feat: merge the verifier types (#336)

BREAKING CHANGE:

- The various verifier types are merged into a oidc.Verifir.
- oidc.Verfier became a struct with exported fields

* use type aliases for oidc.Verifier

this binds the correct contstructor to each verifier usecase.

* fix: handle the zero cases for oidc.Time

* add unit tests to oidc verifier

* fix: correct returned field for JWTTokenRequest

JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field.
This change corrects that by returning IssuedAt instead.

pkg/op/verifier_access_token.go

@@ -2,62 +2,25 @@ package op
 
 import (
 	"context"
-	"time"
 
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
-type AccessTokenVerifier interface {
-	oidc.Verifier
-	SupportedSignAlgs() []string
-	KeySet() oidc.KeySet
-}
+type AccessTokenVerifier oidc.Verifier
 
-type accessTokenVerifier struct {
-	issuer            string
-	maxAgeIAT         time.Duration
-	offset            time.Duration
-	supportedSignAlgs []string
-	keySet            oidc.KeySet
-}
-
-// Issuer implements oidc.Verifier interface
-func (i *accessTokenVerifier) Issuer() string {
-	return i.issuer
-}
-
-// MaxAgeIAT implements oidc.Verifier interface
-func (i *accessTokenVerifier) MaxAgeIAT() time.Duration {
-	return i.maxAgeIAT
-}
-
-// Offset implements oidc.Verifier interface
-func (i *accessTokenVerifier) Offset() time.Duration {
-	return i.offset
-}
-
-// SupportedSignAlgs implements AccessTokenVerifier interface
-func (i *accessTokenVerifier) SupportedSignAlgs() []string {
-	return i.supportedSignAlgs
-}
-
-// KeySet implements AccessTokenVerifier interface
-func (i *accessTokenVerifier) KeySet() oidc.KeySet {
-	return i.keySet
-}
-
-type AccessTokenVerifierOpt func(*accessTokenVerifier)
+type AccessTokenVerifierOpt func(*AccessTokenVerifier)
 
 func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifierOpt {
-	return func(verifier *accessTokenVerifier) {
-		verifier.supportedSignAlgs = algs
+	return func(verifier *AccessTokenVerifier) {
+		verifier.SupportedSignAlgs = algs
 	}
 }
 
-func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) AccessTokenVerifier {
-	verifier := &accessTokenVerifier{
-		issuer: issuer,
-		keySet: keySet,
+// NewAccessTokenVerifier returns a AccessTokenVerifier suitable for access token verification.
+func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *AccessTokenVerifier {
+	verifier := &AccessTokenVerifier{
+		Issuer: issuer,
+		KeySet: keySet,
 	}
 	for _, opt := range opts {
 		opt(verifier)
@@ -66,7 +29,7 @@ func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTok
 }
 
 // VerifyAccessToken validates the access token (issuer, signature and expiration).
-func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v AccessTokenVerifier) (claims C, err error) {
+func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *AccessTokenVerifier) (claims C, err error) {
 	var nilClaims C
 
 	decrypted, err := oidc.DecryptToken(token)
@@ -78,15 +41,15 @@ func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v Acces
 		return nilClaims, err
 	}
 
-	if err := oidc.CheckIssuer(claims, v.Issuer()); err != nil {
+	if err := oidc.CheckIssuer(claims, v.Issuer); err != nil {
 		return nilClaims, err
 	}
 
-	if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs(), v.KeySet()); err != nil {
+	if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs, v.KeySet); err != nil {
 		return nilClaims, err
 	}
 
-	if err = oidc.CheckExpiration(claims, v.Offset()); err != nil {
+	if err = oidc.CheckExpiration(claims, v.Offset); err != nil {
 		return nilClaims, err
 	}