refactor: remove usage of core/oidc package.

cmd/serve.go

@@ -70,12 +70,12 @@ var serveCmd = &cobra.Command{
 			fx.Supply(fx.Annotate(cmd.Context(), fx.As(new(context.Context)))),
 			api.Module(baseUrl, ":8080"),
 			storage.Module(viper.GetString(postgresUriFlag), key),
-			delegatedauth.Module(
-				delegatedIssuer,
-				delegatedClientID,
-				delegatedClientSecret,
-				fmt.Sprintf("%s/delegatedoidc/callback", baseUrl),
-			),
+			delegatedauth.Module(delegatedauth.Config{
+				Issuer:       delegatedIssuer,
+				ClientID:     delegatedClientID,
+				ClientSecret: delegatedClientSecret,
+				RedirectURL:  fmt.Sprintf("%s/delegatedoidc/callback", baseUrl),
+			}),
 			fx.Invoke(func() {
 				sharedlogging.Infof("App started.")
 			}),

go.mod

@@ -3,8 +3,6 @@ module github.com/numary/auth
 go 1.18
 
 require (
-	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/davecgh/go-spew v1.1.1
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/numary/go-libs v0.0.0-20220801164020-fc3e3280ca13
@@ -13,17 +11,21 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/viper v1.12.0
+	github.com/stretchr/testify v1.8.0
 	github.com/zitadel/oidc v1.6.1
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.33.0
+	go.opentelemetry.io/otel/trace v1.8.0
 	go.uber.org/fx v1.17.1
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 	golang.org/x/text v0.3.7
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gorm.io/driver/postgres v1.3.8
+	gorm.io/driver/sqlite v1.3.6
 	gorm.io/gorm v1.23.8
 )
 
 require (
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -52,15 +54,12 @@ require (
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/spf13/afero v1.8.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.8.0 // indirect
 	github.com/subosito/gotenv v1.3.0 // indirect
 	github.com/zitadel/logging v0.3.4 // indirect
-	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.33.0 // indirect
 	go.opentelemetry.io/otel v1.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.8.0 // indirect
@@ -69,14 +68,14 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.8.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.8.0 // indirect
-	go.opentelemetry.io/otel/trace v1.8.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.18.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/dig v1.14.1 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
 	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
@@ -85,5 +84,4 @@ require (
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gorm.io/driver/sqlite v1.3.6 // indirect
 )

go.sum

@@ -64,8 +64,6 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -82,7 +80,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -239,7 +236,6 @@ github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dv
 github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
-github.com/jinzhu/now v1.1.4 h1:tHnRBy1i5F2Dh8BAFxqFzxKqqvezXrL2OW1TnX+Mlas=
 github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
@@ -290,8 +286,6 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
-github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -331,7 +325,6 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=

pkg/api/authorize_callback.go

@@ -4,19 +4,17 @@ import (
 	"context"
 	"net/http"
 
-	"github.com/coreos/go-oidc"
 	auth "github.com/numary/auth/pkg"
 	"github.com/numary/auth/pkg/delegatedauth"
 	"github.com/numary/auth/pkg/storage"
+	"github.com/zitadel/oidc/pkg/client/rp"
 	"github.com/zitadel/oidc/pkg/op"
-	"golang.org/x/oauth2"
 )
 
 func authorizeCallbackHandler(
 	provider op.OpenIDProvider,
 	storage storage.Storage,
-	delegatedOAuth2Config oauth2.Config,
-	delegatedOIDCProvider *oidc.Provider,
+	relyingParty rp.RelyingParty,
 ) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
@@ -30,28 +28,21 @@ func authorizeCallbackHandler(
 			panic(err)
 		}
 
-		token, err := delegatedOAuth2Config.Exchange(context.Background(), r.URL.Query().Get("code"))
+		tokens, err := rp.CodeExchange(context.Background(), r.URL.Query().Get("code"), relyingParty)
 		if err != nil {
 			panic(err)
 		}
 
-		idToken, err := delegatedOIDCProvider.Verifier(&oidc.Config{
-			ClientID: delegatedOAuth2Config.ClientID,
-		}).Verify(context.Background(), token.Extra("id_token").(string))
+		userInfo, err := rp.Userinfo(tokens.AccessToken, "Bearer", tokens.IDTokenClaims.GetSubject(), relyingParty)
 		if err != nil {
 			panic(err)
 		}
 
-		claims := &delegatedauth.Claims{}
-		if err := idToken.Claims(&claims); err != nil {
-			panic(err)
-		}
-
-		user, err := storage.FindUserByEmail(r.Context(), claims.Email)
+		user, err := storage.FindUserByEmail(r.Context(), userInfo.GetEmail())
 		if err != nil {
 			user = &auth.User{
-				Subject: claims.Subject,
-				Email:   claims.Email,
+				Subject: userInfo.GetSubject(),
+				Email:   userInfo.GetEmail(),
 			}
 			if err := storage.CreateUser(r.Context(), user); err != nil {
 				panic(err)

pkg/api/clients.go

@@ -21,20 +21,20 @@ func addClientRoutes(db *gorm.DB, router *mux.Router) {
 	router.Path("/clients/{clientId}/scopes/{scopeId}").Methods(http.MethodDelete).HandlerFunc(deleteScopeOfClient(db))
 }
 
-type client struct {
+type clientView struct {
 	auth.ClientOptions
 	ID     string   `json:"id"`
 	Scopes []string `json:"scopes"`
 }
 
-func mapBusinessClient(c auth.Client) client {
+func mapBusinessClient(c auth.Client) clientView {
 	public := true
 	for _, grantType := range c.GrantTypes {
 		if grantType == oidc.GrantTypeClientCredentials {
 			public = false
 		}
 	}
-	return client{
+	return clientView{
 		ClientOptions: auth.ClientOptions{
 			Public:                 public,
 			RedirectUris:           c.RedirectURIs,

pkg/api/clients_test.go

@@ -94,7 +94,7 @@ func TestCreateClient(t *testing.T) {
 
 			require.Equal(t, http.StatusCreated, res.Code)
 
-			createdClient := readTestResponse[client](t, res)
+			createdClient := readTestResponse[clientView](t, res)
 			require.NotEmpty(t, createdClient.ID)
 			require.Equal(t, tc.options, createdClient.ClientOptions)
 
@@ -178,7 +178,7 @@ func TestUpdateClient(t *testing.T) {
 
 			require.Equal(t, http.StatusOK, res.Code)
 
-			updatedClient := readTestResponse[client](t, res)
+			updatedClient := readTestResponse[clientView](t, res)
 			require.NotEmpty(t, updatedClient.ID)
 			require.Equal(t, tc.options, updatedClient.ClientOptions)
 
@@ -210,7 +210,7 @@ func TestListClients(t *testing.T) {
 
 		require.Equal(t, http.StatusOK, res.Code)
 
-		clients := readTestResponse[[]client](t, res)
+		clients := readTestResponse[[]clientView](t, res)
 		require.Len(t, clients, 2)
 		require.Len(t, clients[1].Metadata, 1)
 		require.Equal(t, clients[1].Metadata["foo"], "bar")
@@ -239,8 +239,8 @@ func TestReadClient(t *testing.T) {
 
 		require.Equal(t, http.StatusOK, res.Code)
 
-		ret := readTestResponse[client](t, res)
-		require.Equal(t, client{
+		ret := readTestResponse[clientView](t, res)
+		require.Equal(t, clientView{
 			ClientOptions: opts,
 			ID:            client1.Id,
 			Scopes:        []string{scope1.ID},

pkg/api/health.go

@@ -2,25 +2,16 @@ package api
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 
-	"github.com/numary/auth/pkg/delegatedauth"
 	sharedhealth "github.com/numary/go-libs/sharedhealth/pkg"
+	"github.com/zitadel/oidc/pkg/client"
+	"github.com/zitadel/oidc/pkg/client/rp"
 )
 
-func delegatedOIDCServerAvailability(issuer delegatedauth.Issuer) sharedhealth.NamedCheck {
+func delegatedOIDCServerAvailability(rp rp.RelyingParty) sharedhealth.NamedCheck {
 	return sharedhealth.NewNamedCheck("Delegated OIDC server", sharedhealth.CheckFn(func(ctx context.Context) error {
-		rsp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuer))
-		if err != nil {
-			return err
-		}
-		if rsp.Body != nil {
-			rsp.Body.Close()
-		}
-		if rsp.StatusCode != http.StatusOK {
-			return fmt.Errorf("Unexpected status code: %d", rsp.StatusCode)
-		}
-		return nil
+		_, err := client.Discover(rp.Issuer(), http.DefaultClient)
+		return err
 	}))
 }

pkg/api/router.go

@@ -3,19 +3,17 @@ package api
 import (
 	"net/http"
 
-	"github.com/coreos/go-oidc"
 	"github.com/gorilla/mux"
-	"github.com/numary/auth/pkg/delegatedauth"
 	"github.com/numary/auth/pkg/storage"
 	sharedhealth "github.com/numary/go-libs/sharedhealth/pkg"
+	"github.com/zitadel/oidc/pkg/client/rp"
 	"github.com/zitadel/oidc/pkg/op"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
 	"gorm.io/gorm"
 )
 
 func NewRouter(provider op.OpenIDProvider, storage storage.Storage, healthController *sharedhealth.HealthController,
-	delegatedOAuth2Config delegatedauth.OAuth2Config, delegatedOIDCProvider *oidc.Provider,
-	db *gorm.DB) *mux.Router {
+	relyingParty rp.RelyingParty, db *gorm.DB) *mux.Router {
 	router := provider.HttpHandler().(*mux.Router)
 	router.Use(otelmux.Middleware("auth"))
 	router.Use(func(handler http.Handler) http.Handler {
@@ -26,7 +24,7 @@ func NewRouter(provider op.OpenIDProvider, storage storage.Storage, healthContro
 	})
 	router.Path("/_healthcheck").HandlerFunc(healthController.Check)
 	router.Path("/delegatedoidc/callback").Handler(authorizeCallbackHandler(
-		provider, storage, delegatedOAuth2Config, delegatedOIDCProvider))
+		provider, storage, relyingParty))
 	addClientRoutes(db, router)
 	addScopeRoutes(db, router)
 	return router

pkg/delegatedauth/module.go

@@ -1,22 +1,21 @@
 package delegatedauth
 
 import (
-	"github.com/coreos/go-oidc"
+	"github.com/zitadel/oidc/pkg/client/rp"
 	"go.uber.org/fx"
 )
 
-func Module(issuer, clientID, clientSecret, redirectURL string) fx.Option {
+type Config struct {
+	Issuer       string
+	ClientID     string
+	ClientSecret string
+	RedirectURL  string
+}
+
+func Module(cfg Config) fx.Option {
 	return fx.Options(
-		fx.Provide(ProvideDelegatedOIDCProvider),
-		fx.Supply(Issuer(issuer)),
-		fx.Provide(func(provider *oidc.Provider) OAuth2Config {
-			return OAuth2Config{
-				ClientID:     clientID,
-				ClientSecret: clientSecret,
-				RedirectURL:  redirectURL,
-				Endpoint:     provider.Endpoint(),
-				Scopes:       []string{oidc.ScopeOpenID, "email"},
-			}
+		fx.Provide(func() (rp.RelyingParty, error) {
+			return rp.NewRelyingPartyOIDC(cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL, []string{"openid email"})
 		}),
 	)
 }