| 1565 | } |
| 1566 | |
// accessTokenClaims treats the OAuth2 access token as a provider-signed JWT
// and uses it as a secondary source of claims. The raw token is handed to
// api.OIDCConfig.Verifier first; none of its claims are read until that
// verification succeeds.
//
// On any failure the HTTP error response has already been written to rw and
// (nil, false) is returned, so callers must not write a second response.
// On success the decoded claim set is returned with ok == true.
func (api *API) accessTokenClaims(ctx context.Context, rw http.ResponseWriter, state httpmw.OAuth2State, logger slog.Logger) (accessTokenClaims map[string]interface{}, ok bool) {
	// The verifier is what decides whether the token is a JWT this provider
	// signed; an access token it cannot verify is rejected as a client error.
	verified, verifyErr := api.OIDCConfig.Verifier.Verify(ctx, state.Token.AccessToken)
	if verifyErr != nil {
		logger.Error(ctx, "oauth2: unable to verify access token as secondary claims source", slog.Error(verifyErr))
		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
			Message: "Failed to verify access token.",
			Detail:  fmt.Sprintf("sourcing secondary claims from access token: %s", verifyErr.Error()),
		})
		return nil, false
	}

	// Decode the (now verified) claim set into a generic map; a decode
	// failure here is treated as a server-side problem, not a client error.
	claims := map[string]any{}
	if decodeErr := verified.Claims(&claims); decodeErr != nil {
		logger.Error(ctx, "oauth2: unable to unmarshal access token claims", slog.Error(decodeErr))
		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
			Message: "Failed to unmarshal access token claims.",
			Detail:  decodeErr.Error(),
		})
		return nil, false
	}

	return claims, true
}
| 1592 | |
| 1593 | func (api *API) userInfoClaims(ctx context.Context, rw http.ResponseWriter, state httpmw.OAuth2State, logger slog.Logger) (userInfoClaims map[string]interface{}, ok bool) { |
| 1594 | userInfoClaims = make(map[string]interface{}) |