oauth2-proxy/providers/provider_default.go

package providers

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"time"

	"github.com/coreos/go-oidc"

	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
)

// Redeem provides a default implementation of the OAuth2 token redemption process
func (p *ProviderData) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
	if code == "" {
		err = errors.New("missing code")
		return
	}
	clientSecret, err := p.GetClientSecret()
	if err != nil {
		return
	}

	params := url.Values{}
	params.Add("redirect_uri", redirectURL)
	params.Add("client_id", p.ClientID)
	params.Add("client_secret", clientSecret)
	params.Add("code", code)
	params.Add("grant_type", "authorization_code")
	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
		params.Add("resource", p.ProtectedResource.String())
	}

	var req *http.Request
	req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
	if err != nil {
		return
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	var resp *http.Response
	resp, err = http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	var body []byte
	body, err = ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return
	}

	if resp.StatusCode != 200 {
		err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
		return
	}

	// blindly try json and x-www-form-urlencoded
	var jsonResponse struct {
		AccessToken string `json:"access_token"`
	}
	err = json.Unmarshal(body, &jsonResponse)
	if err == nil {
		s = &sessions.SessionState{
			AccessToken: jsonResponse.AccessToken,
		}
		return
	}

	var v url.Values
	v, err = url.ParseQuery(string(body))
	if err != nil {
		return
	}
	if a := v.Get("access_token"); a != "" {
		s = &sessions.SessionState{AccessToken: a, CreatedAt: time.Now()}
	} else {
		err = fmt.Errorf("no access token found %s", body)
	}
	return
}

// GetLoginURL with typical oauth parameters
func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
	a := *p.LoginURL
	params, _ := url.ParseQuery(a.RawQuery)
	params.Set("redirect_uri", redirectURI)
	params.Add("acr_values", p.AcrValues)
	if p.Prompt != "" {
		params.Set("prompt", p.Prompt)
	} else { // Legacy variant of the prompt param:
		params.Set("approval_prompt", p.ApprovalPrompt)
	}
	params.Add("scope", p.Scope)
	params.Set("client_id", p.ClientID)
	params.Set("response_type", "code")
	params.Add("state", state)
	a.RawQuery = params.Encode()
	return a.String()
}

// CookieForSession serializes a session state for storage in a cookie
func (p *ProviderData) CookieForSession(s *sessions.SessionState, c *encryption.Cipher) (string, error) {
	return s.EncodeSessionState(c)
}

// SessionFromCookie deserializes a session from a cookie value
func (p *ProviderData) SessionFromCookie(v string, c *encryption.Cipher) (s *sessions.SessionState, err error) {
	return sessions.DecodeSessionState(v, c)
}

// GetEmailAddress returns the Account email address
func (p *ProviderData) GetEmailAddress(s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// GetUserName returns the Account username
func (p *ProviderData) GetUserName(s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// GetPreferredUsername returns the Account preferred username
func (p *ProviderData) GetPreferredUsername(s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// ValidateGroup validates that the provided email exists in the configured provider
// email group(s).
func (p *ProviderData) ValidateGroup(email string) bool {
	return true
}

// ValidateSessionState validates the AccessToken
func (p *ProviderData) ValidateSessionState(s *sessions.SessionState) bool {
	return validateToken(p, s.AccessToken, nil)
}

// RefreshSessionIfNeeded should refresh the user's session if required and
// do nothing if a refresh is not required
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
	return false, nil
}

func (p *ProviderData) CreateSessionStateFromBearerToken(rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
	var claims struct {
		Subject           string `json:"sub"`
		Email             string `json:"email"`
		Verified          *bool  `json:"email_verified"`
		PreferredUsername string `json:"preferred_username"`
	}

	if err := idToken.Claims(&claims); err != nil {
		return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
	}

	if claims.Email == "" {
		claims.Email = claims.Subject
	}

	if claims.Verified != nil && !*claims.Verified {
		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
	}

	newSession := &sessions.SessionState{
		Email:             claims.Email,
		User:              claims.Email,
		PreferredUsername: claims.PreferredUsername,
	}

	newSession.AccessToken = rawIDToken
	newSession.IDToken = rawIDToken
	newSession.RefreshToken = ""
	newSession.ExpiresOn = idToken.Expiry

	return newSession, nil
}
Github provider 2015-05-21 06:23:48 +03:00			`package providers`

			`import (`
			`"bytes"`
			`"encoding/json"`
			`"errors"`
More complete HTTP error logging 2015-06-06 21:15:43 +03:00			`"fmt"`
Github provider 2015-05-21 06:23:48 +03:00			`"io/ioutil"`
			`"net/http"`
			`"net/url"`
Add CreatedAt to SessionState 2019-05-07 17:32:46 +03:00			`"time"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 09:46:46 +03:00			`"github.com/coreos/go-oidc"`

Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 16:54:36 +03:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"`
			`"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"`
Github provider 2015-05-21 06:23:48 +03:00			`)`

Add comments to exported methods for providers package 2018-12-20 13:37:59 +03:00			`// Redeem provides a default implementation of the OAuth2 token redemption process`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`func (p ProviderData) Redeem(redirectURL, code string) (s sessions.SessionState, err error) {`
Github provider 2015-05-21 06:23:48 +03:00			`if code == "" {`
			`err = errors.New("missing code")`
			`return`
			`}`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 16:44:39 +03:00			`clientSecret, err := p.GetClientSecret()`
			`if err != nil {`
			`return`
			`}`
Github provider 2015-05-21 06:23:48 +03:00
			`params := url.Values{}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 02:47:44 +03:00			`params.Add("redirect_uri", redirectURL)`
Github provider 2015-05-21 06:23:48 +03:00			`params.Add("client_id", p.ClientID)`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 16:44:39 +03:00			`params.Add("client_secret", clientSecret)`
Github provider 2015-05-21 06:23:48 +03:00			`params.Add("code", code)`
			`params.Add("grant_type", "authorization_code")`
Add Azure Provider 2015-11-09 11:28:34 +03:00			`if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {`
			`params.Add("resource", p.ProtectedResource.String())`
			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`var req *http.Request`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 02:47:44 +03:00			`req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))`
Github provider 2015-05-21 06:23:48 +03:00			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return`
Github provider 2015-05-21 06:23:48 +03:00			`}`
			`req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`var resp *http.Response`
			`resp, err = http.DefaultClient.Do(req)`
Github provider 2015-05-21 06:23:48 +03:00			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return nil, err`
Github provider 2015-05-21 06:23:48 +03:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`var body []byte`
Github provider 2015-05-21 06:23:48 +03:00			`body, err = ioutil.ReadAll(resp.Body)`
			`resp.Body.Close()`
			`if err != nil {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return`
Github provider 2015-05-21 06:23:48 +03:00			`}`

More complete HTTP error logging 2015-06-06 21:15:43 +03:00			`if resp.StatusCode != 200 {`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 02:47:44 +03:00			`err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return`
More complete HTTP error logging 2015-06-06 21:15:43 +03:00			`}`

Github provider 2015-05-21 06:23:48 +03:00			`// blindly try json and x-www-form-urlencoded`
			`var jsonResponse struct {`
			AccessToken string `json:"access_token"`
			`}`
			`err = json.Unmarshal(body, &jsonResponse)`
			`if err == nil {`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`s = &sessions.SessionState{`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`AccessToken: jsonResponse.AccessToken,`
			`}`
			`return`
Github provider 2015-05-21 06:23:48 +03:00			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`var v url.Values`
			`v, err = url.ParseQuery(string(body))`
			`if err != nil {`
			`return`
			`}`
			`if a := v.Get("access_token"); a != "" {`
Add CreatedAt to SessionState 2019-05-07 17:32:46 +03:00			`s = &sessions.SessionState{AccessToken: a, CreatedAt: time.Now()}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`} else {`
			`err = fmt.Errorf("no access token found %s", body)`
			`}`
			`return`
Github provider 2015-05-21 06:23:48 +03:00			`}`
More complete HTTP error logging 2015-06-06 21:15:43 +03:00
immediately redeem refresh token for provider==Google 2015-06-23 20:23:47 +03:00			`// GetLoginURL with typical oauth parameters`
csrf protection; always set state 2017-03-28 04:14:38 +03:00			`func (p *ProviderData) GetLoginURL(redirectURI, state string) string {`
Add new linters (#486) * add new linters and fix issues * fix deprecated warnings * simplify return * update CHANGELOG * fix staticcheck issues * remove a deprecated linter, minor fixes of variable initialization 2020-04-14 11:36:44 +03:00			`a := *p.LoginURL`
immediately redeem refresh token for provider==Google 2015-06-23 20:23:47 +03:00			`params, _ := url.ParseQuery(a.RawQuery)`
			`params.Set("redirect_uri", redirectURI)`
Fix #381, expose acr_values to all providers (#445) 2020-03-17 20:57:33 +03:00			`params.Add("acr_values", p.AcrValues)`
Support prompt in addition to auth-prompt (#444) Fix #380 2020-03-14 12:53:43 +03:00			`if p.Prompt != "" {`
			`params.Set("prompt", p.Prompt)`
			`} else { // Legacy variant of the prompt param:`
			`params.Set("approval_prompt", p.ApprovalPrompt)`
			`}`
More complete HTTP error logging 2015-06-06 21:15:43 +03:00			`params.Add("scope", p.Scope)`
immediately redeem refresh token for provider==Google 2015-06-23 20:23:47 +03:00			`params.Set("client_id", p.ClientID)`
			`params.Set("response_type", "code")`
csrf protection; always set state 2017-03-28 04:14:38 +03:00			`params.Add("state", state)`
immediately redeem refresh token for provider==Google 2015-06-23 20:23:47 +03:00			`a.RawQuery = params.Encode()`
			`return a.String()`
More complete HTTP error logging 2015-06-06 21:15:43 +03:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00
			`// CookieForSession serializes a session state for storage in a cookie`
Move cookie to pkg/encryption 2019-05-24 19:06:48 +03:00			`func (p ProviderData) CookieForSession(s sessions.SessionState, c *encryption.Cipher) (string, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return s.EncodeSessionState(c)`
			`}`

			`// SessionFromCookie deserializes a session from a cookie value`
Move cookie to pkg/encryption 2019-05-24 19:06:48 +03:00			`func (p ProviderData) SessionFromCookie(v string, c encryption.Cipher) (s *sessions.SessionState, err error) {`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`return sessions.DecodeSessionState(v, c)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`}`

Add comments to exported methods for providers package 2018-12-20 13:37:59 +03:00			`// GetEmailAddress returns the Account email address`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`func (p ProviderData) GetEmailAddress(s sessions.SessionState) (string, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return "", errors.New("not implemented")`
			`}`

Github provider: use login as user - Save both user and email in session state: Encoding/decoding methods save both email and user field in session state, for use cases when User is not derived from email's local-parth, like for GitHub provider. For retrocompatibility, if no user is obtained by the provider, (e.g. User is an empty string) the encoding/decoding methods fall back to the previous behavior and use the email's local-part Updated also related tests and added two more tests to show behavior when session contains a non-empty user value. - Added first basic GitHub provider tests - Added GetUserName method to Provider interface The new GetUserName method is intended to return the User value when this is not the email's local-part. Added also the default implementation to provider_default.go - Added call to GetUserName in redeemCode the new GetUserName method is used in redeemCode to get SessionState User value. For backward compatibility, if GetUserName error is "not implemented", the error is ignored. - Added GetUserName method and tests to github provider. 2017-09-27 00:31:27 +03:00			`// GetUserName returns the Account username`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`func (p ProviderData) GetUserName(s sessions.SessionState) (string, error) {`
Github provider: use login as user - Save both user and email in session state: Encoding/decoding methods save both email and user field in session state, for use cases when User is not derived from email's local-parth, like for GitHub provider. For retrocompatibility, if no user is obtained by the provider, (e.g. User is an empty string) the encoding/decoding methods fall back to the previous behavior and use the email's local-part Updated also related tests and added two more tests to show behavior when session contains a non-empty user value. - Added first basic GitHub provider tests - Added GetUserName method to Provider interface The new GetUserName method is intended to return the User value when this is not the email's local-part. Added also the default implementation to provider_default.go - Added call to GetUserName in redeemCode the new GetUserName method is used in redeemCode to get SessionState User value. For backward compatibility, if GetUserName error is "not implemented", the error is ignored. - Added GetUserName method and tests to github provider. 2017-09-27 00:31:27 +03:00			`return "", errors.New("not implemented")`
			`}`

Add preferred_username support (OIDC provider) (#420) * Add support for preferred username. * Add missing TOC entries. * Add note about preferred_username support. * Adjust tests. * Check on not implemented error for GetPreferredUsername() call. Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-03-01 18:02:51 +03:00			`// GetPreferredUsername returns the Account preferred username`
			`func (p ProviderData) GetPreferredUsername(s sessions.SessionState) (string, error) {`
			`return "", errors.New("not implemented")`
			`}`

google: Support restricting access to a specific group(s) 2015-08-20 13:07:02 +03:00			`// ValidateGroup validates that the provided email exists in the configured provider`
			`// email group(s).`
			`func (p *ProviderData) ValidateGroup(email string) bool {`
			`return true`
			`}`

Add comments to exported methods for providers package 2018-12-20 13:37:59 +03:00			`// ValidateSessionState validates the AccessToken`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`func (p ProviderData) ValidateSessionState(s sessions.SessionState) bool {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return validateToken(p, s.AccessToken, nil)`
			`}`

Lint for non-comment linter errors 2018-11-29 17:26:41 +03:00			`// RefreshSessionIfNeeded should refresh the user's session if required and`
			`// do nothing if a refresh is not required`
Move SessionState to its own package 2019-05-05 15:33:13 +03:00			`func (p ProviderData) RefreshSessionIfNeeded(s sessions.SessionState) (bool, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 14:23:39 +03:00			`return false, nil`
			`}`
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 09:46:46 +03:00
			`func (p ProviderData) CreateSessionStateFromBearerToken(rawIDToken string, idToken oidc.IDToken) (*sessions.SessionState, error) {`
			`var claims struct {`
			Subject string `json:"sub"`
			Email string `json:"email"`
			Verified *bool `json:"email_verified"`
			PreferredUsername string `json:"preferred_username"`
			`}`

			`if err := idToken.Claims(&claims); err != nil {`
			`return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)`
			`}`

			`if claims.Email == "" {`
			`claims.Email = claims.Subject`
			`}`

			`if claims.Verified != nil && !*claims.Verified {`
			`return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)`
			`}`

			`newSession := &sessions.SessionState{`
			`Email: claims.Email,`
			`User: claims.Email,`
			`PreferredUsername: claims.PreferredUsername,`
			`}`

			`newSession.AccessToken = rawIDToken`
			`newSession.IDToken = rawIDToken`
			`newSession.RefreshToken = ""`
			`newSession.ExpiresOn = idToken.Expiry`

			`return newSession, nil`
			`}`