gravitational
diff --git a/‎.golangci.yml‎
Lines changed: 2 additions & 2 deletions b/‎.golangci.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.mod‎
Lines changed: 0 additions & 1 deletion b/‎go.mod‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 1 addition & 0 deletions b/‎go.sum‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎integrations/event-handler/go.mod‎
Lines changed: 0 additions & 2 deletions b/‎integrations/event-handler/go.mod‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎integrations/event-handler/go.sum‎
Lines changed: 0 additions & 2 deletions b/‎integrations/event-handler/go.sum‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎integrations/terraform/go.mod‎
Lines changed: 0 additions & 2 deletions b/‎integrations/terraform/go.mod‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎integrations/terraform/go.sum‎
Lines changed: 0 additions & 2 deletions b/‎integrations/terraform/go.sum‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎lib/auth/auth.go‎
Lines changed: 6 additions & 14 deletions b/‎lib/auth/auth.go‎
Lines changed: 6 additions & 14 deletions
diff --git a/‎lib/auth/join_azure.go‎
Lines changed: 20 additions & 28 deletions b/‎lib/auth/join_azure.go‎
Lines changed: 20 additions & 28 deletions
diff --git a/‎lib/auth/join_azure_test.go‎
Lines changed: 9 additions & 8 deletions b/‎lib/auth/join_azure_test.go‎
Lines changed: 9 additions & 8 deletions
@@ -161,8 +161,8 @@ linters:
               desc: use "crypto" or "x/crypto" instead
         oidc:
           deny:
-            - pkg: github.com/coreos/go-oidc$
-              desc: 'github.com/coreos/go-oidc/v3 or github.com/zitadel/oidc/v3 should be used instead'
+            - pkg: github.com/coreos/go-oidc
+              desc: 'github.com/zitadel/oidc/v3 should be used instead'
             - pkg: github.com/zitadel/oidc$
               desc: 'github.com/zitadel/oidc/v3 should be used instead'
         testify:
 
@@ -91,7 +91,6 @@ require (
 	github.com/charmbracelet/bubbletea v1.3.5
 	github.com/charmbracelet/huh v0.7.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/coreos/go-semver v0.3.1
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/creack/pty v1.1.24
 
@@ -1111,6 +1111,7 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/coreos/go-oidc v2.3.0+incompatible h1:+5vEsrgprdLjjQ9FzIKAzQz1wwPD+83hQRfUIPh7rO0=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
 github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 
@@ -117,7 +117,6 @@ require (
 	github.com/containerd/errdefs v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/crewjam/saml v0.4.14 // indirect
@@ -387,7 +386,6 @@ replace (
 // replace statements from teleport
 replace (
 	github.com/alecthomas/kingpin/v2 => github.com/gravitational/kingpin/v2 v2.1.11-0.20230515143221-4ec6b70ecd33
-	github.com/coreos/go-oidc => github.com/gravitational/go-oidc v0.1.1
 	github.com/crewjam/saml => github.com/gravitational/saml v0.4.15-teleport.2
 	github.com/datastax/go-cassandra-native-protocol => github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1
 	github.com/go-mysql-org/go-mysql => github.com/gravitational/go-mysql v1.9.1-teleport.4
 
@@ -262,8 +262,6 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 
@@ -129,7 +129,6 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
@@ -464,7 +463,6 @@ replace (
 // replace statements from teleport
 replace (
 	github.com/alecthomas/kingpin/v2 => github.com/gravitational/kingpin/v2 v2.1.11-0.20230515143221-4ec6b70ecd33
-	github.com/coreos/go-oidc => github.com/gravitational/go-oidc v0.1.1
 	github.com/crewjam/saml => github.com/gravitational/saml v0.4.15-teleport.2
 	github.com/datastax/go-cassandra-native-protocol => github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1
 	github.com/go-mysql-org/go-mysql => github.com/gravitational/go-mysql v1.9.1-teleport.4
 
@@ -389,8 +389,6 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 
@@ -647,19 +647,15 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 
 	if as.ghaIDTokenValidator == nil {
 		as.ghaIDTokenValidator = githubactions.NewIDTokenValidator(
-			githubactions.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			githubactions.IDTokenValidatorConfig{},
 		)
 	}
 	if as.ghaIDTokenJWKSValidator == nil {
 		as.ghaIDTokenJWKSValidator = githubactions.ValidateTokenWithJWKS
 	}
 	if as.spaceliftIDTokenValidator == nil {
 		as.spaceliftIDTokenValidator = spacelift.NewIDTokenValidator(
-			spacelift.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			spacelift.IDTokenValidatorConfig{},
 		)
 	}
 	if as.gitlabIDTokenValidator == nil {
@@ -681,7 +677,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 			ctx context.Context, organizationID, token string,
 		) (*circleci.IDTokenClaims, error) {
 			return circleci.ValidateToken(
-				ctx, as.clock, circleci.IssuerURLTemplate, organizationID, token,
+				ctx, circleci.IssuerURLTemplate, organizationID, token,
 			)
 		}
 	}
@@ -697,20 +693,16 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 
 	if as.gcpIDTokenValidator == nil {
 		as.gcpIDTokenValidator = gcp.NewIDTokenValidator(
-			gcp.IDTokenValidatorConfig{
-				Clock: as.clock,
-			},
+			gcp.IDTokenValidatorConfig{},
 		)
 	}
 
 	if as.terraformIDTokenValidator == nil {
-		as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{
-			Clock: as.clock,
-		})
+		as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{})
 	}
 
 	if as.bitbucketIDTokenValidator == nil {
-		as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator(as.clock)
+		as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator()
 	}
 
 	if as.createBoundKeypairValidator == nil {
 
@@ -34,17 +34,17 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	armpolicy "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/digitorus/pkcs7"
 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 
 	"github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/client/proto"
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/cloud/azure"
+	liboidc "github.com/gravitational/teleport/lib/oidc"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -87,7 +87,7 @@ type attestedData struct {
 }
 
 type accessTokenClaims struct {
-	jwt.Claims
+	oidc.TokenClaims
 	TenantID string `json:"tid"`
 	Version  string `json:"ver"`
 
@@ -107,18 +107,29 @@ type accessTokenClaims struct {
 	AzureResourceID            string `json:"xms_az_rid"`
 }
 
+func (c *accessTokenClaims) AsJWTClaims() jwt.Claims {
+	return jwt.Claims{
+		Issuer:    c.Issuer,
+		Subject:   c.Subject,
+		Audience:  jwt.Audience(c.Audience),
+		Expiry:    jwt.NewNumericDate(c.Expiration.AsTime()),
+		NotBefore: jwt.NewNumericDate(c.NotBefore.AsTime()),
+		IssuedAt:  jwt.NewNumericDate(c.IssuedAt.AsTime()),
+		ID:        c.JWTID,
+	}
+}
+
 type azureVerifyTokenFunc func(ctx context.Context, rawIDToken string) (*accessTokenClaims, error)
 
 type vmClientGetter func(subscriptionID string, token *azure.StaticCredential) (azure.VirtualMachinesClient, error)
 
 type azureRegisterConfig struct {
-	clock                  clockwork.Clock
 	certificateAuthorities []*x509.Certificate
 	verify                 azureVerifyTokenFunc
 	getVMClient            vmClientGetter
 }
 
-func azureVerifyFuncFromOIDCVerifier(cfg *oidc.Config) azureVerifyTokenFunc {
+func azureVerifyFuncFromOIDCVerifier(clientID string) azureVerifyTokenFunc {
 	return func(ctx context.Context, rawIDToken string) (*accessTokenClaims, error) {
 		token, err := jwt.ParseSigned(rawIDToken)
 		if err != nil {
@@ -133,32 +144,13 @@ func azureVerifyFuncFromOIDCVerifier(cfg *oidc.Config) azureVerifyTokenFunc {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		provider, err := oidc.NewProvider(ctx, issuer)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		verifiedToken, err := provider.Verifier(cfg).Verify(ctx, rawIDToken)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		var tokenClaims accessTokenClaims
-		if err := verifiedToken.Claims(&tokenClaims); err != nil {
-			return nil, trace.Wrap(err)
-		}
-		return &tokenClaims, nil
+		return liboidc.ValidateToken[*accessTokenClaims](ctx, issuer, clientID, rawIDToken)
 	}
 }
 
 func (cfg *azureRegisterConfig) CheckAndSetDefaults(ctx context.Context) error {
-	if cfg.clock == nil {
-		cfg.clock = clockwork.NewRealClock()
-	}
 	if cfg.verify == nil {
-		oidcConfig := &oidc.Config{
-			ClientID: azureAccessTokenAudience,
-			Now:      cfg.clock.Now,
-		}
-		cfg.verify = azureVerifyFuncFromOIDCVerifier(oidcConfig)
+		cfg.verify = azureVerifyFuncFromOIDCVerifier(azureAccessTokenAudience)
 	}
 
 	if cfg.certificateAuthorities == nil {
@@ -278,7 +270,7 @@ func verifyVMIdentity(
 		Time:     requestStart,
 	}
 
-	if err := tokenClaims.Validate(expectedClaims); err != nil {
+	if err := tokenClaims.AsJWTClaims().Validate(expectedClaims); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -301,7 +293,7 @@ func verifyVMIdentity(
 
 	tokenCredential := azure.NewStaticCredential(azcore.AccessToken{
 		Token:     accessToken,
-		ExpiresOn: tokenClaims.Expiry.Time(),
+		ExpiresOn: tokenClaims.GetExpiration(),
 	})
 	vmClient, err := cfg.getVMClient(subscriptionID, tokenCredential)
 	if err != nil {
 
@@ -34,6 +34,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
@@ -144,14 +145,14 @@ func makeToken(managedIdentityResourceID, azureResourceID string, issueTime time
 		return "", trace.Wrap(err)
 	}
 	claims := accessTokenClaims{
-		Claims: jwt.Claims{
-			Issuer:    "https://sts.windows.net/test-tenant-id/",
-			Audience:  []string{azureAccessTokenAudience},
-			Subject:   "test",
-			IssuedAt:  jwt.NewNumericDate(issueTime),
-			NotBefore: jwt.NewNumericDate(issueTime),
-			Expiry:    jwt.NewNumericDate(issueTime.Add(time.Minute)),
-			ID:        "id",
+		TokenClaims: oidc.TokenClaims{
+			Issuer:     "https://sts.windows.net/test-tenant-id/",
+			Audience:   []string{azureAccessTokenAudience},
+			Subject:    "test",
+			IssuedAt:   oidc.FromTime(issueTime),
+			NotBefore:  oidc.FromTime(issueTime),
+			Expiration: oidc.FromTime(issueTime.Add(time.Minute)),
+			JWTID:      "id",
 		},
 		ManangedIdentityResourceID: managedIdentityResourceID,
 		AzureResourceID:            azureResourceID,
Original file line number	Diff line number	Diff line change
`@@ -647,19 +647,15 @@ func NewServer(cfg InitConfig, opts ...ServerOption) (Server, error) {`
`647`	`647`
`648`	`648`	`if as.ghaIDTokenValidator == nil {`
`649`	`649`	`as.ghaIDTokenValidator = githubactions.NewIDTokenValidator(`
`650`		`- githubactions.IDTokenValidatorConfig{`
`651`		`- Clock: as.clock,`
`652`		`- },`
	`650`	`+ githubactions.IDTokenValidatorConfig{},`
`653`	`651`	`)`
`654`	`652`	`}`
`655`	`653`	`if as.ghaIDTokenJWKSValidator == nil {`
`656`	`654`	`as.ghaIDTokenJWKSValidator = githubactions.ValidateTokenWithJWKS`
`657`	`655`	`}`
`658`	`656`	`if as.spaceliftIDTokenValidator == nil {`
`659`	`657`	`as.spaceliftIDTokenValidator = spacelift.NewIDTokenValidator(`
`660`		`- spacelift.IDTokenValidatorConfig{`
`661`		`- Clock: as.clock,`
`662`		`- },`
	`658`	`+ spacelift.IDTokenValidatorConfig{},`
`663`	`659`	`)`
`664`	`660`	`}`
`665`	`661`	`if as.gitlabIDTokenValidator == nil {`
`@@ -681,7 +677,7 @@ func NewServer(cfg InitConfig, opts ...ServerOption) (Server, error) {`
`681`	`677`	`ctx context.Context, organizationID, token string,`
`682`	`678`	`) (*circleci.IDTokenClaims, error) {`
`683`	`679`	`return circleci.ValidateToken(`
`684`		`- ctx, as.clock, circleci.IssuerURLTemplate, organizationID, token,`
	`680`	`+ ctx, circleci.IssuerURLTemplate, organizationID, token,`
`685`	`681`	`)`
`686`	`682`	`}`
`687`	`683`	`}`
`@@ -697,20 +693,16 @@ func NewServer(cfg InitConfig, opts ...ServerOption) (Server, error) {`
`697`	`693`
`698`	`694`	`if as.gcpIDTokenValidator == nil {`
`699`	`695`	`as.gcpIDTokenValidator = gcp.NewIDTokenValidator(`
`700`		`- gcp.IDTokenValidatorConfig{`
`701`		`- Clock: as.clock,`
`702`		`- },`
	`696`	`+ gcp.IDTokenValidatorConfig{},`
`703`	`697`	`)`
`704`	`698`	`}`
`705`	`699`
`706`	`700`	`if as.terraformIDTokenValidator == nil {`
`707`		`- as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{`
`708`		`- Clock: as.clock,`
`709`		`- })`
	`701`	`+ as.terraformIDTokenValidator = terraformcloud.NewIDTokenValidator(terraformcloud.IDTokenValidatorConfig{})`
`710`	`702`	`}`
`711`	`703`
`712`	`704`	`if as.bitbucketIDTokenValidator == nil {`
`713`		`- as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator(as.clock)`
	`705`	`+ as.bitbucketIDTokenValidator = bitbucket.NewIDTokenValidator()`
`714`	`706`	`}`
`715`	`707`
`716`	`708`	`if as.createBoundKeypairValidator == nil {`