Merge branch 'next' into main-next

prepare the merge of next into main by resolving merge conflicts.

example/client/api/api.go

@@ -12,8 +12,8 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
 
-	"github.com/zitadel/oidc/pkg/client/rs"
-	"github.com/zitadel/oidc/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/client/rs"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
 )
 
 const (
@@ -76,7 +76,7 @@ func main() {
 		params := mux.Vars(r)
 		requestedClaim := params["claim"]
 		requestedValue := params["value"]
-		value, ok := resp.GetClaim(requestedClaim).(string)
+		value, ok := resp.Claims[requestedClaim].(string)
 		if !ok || value == "" || value != requestedValue {
 			http.Error(w, "claim does not match", http.StatusForbidden)
 			return

example/client/app/app.go

@@ -11,9 +11,9 @@ import (
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 
-	"github.com/zitadel/oidc/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/pkg/http"
-	"github.com/zitadel/oidc/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v2/pkg/http"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
 )
 
 var (
@@ -62,7 +62,7 @@ func main() {
 	http.Handle("/login", rp.AuthURLHandler(state, provider, rp.WithPromptURLParam("Welcome back!")))
 
 	// for demonstration purposes the returned userinfo response is written as JSON object onto response
-	marshalUserinfo := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp rp.RelyingParty, info oidc.UserInfo) {
+	marshalUserinfo := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, rp rp.RelyingParty, info *oidc.UserInfo) {
 		data, err := json.Marshal(info)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -82,6 +82,31 @@ func main() {
 	//	w.Write(data)
 	//}
 
+	// you can also try token exchange flow
+	//
+	// requestTokenExchange := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp rp.RelyingParty, info oidc.UserInfo) {
+	// 	data := make(url.Values)
+	// 	data.Set("grant_type", string(oidc.GrantTypeTokenExchange))
+	// 	data.Set("requested_token_type", string(oidc.IDTokenType))
+	// 	data.Set("subject_token", tokens.RefreshToken)
+	// 	data.Set("subject_token_type", string(oidc.RefreshTokenType))
+	// 	data.Add("scope", "profile custom_scope:impersonate:id2")
+
+	// 	client := &http.Client{}
+	// 	r2, _ := http.NewRequest(http.MethodPost, issuer+"/oauth/token", strings.NewReader(data.Encode()))
+	// 	// r2.Header.Add("Authorization", "Basic "+"d2ViOnNlY3JldA==")
+	// 	r2.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	// 	r2.SetBasicAuth("web", "secret")
+
+	// 	resp, _ := client.Do(r2)
+	// 	fmt.Println(resp.Status)
+
+	// 	b, _ := io.ReadAll(resp.Body)
+	// 	resp.Body.Close()
+
+	// 	w.Write(b)
+	// }
+
 	// register the CodeExchangeHandler at the callbackPath
 	// the CodeExchangeHandler handles the auth response, creates the token request and calls the callback function
 	// with the returned tokens from the token endpoint

example/client/device/device.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/zitadel/oidc/v2/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v2/pkg/http"
+)
+
+var (
+	key = []byte("test1234test1234")
+)
+
+func main() {
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT)
+	defer stop()
+
+	clientID := os.Getenv("CLIENT_ID")
+	clientSecret := os.Getenv("CLIENT_SECRET")
+	keyPath := os.Getenv("KEY_PATH")
+	issuer := os.Getenv("ISSUER")
+	scopes := strings.Split(os.Getenv("SCOPES"), " ")
+
+	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())
+
+	var options []rp.Option
+	if clientSecret == "" {
+		options = append(options, rp.WithPKCE(cookieHandler))
+	}
+	if keyPath != "" {
+		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
+	}
+
+	provider, err := rp.NewRelyingPartyOIDC(issuer, clientID, clientSecret, "", scopes, options...)
+	if err != nil {
+		logrus.Fatalf("error creating provider %s", err.Error())
+	}
+
+	logrus.Info("starting device authorization flow")
+	resp, err := rp.DeviceAuthorization(scopes, provider)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	logrus.Info("resp", resp)
+	fmt.Printf("\nPlease browse to %s and enter code %s\n", resp.VerificationURI, resp.UserCode)
+
+	logrus.Info("start polling")
+	token, err := rp.DeviceAccessToken(ctx, resp.DeviceCode, time.Duration(resp.Interval)*time.Second, provider)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	logrus.Infof("successfully obtained token: %v", token)
+}

example/client/github/github.go

@@ -10,9 +10,10 @@ import (
 	"golang.org/x/oauth2"
 	githubOAuth "golang.org/x/oauth2/github"
 
-	"github.com/zitadel/oidc/pkg/client/rp"
-	"github.com/zitadel/oidc/pkg/client/rp/cli"
-	"github.com/zitadel/oidc/pkg/http"
+	"github.com/zitadel/oidc/v2/pkg/client/rp"
+	"github.com/zitadel/oidc/v2/pkg/client/rp/cli"
+	"github.com/zitadel/oidc/v2/pkg/http"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
 )
 
 var (
@@ -43,7 +44,7 @@ func main() {
 	state := func() string {
 		return uuid.New().String()
 	}
-	token := cli.CodeFlow(ctx, relyingParty, callbackPath, port, state)
+	token := cli.CodeFlow[*oidc.IDTokenClaims](ctx, relyingParty, callbackPath, port, state)
 
 	client := github.NewClient(relyingParty.OAuthConfig().Client(ctx, token.Token))
 

example/client/service/service.go

@@ -13,7 +13,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 
-	"github.com/zitadel/oidc/pkg/client/profile"
+	"github.com/zitadel/oidc/v2/pkg/client/profile"
 )
 
 var client = http.DefaultClient