move error as separate

kyma-project · Oct 24, 2024 · fbde224 · fbde224
1 parent 551089f
commit fbde224
Showing 1 changed file with 28 additions and 29 deletions.
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
@@ -383,11 +383,12 @@ func (tokenProcessor *TokenProcessor) Issuer() string {
 func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context, verifier TokenVerifierInterface, claims ClaimsInterface) error {
 	logger := tokenProcessor.logger
 	token, err := verifier.Verify(ctx, tokenProcessor.rawToken)
+	var tokenExpiryError *oidc.TokenExpiredError
+	if errors.As(err, &tokenExpiryError) {
+		token, err = tokenProcessor.handleExpiredToken(ctx, tokenExpiryError, logger, err)
+	}
 	if err != nil {
-		token, err = tokenProcessor.handleExpiredToken(ctx, logger, err)
-		if err != nil {
-			return fmt.Errorf("failed to verify token: %w", err)
-		}
+		return fmt.Errorf("failed to verify token: %w", err)
 	}
 
 	logger.Debugw("Getting claims from token")
@@ -403,31 +404,29 @@ func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context
 	return nil
 }
 
-func (tokenProcessor *TokenProcessor) handleExpiredToken(ctx context.Context, logger LoggerInterface, err error) (Token, error) {
-	var tokenExpiryError *oidc.TokenExpiredError
-	if errors.As(err, &tokenExpiryError) {
-		expiryTime := tokenExpiryError.Expiry
-		now := time.Now()
-		elapsed := now.Sub(expiryTime)
-		gracePeriod := 10 * time.Minute
-		if elapsed <= gracePeriod {
-			newVerifierConfig := tokenProcessor.verifierConfig
-			newVerifierConfig.SkipExpiryCheck = true
-
-			provider, err := NewProviderFromDiscovery(ctx, logger, tokenProcessor.issuer.IssuerURL)
-			if err != nil {
-				return Token{}, fmt.Errorf("failed to create provider: %w", err)
-			}
-
-			newVerifier := provider.NewVerifier(logger, newVerifierConfig)
-			token, err := newVerifier.Verify(ctx, tokenProcessor.rawToken)
-			if err != nil {
-				return Token{}, fmt.Errorf("failed to verify token after skipping expiry check: %w", err)
-			}
-			return token, nil
-		} else {
-			return Token{}, fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)
+func (tokenProcessor *TokenProcessor) handleExpiredToken(ctx context.Context, tokenExpiryError *oidc.TokenExpiredError, logger LoggerInterface, err error) (Token, error) {
+	expiryTime := tokenExpiryError.Expiry
+	now := time.Now()
+	elapsed := now.Sub(expiryTime)
+	gracePeriod := 10 * time.Minute
+	if elapsed <= gracePeriod {
+		newVerifierConfig := tokenProcessor.verifierConfig
+		newVerifierConfig.SkipExpiryCheck = true
+
+		provider, err := NewProviderFromDiscovery(ctx, logger, tokenProcessor.issuer.IssuerURL)
+		if err != nil {
+			return Token{}, fmt.Errorf("failed to create provider: %w", err)
 		}
+
+		newVerifier := provider.NewVerifier(logger, newVerifierConfig)
+		token, err := newVerifier.Verify(ctx, tokenProcessor.rawToken)
+
+		if err != nil {
+			return Token{}, fmt.Errorf("failed to verify token after skipping expiry check: %w", err)
+		}
+
+		return token, nil
+	} else {
+		return Token{}, fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)
 	}
-	return Token{}, err
 }