add comments documenting Storage and AuthStorage

pkg/op/storage.go

@@ -16,7 +16,17 @@ type AuthStorage interface {
 	SaveAuthCode(context.Context, string, string) error
 	DeleteAuthRequest(context.Context, string) error
 
+	// The TokenRequest parameter of CreateAccessToken can be any of:
+	// - TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest
+	// - RefreshTokenRequest as returned by AuthStorage.TokenRequestByRefreshToken
+	// - AuthRequest as returned one of the AuthStorage methods above
+	// - oidc.JWTTokenRequest created by decoding a JWT
 	CreateAccessToken(context.Context, TokenRequest) (string, time.Time, error)
+
+	// The TokenRequest parameter of CreateAccessAndRefreshTokens can be any of:
+	// - TokenRequest as returned by ClientCredentialsStorage.ClientCredentialsTokenRequest
+	// - RefreshTokenRequest as returned by AuthStorage.TokenRequestByRefreshToken
+	// - AuthRequest as returned one of the AuthStorage methods above
 	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
 	TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (RefreshTokenRequest, error)
 
@@ -42,6 +52,11 @@ type OPStorage interface {
 	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
 }
 
+// Storage is a required parameter for NewOpenIDProvider(). In addition to the
+// embedded interfaces below, if the passed Storage implements ClientCredentialsStorage
+// then the grant type "client_credentials" will be supported. In that case, the access
+// token returned by CreateAccessToken should be a JWT.
+// See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4 for context.
 type Storage interface {
 	AuthStorage
 	OPStorage