gravitational · Joerger · May 23, 2025 · May 20, 2025 · May 20, 2025 · May 20, 2025
diff --git a/.golangci.yml b/.golangci.yml
@@ -161,8 +161,8 @@ linters:
               desc: use "crypto" or "x/crypto" instead
         oidc:
           deny:
-            - pkg: github.com/coreos/go-oidc$
-              desc: 'github.com/coreos/go-oidc/v3 or github.com/zitadel/oidc/v3 should be used instead'
+            - pkg: github.com/coreos/go-oidc
+              desc: 'github.com/zitadel/oidc/v3 should be used instead'
             - pkg: github.com/zitadel/oidc$
               desc: 'github.com/zitadel/oidc/v3 should be used instead'
         testify:

@@ -91,7 +91,6 @@ require (
 	github.com/charmbracelet/bubbletea v1.3.5
 	github.com/charmbracelet/huh v0.7.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/coreos/go-semver v0.3.1
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/creack/pty v1.1.24

diff --git a/go.sum b/go.sum
@@ -1117,6 +1117,7 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/coreos/go-oidc v2.3.0+incompatible h1:+5vEsrgprdLjjQ9FzIKAzQz1wwPD+83hQRfUIPh7rO0=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
 github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=

@@ -117,7 +117,6 @@ require (
 	github.com/containerd/errdefs v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/crewjam/saml v0.4.14 // indirect
@@ -387,7 +386,6 @@ replace (
 // replace statements from teleport
 replace (
 	github.com/alecthomas/kingpin/v2 => github.com/gravitational/kingpin/v2 v2.1.11-0.20230515143221-4ec6b70ecd33
-	github.com/coreos/go-oidc => github.com/gravitational/go-oidc v0.1.1
 	github.com/crewjam/saml => github.com/gravitational/saml v0.4.15-teleport.2
 	github.com/datastax/go-cassandra-native-protocol => github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1
 	github.com/go-mysql-org/go-mysql => github.com/gravitational/go-mysql v1.9.1-teleport.4

diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
@@ -262,8 +262,6 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=

@@ -129,7 +129,6 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
@@ -464,7 +463,6 @@ replace (
 // replace statements from teleport
 replace (
 	github.com/alecthomas/kingpin/v2 => github.com/gravitational/kingpin/v2 v2.1.11-0.20230515143221-4ec6b70ecd33
-	github.com/coreos/go-oidc => github.com/gravitational/go-oidc v0.1.1
 	github.com/crewjam/saml => github.com/gravitational/saml v0.4.15-teleport.2
 	github.com/datastax/go-cassandra-native-protocol => github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1
 	github.com/go-mysql-org/go-mysql => github.com/gravitational/go-mysql v1.9.1-teleport.4

diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum
@@ -389,8 +389,6 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -647,19 +647,15 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 
 	if as.ghaIDTokenValidator == nil {
 		as.ghaIDTokenValidator = githubactions.NewIDTokenValidator(
-			githubactions.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			githubactions.IDTokenValidatorConfig{},
 		)
 	}
 	if as.ghaIDTokenJWKSValidator == nil {
 		as.ghaIDTokenJWKSValidator = githubactions.ValidateTokenWithJWKS
 	}
 	if as.spaceliftIDTokenValidator == nil {
 		as.spaceliftIDTokenValidator = spacelift.NewIDTokenValidator(
-			spacelift.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			spacelift.IDTokenValidatorConfig{},
 		)
 	}
 	if as.gitlabIDTokenValidator == nil {
@@ -681,7 +677,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 			ctx context.Context, organizationID, token string,
 		) (*circleci.IDTokenClaims, error) {
 			return circleci.ValidateToken(
-				ctx, as.clock, circleci.IssuerURLTemplate, organizationID, token,
+				ctx, circleci.IssuerURLTemplate, organizationID, token,
 			)
 		}
 	}
@@ -697,20 +693,16 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 
 	if as.gcpIDTokenValidator == nil {
 		as.gcpIDTokenValidator = gcp.NewIDTokenValidator(
-			gcp.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			gcp.IDTokenValidatorConfig{},
 		)
 	}
 
 	if as.terraformIDTokenValidator == nil {
-		as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{
-			Clock: as.clock,
-		})
+		as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{})
 	}
 
 	if as.bitbucketIDTokenValidator == nil {
-		as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator(as.clock)
+		as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator()
 	}
 
 	if as.createBoundKeypairValidator == nil {

diff --git a/lib/auth/join_azure.go b/lib/auth/join_azure.go
@@ -34,17 +34,17 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	armpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/digitorus/pkcs7"
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 
 	"github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/client/proto"
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/cloud/azure"
+	liboidc "github.com/gravitational/teleport/lib/oidc"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -87,7 +87,7 @@ type attestedData struct {
 }
 
 type accessTokenClaims struct {
-	jwt.Claims
+	oidc.TokenClaims
 	TenantID string `json:"tid"`
 	Version  string `json:"ver"`
 
@@ -107,18 +107,29 @@ type accessTokenClaims struct {
 	AzureResourceID            string `json:"xms_az_rid"`
 }
 
+func (c *accessTokenClaims) AsJWTClaims() jwt.Claims {
+	return jwt.Claims{
+		Issuer:    c.Issuer,
+		Subject:   c.Subject,
+		Audience:  jwt.Audience(c.Audience),
+		Expiry:    jwt.NewNumericDate(c.Expiration.AsTime()),
+		NotBefore: jwt.NewNumericDate(c.NotBefore.AsTime()),
+		IssuedAt:  jwt.NewNumericDate(c.IssuedAt.AsTime()),
+		ID:        c.JWTID,
+	}
+}
+
 type azureVerifyTokenFunc func(ctx context.Context, rawIDToken string) (*accessTokenClaims, error)
 
 type vmClientGetter func(subscriptionID string, token *azure.StaticCredential) (azure.VirtualMachinesClient, error)
 
 type azureRegisterConfig struct {
-	clock                  clockwork.Clock
 	certificateAuthorities []*x509.Certificate
 	verify                 azureVerifyTokenFunc
 	getVMClient            vmClientGetter
 }
 
-func azureVerifyFuncFromOIDCVerifier(cfg *oidc.Config) azureVerifyTokenFunc {
+func azureVerifyFuncFromOIDCVerifier(clientID string) azureVerifyTokenFunc {
 	return func(ctx context.Context, rawIDToken string) (*accessTokenClaims, error) {
 		token, err := jwt.ParseSigned(rawIDToken)
 		if err != nil {
@@ -133,32 +144,13 @@ func azureVerifyFuncFromOIDCVerifier(cfg *oidc.Config) azureVerifyTokenFunc {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		provider, err := oidc.NewProvider(ctx, issuer)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		verifiedToken, err := provider.Verifier(cfg).Verify(ctx, rawIDToken)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		var tokenClaims accessTokenClaims
-		if err := verifiedToken.Claims(&tokenClaims); err != nil {
-			return nil, trace.Wrap(err)
-		}
-		return &tokenClaims, nil
+		return liboidc.ValidateToken[*accessTokenClaims](ctx, issuer, clientID, rawIDToken)
 	}
 }
 
 func (cfg *azureRegisterConfig) CheckAndSetDefaults(ctx context.Context) error {
-	if cfg.clock == nil {
-		cfg.clock = clockwork.NewRealClock()
-	}
 	if cfg.verify == nil {
-		oidcConfig := &oidc.Config{
-			ClientID: azureAccessTokenAudience,
-			Now:      cfg.clock.Now,
-		}
-		cfg.verify = azureVerifyFuncFromOIDCVerifier(oidcConfig)
+		cfg.verify = azureVerifyFuncFromOIDCVerifier(azureAccessTokenAudience)
 	}
 
 	if cfg.certificateAuthorities == nil {
@@ -278,7 +270,7 @@ func verifyVMIdentity(
 		Time:     requestStart,
 	}
 
-	if err := tokenClaims.Validate(expectedClaims); err != nil {
+	if err := tokenClaims.AsJWTClaims().Validate(expectedClaims); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -301,7 +293,7 @@ func verifyVMIdentity(
 
 	tokenCredential := azure.NewStaticCredential(azcore.AccessToken{
 		Token:     accessToken,
-		ExpiresOn: tokenClaims.Expiry.Time(),
+		ExpiresOn: tokenClaims.GetExpiration(),
 	})
 	vmClient, err := cfg.getVMClient(subscriptionID, tokenCredential)
 	if err != nil {

diff --git a/lib/auth/join_azure_test.go b/lib/auth/join_azure_test.go
@@ -34,6 +34,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
@@ -144,14 +145,14 @@ func makeToken(managedIdentityResourceID, azureResourceID string, issueTime time
 		return "", trace.Wrap(err)
 	}
 	claims := accessTokenClaims{
-		Claims: jwt.Claims{
-			Issuer:    "https://sts.windows.net/test-tenant-id/",
-			Audience:  []string{azureAccessTokenAudience},
-			Subject:   "test",
-			IssuedAt:  jwt.NewNumericDate(issueTime),
-			NotBefore: jwt.NewNumericDate(issueTime),
-			Expiry:    jwt.NewNumericDate(issueTime.Add(time.Minute)),
-			ID:        "id",
+		TokenClaims: oidc.TokenClaims{
+			Issuer:     "https://sts.windows.net/test-tenant-id/",
+			Audience:   []string{azureAccessTokenAudience},
+			Subject:    "test",
+			IssuedAt:   oidc.FromTime(issueTime),
+			NotBefore:  oidc.FromTime(issueTime),
+			Expiration: oidc.FromTime(issueTime.Add(time.Minute)),
+			JWTID:      "id",
 		},
 		ManangedIdentityResourceID: managedIdentityResourceID,
 		AzureResourceID:            azureResourceID,

diff --git a/lib/azuredevops/token_validator.go b/lib/azuredevops/token_validator.go
@@ -23,17 +23,11 @@ import (
 	"fmt"
 	"net/url"
 	"strings"
-	"time"
 
 	"github.com/gravitational/trace"
-	"github.com/zitadel/oidc/v3/pkg/client"
-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
-)
 
-// providerTimeout is the maximum time allowed to fetch provider metadata before
-// giving up.
-const providerTimeout = 15 * time.Second
+	"github.com/gravitational/teleport/lib/oidc"
+)
 
 // audience is the static value that Azure DevOps uses for the `aud` claim in
 // issued ID Tokens. Unfortunately, this cannot be changed.
@@ -75,30 +69,13 @@ func NewIDTokenValidator() *IDTokenValidator {
 func (id *IDTokenValidator) Validate(
 	ctx context.Context, organizationID, token string,
 ) (*IDTokenClaims, error) {
-	timeoutCtx, cancel := context.WithTimeout(ctx, providerTimeout)
-	defer cancel()
-
 	issuer := issuerURL(
 		organizationID, id.overrideDiscoveryHost, id.insecureDiscovery,
 	)
-	// TODO(noah): It'd be nice to cache the OIDC discovery document fairly
-	// aggressively across join tokens since this isn't going to change very
-	// regularly.
-	dc, err := client.Discover(timeoutCtx, issuer, otelhttp.DefaultClient)
-	if err != nil {
-		return nil, trace.Wrap(err, "discovering oidc document")
-	}
-
-	// TODO(noah): Ideally we'd cache the remote keyset across joins/join tokens
-	// based on the issuer.
-	ks := rp.NewRemoteKeySet(otelhttp.DefaultClient, dc.JwksURI)
-	verifier := rp.NewIDTokenVerifier(issuer, audience, ks)
-	// TODO(noah): It'd be ideal if we could extend the verifier to use an
-	// injected "now" time.
 
-	claims, err := rp.VerifyIDToken[*IDTokenClaims](timeoutCtx, token, verifier)
+	claims, err := oidc.ValidateToken[*IDTokenClaims](ctx, issuer, audience, token)
 	if err != nil {
-		return nil, trace.Wrap(err, "verifying token")
+		return nil, trace.Wrap(err, "validating token")
 	}
 
 	parsed, err := parseSubClaim(claims.Sub)

diff --git a/lib/bitbucket/bitbucket.go b/lib/bitbucket/bitbucket.go
@@ -19,13 +19,17 @@
 package bitbucket
 
 import (
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 )
 
 // IDTokenClaims
 // See the following for the structure:
 // https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/
 type IDTokenClaims struct {
+	oidc.TokenClaims
+
 	// Sub provides some information about the Bitbucket Pipelines run that
 	// generated this token. Format: {RepositoryUUID}:{StepUUID}
 	Sub string `json:"sub"`
@@ -59,6 +63,10 @@ type IDTokenClaims struct {
 	BranchName string `json:"branchName"`
 }
 
+func (c *IDTokenClaims) GetSubject() string {
+	return c.Sub
+}
+
 // JoinAttrs returns the protobuf representation of the attested identity.
 // This is used for auditing and for evaluation of WorkloadIdentity rules and
 // templating.