecureAnyAudience,
+	}
+	token, err := p.Parse(ctx, []byte(idToken))
 	if err != nil {
 		return nil, fmt.Errorf("github: failed to parse id token: %w", err)
 	}
-	if token.Claims.Issuer != oidcIssuer {
-		return nil, errors.New("github: failed to parse id token: invalid issuer")
-	}
 
 	var claims ActionsIDToken
 	if err := token.Claims.DecodeCustom(&claims); err != nil {

diff --git a/provider/assume-role/go.mod b/provider/assume-role/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/shogo82148/aws-xray-yasdk-go v1.7.1
 	github.com/shogo82148/aws-xray-yasdk-go/xrayaws-v2 v1.1.4
 	github.com/shogo82148/ctxlog v0.1.0
-	github.com/shogo82148/goat v0.0.6
+	github.com/shogo82148/goat v0.1.0
 	github.com/shogo82148/ridgenative v1.4.0
 )
 
@@ -23,7 +23,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.15.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2 // indirect
-	github.com/shogo82148/memoize v0.0.2 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	github.com/shogo82148/memoize v0.0.4 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
 )
diff --git a/provider/assume-role/go.sum b/provider/assume-role/go.sum
@@ -40,18 +40,18 @@ github.com/shogo82148/aws-xray-yasdk-go/xrayaws-v2 v1.1.4 h1:JxcMlEvjbHyyO7YqK6b
 github.com/shogo82148/aws-xray-yasdk-go/xrayaws-v2 v1.1.4/go.mod h1:qqeqw2VKFajsyJVGhtM+GdQAcbfZeq1LpOeM2rnD6Oo=
 github.com/shogo82148/ctxlog v0.1.0 h1:WN1kcHxnFFPrqMNKK+ZM8GKrjqAKQymWekjeq6EZ7ao=
 github.com/shogo82148/ctxlog v0.1.0/go.mod h1:1vzyF5O3lITc5QGi4oYH12DwupLpZytmfxdN2vH1ZZ0=
-github.com/shogo82148/goat v0.0.6 h1:QmNrB8HnXOt7BFaS8i890aBo4RRbiXVWcgSagd97S7Q=
-github.com/shogo82148/goat v0.0.6/go.mod h1:J5sGtFsP9R1Mh6OLSbCec8pVmXy3oQGaYUj12qtKg94=
-github.com/shogo82148/memoize v0.0.2 h1:KBHGjTpwuKPyCzpNlpNT79hKfmJaheHxpIuqdGzqdIE=
-github.com/shogo82148/memoize v0.0.2/go.mod h1:sOsvhOlJGVR2nHgCzUchvbEeYB6jNvSP9o4SPHgb+bY=
-github.com/shogo82148/pointer v1.2.0 h1:MEPjAx9hK17sdEVhaqHROphdy+RxTH70vaBypZzZ/d8=
-github.com/shogo82148/pointer v1.2.0/go.mod h1:agZ5JFpavFPXznbWonIvbG78NDfvDTFppe+7o53up5w=
+github.com/shogo82148/goat v0.1.0 h1:CD8v23E0rGSspMyKnS2FqiX+BJnEYs/mhgYDmo4i30k=
+github.com/shogo82148/goat v0.1.0/go.mod h1:O2/1GBUA42rPuc0TM5WV3Kx/5/BXCHBRvSh/g9MlAus=
+github.com/shogo82148/memoize v0.0.4 h1:3n08PzuwGLbVwawf2jM5kfNC4mV25EqaAIjKrNfqqAs=
+github.com/shogo82148/memoize v0.0.4/go.mod h1:sOsvhOlJGVR2nHgCzUchvbEeYB6jNvSP9o4SPHgb+bY=
+github.com/shogo82148/pointer v1.3.0 h1:LW5V2jUAjFNjS8e7k/PgFoh3EavOSB/vvN85aGue5+I=
+github.com/shogo82148/pointer v1.3.0/go.mod h1:agZ5JFpavFPXznbWonIvbG78NDfvDTFppe+7o53up5w=
 github.com/shogo82148/ridgenative v1.4.0 h1:yBsshqKQ86Y155CzgW3iC34DPwpcClceCJ8JQBd36UE=
 github.com/shogo82148/ridgenative v1.4.0/go.mod h1:PInWLpQIV0RsZI3j81ZH87hQ2knhDiMGbeDuTli3QIE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=