testutil: simplefy usage

2023-03-04 02:00:26 +02:00 · 2023-03-04 02:00:26 +02:00 · 944fbd7c5b
commit 944fbd7c5b
parent 2b6c709ce7
4 changed files with 92 additions and 99 deletions
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@ -4,8 +4,6 @@ package testutil

 import (
 	"context"
-	"crypto/rand"
-	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"time"
@ -14,40 +12,45 @@ import (
 	"gopkg.in/square/go-jose.v2"
 )

-const SignatureAlgorithm = jose.PS512
+// KeySet implements oidc.Keys
+type KeySet struct{}

-// KeySet implements oidc.Keys and
-// additionally can create tokens and claims that can
-// be validated by this KeySet.
-type KeySet struct {
-	Private *rsa.PrivateKey
-	Public  *rsa.PublicKey
+// VerifySignature implments op.KeySet.
+func (KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
+	if ctx.Err() != nil {
+		return nil, err
+	}

+	return jws.Verify(WebKey.Public())
+}
+
+// use a reproducible signing key
+const webkeyJSON = `{"kty":"RSA","kid":"1","alg":"PS512","n":"x6JoG8t2Li68JSwPwnh51TvHYFf3z72tQ3wmJG3VosU6MdJF0gSTCIwflOJ38OWE6hYtN1WAeyBy2CYdnXd1QZzkK_apGK4M7hsNA9jCTg8NOZjLPL0ww1jp7313Skla7mbm90uNdg4TUNp2n_r-sCYywI-9cfSlhzLSksxKK_BRdzy6xW20daAcI-mErQXIcvdYIguunJk_uTb8kJedsWMcQ4Mb57QujUok2Z2YabWyb9Fi1_StixXJvd_WEu93SHNMORB0u6ymnO3aZJdATLdhtcP-qsVicQhffpqVazmZQPf7K-7n4I5vJE4g9XXzZ2dSKSp3Ewe_nna_2kvbCw","e":"AQAB","d":"sl3F_QeF2O-CxQegMRYpbL6Tfd47GM6VDxXOkn_cACmNvFPudB4ILPvdf830cjTv06Lq1WS8fcZZNgygK0A_cNc3-pvRK67e-KMMtuIlgU7rdwmwlN1Iw1Ee-w6z1ZjC-PzR4iQMCW28DmKS2I-OnV4TvH7xOe7nMmvTPrvujV__YKfUxvAWXJG7_wtaJBGplezn5nNsKG2Ot9h0mhMdYUgGC36wLxo3Q5d4m79EXQYdhm89EfxogwvMmHRes5PNpHRuDZRHGAI4RZi2KvgmqF07e1Qdq4TqbQnY5pCYrdjqvEFFjGC6jTE-ak_b21FcSVy-9aZHyf04U4g5-cIUEQ","p":"7AaicFryJCHRekdSkx8tfPxaSiyEuN8jhP9cLqs4rLkIbrSHmanPhjnLe-Tlh3icQ8hPoy6WC8ktLwsrzbfGIh4U_zgAfvtD1Y_lZM-YSWZsxqlrGiI5do11iVzzoy4a1XdkgOjHQz9y6J-uoA9jY8ILG7VaEZQnaYwWZV3cspk","q":"2Ide9hlwthXJQJYqI0mibM5BiGBxJ4CafPmF1DYNXggBCczZ6ERGReNTGM_AEhy5mvLXUH6uBSOJlfHTYzx49C1GgIO3hEWVEGAKAytVRL6RfAkVSOXMQUp-HjXKpGg_Nx1SJxQf3rulbW8HXO4KqIlloyIXpPQSK7jB8A4hJUM","dp":"1nmc6F4sRNsaQHRJO_mL21RxM4_KtzfFThjCCoJ6iLHHUNnpkp_1PTKNjrLMRFM8JHgErfMqU-FmlqYfEtvZRq1xRQ39nWX0GT-eIwJljuVtGQVglqnc77bRxJXbqz-9EJdik6VzVM92Op7IDxiMp1zvvSkJhInNWqL6wvgNEZk","dq":"dlHizlAwiw90ndpwxD-khhhfLwqkSpW31br0KnYu78cn6hcKrCVC0UXbTp-XsU4JDmbMyauvpBc7Q7iVbpDI94UWFXvkeF8diYkxb3HqclpAXasI-oC4EKWILTHvvc9JW_Clx7zzfV7Ekvws5dcd8-LAq1gh232TwFiBgY_3BMk","qi":"E1k_9W3odXgcmIP2PCJztE7hB7jeuAL1ElAY88VJBBPY670uwOEjKL2VfQuz9q9IjzLAvcgf7vS9blw2RHP_XqHqSOlJWGwvMQTF0Q8zLknCgKt8q7HQQNWIJcBZ8qdUVn02-qf4E3tgZ3JHaHNs8imA_L-__WoUmzC4z5jH_lM"}`
+
+const SignatureAlgorithm = jose.RS256
+
+var (
+	WebKey jose.JSONWebKey
 	Signer jose.Signer
-}
+)

-func NewKeySet() *KeySet {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+func init() {
+	err := json.Unmarshal([]byte(webkeyJSON), &WebKey)
 	if err != nil {
 		panic(err)
 	}
-	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: SignatureAlgorithm, Key: privateKey}, nil)
+	Signer, err = jose.NewSigner(jose.SigningKey{Algorithm: SignatureAlgorithm, Key: WebKey}, nil)
 	if err != nil {
 		panic(err)
 	}
-	return &KeySet{
-		Private: privateKey,
-		Public:  &privateKey.PublicKey,
-		Signer:  signer,
-	}
 }

-func (k *KeySet) signEncodeTokenClaims(claims any) string {
+func signEncodeTokenClaims(claims any) string {
 	payload, err := json.Marshal(claims)
 	if err != nil {
 		panic(err)
 	}
-	object, err := k.Signer.Sign(payload)
+	object, err := Signer.Sign(payload)
 	if err != nil {
 		panic(err)
 	}
@ -70,11 +73,27 @@ func claimsMap(claims any) map[string]any {
 	return dst
 }

-// NewIDToken creates a new IDTokenClaims with passed data and returns a signed token and claims.
-func (k *KeySet) NewIDToken(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string) (string, *oidc.IDTokenClaims) {
+func NewIDTokenCustom(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string, custom map[string]any) (string, *oidc.IDTokenClaims) {
 	claims := oidc.NewIDTokenClaims(issuer, subject, audience, expiration, authTime, nonce, acr, amr, clientID, skew)
 	claims.AccessTokenHash = atHash
-	token := k.signEncodeTokenClaims(claims)
+	claims.Claims = custom
+	token := signEncodeTokenClaims(claims)
+
+	// set this so that assertion in tests will work
+	claims.SignatureAlg = SignatureAlgorithm
+	claims.Claims = claimsMap(claims)
+	return token, claims
+}
+
+// NewIDToken creates a new IDTokenClaims with passed data and returns a signed token and claims.
+func NewIDToken(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string, skew time.Duration, atHash string) (string, *oidc.IDTokenClaims) {
+	return NewIDTokenCustom(issuer, subject, audience, expiration, authTime, nonce, acr, amr, clientID, skew, atHash, nil)
+}
+
+func NewAccessTokenCustom(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration, custom map[string]any) (string, *oidc.AccessTokenClaims) {
+	claims := oidc.NewAccessTokenClaims(issuer, subject, audience, expiration, jwtid, clientID, skew)
+	claims.Claims = custom
+	token := signEncodeTokenClaims(claims)

 	// set this so that assertion in tests will work
 	claims.SignatureAlg = SignatureAlgorithm
@ -83,20 +102,13 @@ func (k *KeySet) NewIDToken(issuer, subject string, audience []string, expiratio
 }

 // NewAcccessToken creates a new AccessTokenClaims with passed data and returns a signed token and claims.
-func (k *KeySet) NewAccessToken(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) (string, *oidc.AccessTokenClaims) {
-	claims := oidc.NewAccessTokenClaims(issuer, subject, audience, expiration, jwtid, clientID, skew)
-	token := k.signEncodeTokenClaims(claims)
-
-	// set this so that assertion in tests will work
-	claims.SignatureAlg = SignatureAlgorithm
-	claims.Claims = claimsMap(claims)
-	return token, claims
+func NewAccessToken(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) (string, *oidc.AccessTokenClaims) {
+	return NewAccessTokenCustom(issuer, subject, audience, expiration, jwtid, clientID, skew, nil)
 }

 const InvalidSignatureToken = `eyJhbGciOiJQUzUxMiJ9.eyJpc3MiOiJsb2NhbC5jb20iLCJzdWIiOiJ0aW1AbG9jYWwuY29tIiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImV4cCI6MTY3Nzg0MDQzMSwiaWF0IjoxNjc3ODQwMzcwLCJhdXRoX3RpbWUiOjE2Nzc4NDAzMTAsIm5vbmNlIjoiMTIzNDUiLCJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF6cCI6IjU1NTY2NiJ9.DtZmvVkuE4Hw48ijBMhRJbxEWCr_WEYuPQBMY73J9TP6MmfeNFkjVJf4nh4omjB9gVLnQ-xhEkNOe62FS5P0BB2VOxPuHZUj34dNspCgG3h98fGxyiMb5vlIYAHDF9T-w_LntlYItohv63MmdYR-hPpAqjXE7KOfErf-wUDGE9R3bfiQ4HpTdyFJB1nsToYrZ9lhP2mzjTCTs58ckZfQ28DFHn_lfHWpR4rJBgvLx7IH4rMrUayr09Ap-PxQLbv0lYMtmgG1z3JK8MXnuYR0UJdZnEIezOzUTlThhCXB-nvuAXYjYxZZTR0FtlgZUHhIpYK0V2abf_Q_Or36akNCUg`

 // These variables always result in a valid token
-// for the same test run.
 var (
 	ValidIssuer     = "local.com"
 	ValidSubject    = "tim@local.com"
@ -112,26 +124,17 @@ var (
 )

 // ValidIDToken returns a token and claims that are in the token.
-// It uses the Valid* global variables and the token always passes
-// verification within the same test run.
-func (k *KeySet) ValidIDToken() (string, *oidc.IDTokenClaims) {
-	return k.NewIDToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidAuthTime, ValidNonce, ValidACR, ValidAMR, ValidClientID, ValidSkew, "")
+// It uses the Valid* global variables and the token will always
+// pass verification.
+func ValidIDToken() (string, *oidc.IDTokenClaims) {
+	return NewIDToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidAuthTime, ValidNonce, ValidACR, ValidAMR, ValidClientID, ValidSkew, "")
 }

 // ValidAccessToken returns a token and claims that are in the token.
 // It uses the Valid* global variables and the token always passes
 // verification within the same test run.
-func (k *KeySet) ValidAccessToken() (string, *oidc.AccessTokenClaims) {
-	return k.NewAccessToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidJWTID, ValidClientID, ValidSkew)
-}
-
-// VerifySignature implments op.KeySet.
-func (k *KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
-	if ctx.Err() != nil {
-		return nil, err
-	}
-
-	return jws.Verify(k.Public)
+func ValidAccessToken() (string, *oidc.AccessTokenClaims) {
+	return NewAccessToken(ValidIssuer, ValidSubject, ValidAudience, ValidExpiration, ValidJWTID, ValidClientID, ValidSkew)
 }

 // ACRVerify is a oidc.ACRVerifier func.
--- a/pkg/client/rp/verifier_test.go
+++ b/pkg/client/rp/verifier_test.go
@ -13,19 +13,18 @@ import (
 )

 func TestVerifyTokens(t *testing.T) {
-	keySet := tu.NewKeySet()
 	verifier := &idTokenVerifier{
 		issuer:            tu.ValidIssuer,
 		maxAgeIAT:         2 * time.Minute,
 		offset:            time.Second,
-		supportedSignAlgs: []string{string(jose.PS512)},
-		keySet:            keySet,
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
+		keySet:            tu.KeySet{},
 		maxAge:            2 * time.Minute,
 		acr:               tu.ACRVerify,
 		nonce:             func(context.Context) string { return tu.ValidNonce },
 		clientID:          tu.ValidClientID,
 	}
-	accessToken, _ := keySet.ValidAccessToken()
+	accessToken, _ := tu.ValidAccessToken()
 	atHash, err := oidc.ClaimHash(accessToken, tu.SignatureAlgorithm)
 	require.NoError(t, err)

@ -37,13 +36,13 @@ func TestVerifyTokens(t *testing.T) {
 	}{
 		{
 			name:          "without access token",
-			idTokenClaims: keySet.ValidIDToken,
+			idTokenClaims: tu.ValidIDToken,
 		},
 		{
 			name:        "with access token",
 			accessToken: accessToken,
 			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash,
@ -54,7 +53,7 @@ func TestVerifyTokens(t *testing.T) {
 			name:        "expired id token",
 			accessToken: accessToken,
 			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash,
@ -66,7 +65,7 @@ func TestVerifyTokens(t *testing.T) {
 			name:        "wronf access token",
 			accessToken: accessToken,
 			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "~~~",
@ -92,13 +91,12 @@ func TestVerifyTokens(t *testing.T) {
 }

 func TestVerifyIDToken(t *testing.T) {
-	keySet := tu.NewKeySet()
 	verifier := &idTokenVerifier{
 		issuer:            tu.ValidIssuer,
 		maxAgeIAT:         2 * time.Minute,
 		offset:            time.Second,
-		supportedSignAlgs: []string{string(jose.PS512)},
-		keySet:            keySet,
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
+		keySet:            tu.KeySet{},
 		maxAge:            2 * time.Minute,
 		acr:               tu.ACRVerify,
 		nonce:             func(context.Context) string { return tu.ValidNonce },
@ -113,7 +111,7 @@ func TestVerifyIDToken(t *testing.T) {
 		{
 			name:        "success",
 			clientID:    tu.ValidClientID,
-			tokenClaims: keySet.ValidIDToken,
+			tokenClaims: tu.ValidIDToken,
 		},
 		{
 			name:        "parse err",
@ -131,7 +129,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "empty subject",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, "", tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -143,7 +141,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "wrong issuer",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					"foo", tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -154,14 +152,14 @@ func TestVerifyIDToken(t *testing.T) {
 		{
 			name:        "wrong clientID",
 			clientID:    "foo",
-			tokenClaims: keySet.ValidIDToken,
+			tokenClaims: tu.ValidIDToken,
 			wantErr:     true,
 		},
 		{
 			name:     "expired",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -173,7 +171,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "wrong IAT",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "",
@ -185,7 +183,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "wrong acr",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					"else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -197,7 +195,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "expired auth",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime.Add(-time.Hour), tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -209,7 +207,7 @@ func TestVerifyIDToken(t *testing.T) {
 			name:     "wrong nonce",
 			clientID: tu.ValidClientID,
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, "foo",
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -236,8 +234,7 @@ func TestVerifyIDToken(t *testing.T) {
 }

 func TestVerifyAccessToken(t *testing.T) {
-	keySet := tu.NewKeySet()
-	token, _ := keySet.ValidAccessToken()
+	token, _ := tu.ValidAccessToken()
 	hash, err := oidc.ClaimHash(token, tu.SignatureAlgorithm)
 	require.NoError(t, err)

@ -294,7 +291,6 @@ func TestVerifyAccessToken(t *testing.T) {
 }

 func TestNewIDTokenVerifier(t *testing.T) {
-	keySet := tu.NewKeySet()
 	type args struct {
 		issuer   string
 		clientID string
@ -311,7 +307,7 @@ func TestNewIDTokenVerifier(t *testing.T) {
 			args: args{
 				issuer:   tu.ValidIssuer,
 				clientID: tu.ValidClientID,
-				keySet:   keySet,
+				keySet:   tu.KeySet{},
 				options: []VerifierOption{
 					WithIssuedAtOffset(time.Minute),
 					//WithIssuedAtMaxAge(time.Hour),
@ -326,7 +322,7 @@ func TestNewIDTokenVerifier(t *testing.T) {
 				offset: time.Minute,
 				//maxAgeIAT:         time.Hour, // Maybe BUG?
 				clientID:          tu.ValidClientID,
-				keySet:            keySet,
+				keySet:            tu.KeySet{},
 				nonce:             nil,
 				acr:               nil,
 				maxAge:            2 * time.Hour,
--- a/pkg/op/verifier_access_token_test.go
+++ b/pkg/op/verifier_access_token_test.go
@ -9,11 +9,9 @@ import (
 	"github.com/stretchr/testify/require"
 	tu "github.com/zitadel/oidc/v2/internal/testutil"
 	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"gopkg.in/square/go-jose.v2"
 )

 func TestNewAccessTokenVerifier(t *testing.T) {
-	keySet := tu.NewKeySet()
 	type args struct {
 		issuer string
 		keySet oidc.KeySet
@ -28,25 +26,25 @@ func TestNewAccessTokenVerifier(t *testing.T) {
 			name: "simple",
 			args: args{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 			},
 			want: &accessTokenVerifier{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 			},
 		},
 		{
 			name: "with signature algorithm",
 			args: args{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 				opts: []AccessTokenVerifierOpt{
 					WithSupportedAccessTokenSigningAlgorithms("ABC", "DEF"),
 				},
 			},
 			want: &accessTokenVerifier{
 				issuer:            tu.ValidIssuer,
-				keySet:            keySet,
+				keySet:            tu.KeySet{},
 				supportedSignAlgs: []string{"ABC", "DEF"},
 			},
 		},
@ -60,13 +58,12 @@ func TestNewAccessTokenVerifier(t *testing.T) {
 }

 func TestVerifyAccessToken(t *testing.T) {
-	keySet := tu.NewKeySet()
 	verifier := &accessTokenVerifier{
 		issuer:            tu.ValidIssuer,
 		maxAgeIAT:         2 * time.Minute,
 		offset:            time.Second,
-		supportedSignAlgs: []string{string(jose.PS512)},
-		keySet:            keySet,
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
+		keySet:            tu.KeySet{},
 	}

 	tests := []struct {
@ -76,7 +73,7 @@ func TestVerifyAccessToken(t *testing.T) {
 	}{
 		{
 			name:        "success",
-			tokenClaims: keySet.ValidAccessToken,
+			tokenClaims: tu.ValidAccessToken,
 		},
 		{
 			name:        "parse err",
@ -91,7 +88,7 @@ func TestVerifyAccessToken(t *testing.T) {
 		{
 			name: "wrong issuer",
 			tokenClaims: func() (string, *oidc.AccessTokenClaims) {
-				return keySet.NewAccessToken(
+				return tu.NewAccessToken(
 					"foo", tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidJWTID, tu.ValidClientID,
 					tu.ValidSkew,
@ -102,7 +99,7 @@ func TestVerifyAccessToken(t *testing.T) {
 		{
 			name: "expired",
 			tokenClaims: func() (string, *oidc.AccessTokenClaims) {
-				return keySet.NewAccessToken(
+				return tu.NewAccessToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration.Add(-time.Hour), tu.ValidJWTID, tu.ValidClientID,
 					tu.ValidSkew,
--- a/pkg/op/verifier_id_token_hint_test.go
+++ b/pkg/op/verifier_id_token_hint_test.go
@ -9,11 +9,9 @@ import (
 	"github.com/stretchr/testify/require"
 	tu "github.com/zitadel/oidc/v2/internal/testutil"
 	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"gopkg.in/square/go-jose.v2"
 )

 func TestNewIDTokenHintVerifier(t *testing.T) {
-	keySet := tu.NewKeySet()
 	type args struct {
 		issuer string
 		keySet oidc.KeySet
@ -28,25 +26,25 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
 			name: "simple",
 			args: args{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 			},
 			want: &idTokenHintVerifier{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 			},
 		},
 		{
 			name: "with signature algorithm",
 			args: args{
 				issuer: tu.ValidIssuer,
-				keySet: keySet,
+				keySet: tu.KeySet{},
 				opts: []IDTokenHintVerifierOpt{
 					WithSupportedIDTokenHintSigningAlgorithms("ABC", "DEF"),
 				},
 			},
 			want: &idTokenHintVerifier{
 				issuer:            tu.ValidIssuer,
-				keySet:            keySet,
+				keySet:            tu.KeySet{},
 				supportedSignAlgs: []string{"ABC", "DEF"},
 			},
 		},
@ -60,15 +58,14 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
 }

 func TestVerifyIDTokenHint(t *testing.T) {
-	keySet := tu.NewKeySet()
 	verifier := &idTokenHintVerifier{
 		issuer:            tu.ValidIssuer,
 		maxAgeIAT:         2 * time.Minute,
 		offset:            time.Second,
-		supportedSignAlgs: []string{string(jose.PS512)},
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
 		maxAge:            2 * time.Minute,
 		acr:               tu.ACRVerify,
-		keySet:            keySet,
+		keySet:            tu.KeySet{},
 	}

 	tests := []struct {
@ -78,7 +75,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 	}{
 		{
 			name:        "success",
-			tokenClaims: keySet.ValidIDToken,
+			tokenClaims: tu.ValidIDToken,
 		},
 		{
 			name:        "parse err",
@ -93,7 +90,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 		{
 			name: "wrong issuer",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					"foo", tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -104,7 +101,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 		{
 			name: "expired",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -115,7 +112,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 		{
 			name: "wrong IAT",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "",
@ -126,7 +123,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 		{
 			name: "wrong acr",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
 					"else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
@ -137,7 +134,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 		{
 			name: "expired auth",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return keySet.NewIDToken(
+				return tu.NewIDToken(
 					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
 					tu.ValidExpiration, tu.ValidAuthTime.Add(-time.Hour), tu.ValidNonce,
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",