Add an InspectTicket method for unverified ticket inspection

sso.go

@@ -270,3 +270,21 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
 
 	return t, nil
 }
+
+// InspectTicket reads a ticket without validating it (beyond syntax),
+// returning user and service. The results are untrusted.
+func InspectTicket(encoded string) (string, string, error) {
+	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", "", err
+	}
+	if len(decoded) < signatureLen {
+		return "", "", ErrMessageTooShort
+	}
+	serialized := decoded[signatureLen:]
+	t, err := deserializeTicket(string(serialized))
+	if err != nil {
+		return "", "", err
+	}
+	return t.User, t.Service, nil
+}