feat(op): dynamic issuer depending on request / host

BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, where every function can read it from if necessary. This results in some fundamental changes: - `Configuration` interface: - `Issuer() string` has been changed to `IssuerFromRequest(r *http.Request) string` - `Insecure() bool` has been added - OpenIDProvider interface and dependants: - `Issuer` has been removed from Config struct - `NewOpenIDProvider` now takes an additional parameter `issuer` and returns a pointer to the public/default implementation and not an OpenIDProvider interface: `NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)` changed to `NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)` - therefore the parameter type Option changed to the public type as well: `Option func(o *Provider) error` - `AuthCallbackURL(o OpenIDProvider) func(string) string` has been changed to `AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string` - `IDTokenHintVerifier() IDTokenHintVerifier` (Authorizer, OpenIDProvider, SessionEnder interfaces), `AccessTokenVerifier() AccessTokenVerifier` (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and `JWTProfileVerifier() JWTProfileVerifier` (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter `IDTokenHintVerifier(context.Context) IDTokenHintVerifier`, `AccessTokenVerifier(context.Context) AccessTokenVerifier` and `JWTProfileVerifier(context.Context) JWTProfileVerifier` - `OidcDevMode` (CAOS_OIDC_DEV) environment variable check has been removed, use `WithAllowInsecure()` Option - Signing: the signer is not kept in memory anymore, but created on request from the loaded key: - `Signer` interface and func `NewSigner` have been removed - `ReadySigner(s Signer) ProbesFn` has been removed - `CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration` has been changed to `CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration` - `Storage` interface: - `GetSigningKey(context.Context, chan<- jose.SigningKey)` has been changed to `SigningKey(context.Context) (SigningKey, error)` - `KeySet(context.Context) ([]Key, error)` has been added - `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)` - `SigAlgorithms(s Signer) []string` has been changed to `SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string` - KeyProvider interface: `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)` - `CreateIDToken`: the Signer parameter has been removed
2022-04-19 14:33:07 +02:00 · 2022-04-19 14:33:07 +02:00 · a27ba09872
commit a27ba09872
parent 885fe0d45c
33 changed files with 1504 additions and 657 deletions
--- a/pkg/op/mock/authorizer.mock.go
+++ b/pkg/op/mock/authorizer.mock.go
@ -5,6 +5,7 @@
 package mock

 import (
+	context "context"
 	reflect "reflect"

 	http "github.com/caos/oidc/pkg/http"
@ -78,31 +79,17 @@ func (mr *MockAuthorizerMockRecorder) Encoder() *gomock.Call {
 }

 // IDTokenHintVerifier mocks base method.
-func (m *MockAuthorizer) IDTokenHintVerifier() op.IDTokenHintVerifier {
+func (m *MockAuthorizer) IDTokenHintVerifier(arg0 context.Context) op.IDTokenHintVerifier {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "IDTokenHintVerifier")
+	ret := m.ctrl.Call(m, "IDTokenHintVerifier", arg0)
 	ret0, _ := ret[0].(op.IDTokenHintVerifier)
 	return ret0
 }

 // IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier.
-func (mr *MockAuthorizerMockRecorder) IDTokenHintVerifier() *gomock.Call {
+func (mr *MockAuthorizerMockRecorder) IDTokenHintVerifier(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenHintVerifier", reflect.TypeOf((*MockAuthorizer)(nil).IDTokenHintVerifier))
-}
-
-// Issuer mocks base method.
-func (m *MockAuthorizer) Issuer() string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Issuer")
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// Issuer indicates an expected call of Issuer.
-func (mr *MockAuthorizerMockRecorder) Issuer() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockAuthorizer)(nil).Issuer))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenHintVerifier", reflect.TypeOf((*MockAuthorizer)(nil).IDTokenHintVerifier), arg0)
 }

 // RequestObjectSupported mocks base method.
@ -119,20 +106,6 @@ func (mr *MockAuthorizerMockRecorder) RequestObjectSupported() *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RequestObjectSupported", reflect.TypeOf((*MockAuthorizer)(nil).RequestObjectSupported))
 }

-// Signer mocks base method.
-func (m *MockAuthorizer) Signer() op.Signer {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Signer")
-	ret0, _ := ret[0].(op.Signer)
-	return ret0
-}
-
-// Signer indicates an expected call of Signer.
-func (mr *MockAuthorizerMockRecorder) Signer() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockAuthorizer)(nil).Signer))
-}
-
 // Storage mocks base method.
 func (m *MockAuthorizer) Storage() op.Storage {
 	m.ctrl.T.Helper()
--- a/pkg/op/mock/authorizer.mock.impl.go
+++ b/pkg/op/mock/authorizer.mock.impl.go
@ -20,7 +20,7 @@ func NewAuthorizerExpectValid(t *testing.T, wantErr bool) op.Authorizer {
 	m := NewAuthorizer(t)
 	ExpectDecoder(m)
 	ExpectEncoder(m)
-	ExpectSigner(m, t)
+	//ExpectSigner(m, t)
 	ExpectStorage(m, t)
 	ExpectVerifier(m, t)
 	// ExpectErrorHandler(m, t, wantErr)
@ -47,17 +47,18 @@ func ExpectEncoder(a op.Authorizer) {
 	mockA.EXPECT().Encoder().AnyTimes().Return(schema.NewEncoder())
 }

-func ExpectSigner(a op.Authorizer, t *testing.T) {
-	mockA := a.(*MockAuthorizer)
-	mockA.EXPECT().Signer().DoAndReturn(
-		func() op.Signer {
-			return &Sig{}
-		})
-}
+//
+//func ExpectSigner(a op.Authorizer, t *testing.T) {
+//	mockA := a.(*MockAuthorizer)
+//	mockA.EXPECT().Signer().DoAndReturn(
+//		func() op.Signer {
+//			return &Sig{}
+//		})
+//}

 func ExpectVerifier(a op.Authorizer, t *testing.T) {
 	mockA := a.(*MockAuthorizer)
-	mockA.EXPECT().IDTokenHintVerifier().DoAndReturn(
+	mockA.EXPECT().IDTokenHintVerifier(gomock.Any()).DoAndReturn(
 		func() op.IDTokenHintVerifier {
 			return op.NewIDTokenHintVerifier("", nil)
 		})
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@ -5,6 +5,7 @@
 package mock

 import (
+	http "net/http"
 	reflect "reflect"

 	op "github.com/caos/oidc/pkg/op"
@ -147,6 +148,20 @@ func (mr *MockConfigurationMockRecorder) GrantTypeTokenExchangeSupported() *gomo
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeTokenExchangeSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeTokenExchangeSupported))
 }

+// Insecure mocks base method.
+func (m *MockConfiguration) Insecure() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Insecure")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// Insecure indicates an expected call of Insecure.
+func (mr *MockConfigurationMockRecorder) Insecure() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Insecure", reflect.TypeOf((*MockConfiguration)(nil).Insecure))
+}
+
 // IntrospectionAuthMethodPrivateKeyJWTSupported mocks base method.
 func (m *MockConfiguration) IntrospectionAuthMethodPrivateKeyJWTSupported() bool {
 	m.ctrl.T.Helper()
@ -189,18 +204,18 @@ func (mr *MockConfigurationMockRecorder) IntrospectionEndpointSigningAlgorithmsS
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntrospectionEndpointSigningAlgorithmsSupported", reflect.TypeOf((*MockConfiguration)(nil).IntrospectionEndpointSigningAlgorithmsSupported))
 }

-// Issuer mocks base method.
-func (m *MockConfiguration) Issuer() string {
+// IssuerFromRequest mocks base method.
+func (m *MockConfiguration) IssuerFromRequest(arg0 *http.Request) string {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Issuer")
+	ret := m.ctrl.Call(m, "IssuerFromRequest", arg0)
 	ret0, _ := ret[0].(string)
 	return ret0
 }

-// Issuer indicates an expected call of Issuer.
-func (mr *MockConfigurationMockRecorder) Issuer() *gomock.Call {
+// IssuerFromRequest indicates an expected call of IssuerFromRequest.
+func (mr *MockConfigurationMockRecorder) IssuerFromRequest(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockConfiguration)(nil).Issuer))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssuerFromRequest", reflect.TypeOf((*MockConfiguration)(nil).IssuerFromRequest), arg0)
 }

 // KeysEndpoint mocks base method.
--- a/pkg/op/mock/generate.go
+++ b/pkg/op/mock/generate.go
@ -4,5 +4,6 @@ package mock
 //go:generate mockgen -package mock -destination ./authorizer.mock.go github.com/caos/oidc/pkg/op Authorizer
 //go:generate mockgen -package mock -destination ./client.mock.go github.com/caos/oidc/pkg/op Client
 //go:generate mockgen -package mock -destination ./configuration.mock.go github.com/caos/oidc/pkg/op Configuration
-//go:generate mockgen -package mock -destination ./signer.mock.go github.com/caos/oidc/pkg/op Signer
+//go:generate mockgen -package mock -destination ./discovery.mock.go github.com/caos/oidc/pkg/op DiscoverStorage
+//go:generate mockgen -package mock -destination ./signer.mock.go github.com/caos/oidc/pkg/op SigningKey,Key
 //go:generate mockgen -package mock -destination ./key.mock.go github.com/caos/oidc/pkg/op KeyProvider
--- a/pkg/op/mock/key.mock.go
+++ b/pkg/op/mock/key.mock.go
@ -8,8 +8,8 @@ import (
 	context "context"
 	reflect "reflect"

+	op "github.com/caos/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	jose "gopkg.in/square/go-jose.v2"
 )

 // MockKeyProvider is a mock of KeyProvider interface.
@ -35,17 +35,17 @@ func (m *MockKeyProvider) EXPECT() *MockKeyProviderMockRecorder {
 	return m.recorder
 }

-// GetKeySet mocks base method.
-func (m *MockKeyProvider) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, error) {
+// KeySet mocks base method.
+func (m *MockKeyProvider) KeySet(arg0 context.Context) ([]op.Key, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetKeySet", arg0)
-	ret0, _ := ret[0].(*jose.JSONWebKeySet)
+	ret := m.ctrl.Call(m, "KeySet", arg0)
+	ret0, _ := ret[0].([]op.Key)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }

-// GetKeySet indicates an expected call of GetKeySet.
-func (mr *MockKeyProviderMockRecorder) GetKeySet(arg0 interface{}) *gomock.Call {
+// KeySet indicates an expected call of KeySet.
+func (mr *MockKeyProviderMockRecorder) KeySet(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeySet", reflect.TypeOf((*MockKeyProvider)(nil).GetKeySet), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeySet", reflect.TypeOf((*MockKeyProvider)(nil).KeySet), arg0)
 }
--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@ -1,56 +1,55 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/caos/oidc/pkg/op (interfaces: Signer)
+// Source: github.com/caos/oidc/pkg/op (interfaces: SigningKey,Key)

 // Package mock is a generated GoMock package.
 package mock

 import (
-	context "context"
 	reflect "reflect"

 	gomock "github.com/golang/mock/gomock"
 	jose "gopkg.in/square/go-jose.v2"
 )

-// MockSigner is a mock of Signer interface.
-type MockSigner struct {
+// MockSigningKey is a mock of SigningKey interface.
+type MockSigningKey struct {
 	ctrl     *gomock.Controller
-	recorder *MockSignerMockRecorder
+	recorder *MockSigningKeyMockRecorder
 }

-// MockSignerMockRecorder is the mock recorder for MockSigner.
-type MockSignerMockRecorder struct {
-	mock *MockSigner
+// MockSigningKeyMockRecorder is the mock recorder for MockSigningKey.
+type MockSigningKeyMockRecorder struct {
+	mock *MockSigningKey
 }

-// NewMockSigner creates a new mock instance.
-func NewMockSigner(ctrl *gomock.Controller) *MockSigner {
-	mock := &MockSigner{ctrl: ctrl}
-	mock.recorder = &MockSignerMockRecorder{mock}
+// NewMockSigningKey creates a new mock instance.
+func NewMockSigningKey(ctrl *gomock.Controller) *MockSigningKey {
+	mock := &MockSigningKey{ctrl: ctrl}
+	mock.recorder = &MockSigningKeyMockRecorder{mock}
 	return mock
 }

 // EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockSigner) EXPECT() *MockSignerMockRecorder {
+func (m *MockSigningKey) EXPECT() *MockSigningKeyMockRecorder {
 	return m.recorder
 }

-// Health mocks base method.
-func (m *MockSigner) Health(arg0 context.Context) error {
+// Key mocks base method.
+func (m *MockSigningKey) Key() interface{} {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Health", arg0)
-	ret0, _ := ret[0].(error)
+	ret := m.ctrl.Call(m, "Key")
+	ret0, _ := ret[0].(interface{})
 	return ret0
 }

-// Health indicates an expected call of Health.
-func (mr *MockSignerMockRecorder) Health(arg0 interface{}) *gomock.Call {
+// Key indicates an expected call of Key.
+func (mr *MockSigningKeyMockRecorder) Key() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockSigner)(nil).Health), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Key", reflect.TypeOf((*MockSigningKey)(nil).Key))
 }

 // SignatureAlgorithm mocks base method.
-func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
+func (m *MockSigningKey) SignatureAlgorithm() jose.SignatureAlgorithm {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SignatureAlgorithm")
 	ret0, _ := ret[0].(jose.SignatureAlgorithm)
@ -58,21 +57,86 @@ func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
 }

 // SignatureAlgorithm indicates an expected call of SignatureAlgorithm.
-func (mr *MockSignerMockRecorder) SignatureAlgorithm() *gomock.Call {
+func (mr *MockSigningKeyMockRecorder) SignatureAlgorithm() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SignatureAlgorithm", reflect.TypeOf((*MockSigner)(nil).SignatureAlgorithm))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SignatureAlgorithm", reflect.TypeOf((*MockSigningKey)(nil).SignatureAlgorithm))
 }

-// Signer mocks base method.
-func (m *MockSigner) Signer() jose.Signer {
+// MockKey is a mock of Key interface.
+type MockKey struct {
+	ctrl     *gomock.Controller
+	recorder *MockKeyMockRecorder
+}
+
+// MockKeyMockRecorder is the mock recorder for MockKey.
+type MockKeyMockRecorder struct {
+	mock *MockKey
+}
+
+// NewMockKey creates a new mock instance.
+func NewMockKey(ctrl *gomock.Controller) *MockKey {
+	mock := &MockKey{ctrl: ctrl}
+	mock.recorder = &MockKeyMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockKey) EXPECT() *MockKeyMockRecorder {
+	return m.recorder
+}
+
+// Algorithm mocks base method.
+func (m *MockKey) Algorithm() jose.SignatureAlgorithm {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Signer")
-	ret0, _ := ret[0].(jose.Signer)
+	ret := m.ctrl.Call(m, "Algorithm")
+	ret0, _ := ret[0].(jose.SignatureAlgorithm)
 	return ret0
 }

-// Signer indicates an expected call of Signer.
-func (mr *MockSignerMockRecorder) Signer() *gomock.Call {
+// Algorithm indicates an expected call of Algorithm.
+func (mr *MockKeyMockRecorder) Algorithm() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockSigner)(nil).Signer))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Algorithm", reflect.TypeOf((*MockKey)(nil).Algorithm))
+}
+
+// ID mocks base method.
+func (m *MockKey) ID() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ID")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// ID indicates an expected call of ID.
+func (mr *MockKeyMockRecorder) ID() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ID", reflect.TypeOf((*MockKey)(nil).ID))
+}
+
+// Key mocks base method.
+func (m *MockKey) Key() interface{} {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Key")
+	ret0, _ := ret[0].(interface{})
+	return ret0
+}
+
+// Key indicates an expected call of Key.
+func (mr *MockKeyMockRecorder) Key() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Key", reflect.TypeOf((*MockKey)(nil).Key))
+}
+
+// Use mocks base method.
+func (m *MockKey) Use() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Use")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// Use indicates an expected call of Use.
+func (mr *MockKeyMockRecorder) Use() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Use", reflect.TypeOf((*MockKey)(nil).Use))
 }
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -174,21 +174,6 @@ func (mr *MockStorageMockRecorder) GetKeyByIDAndUserID(arg0, arg1, arg2 interfac
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeyByIDAndUserID", reflect.TypeOf((*MockStorage)(nil).GetKeyByIDAndUserID), arg0, arg1, arg2)
 }

-// GetKeySet mocks base method.
-func (m *MockStorage) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetKeySet", arg0)
-	ret0, _ := ret[0].(*jose.JSONWebKeySet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetKeySet indicates an expected call of GetKeySet.
-func (mr *MockStorageMockRecorder) GetKeySet(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeySet", reflect.TypeOf((*MockStorage)(nil).GetKeySet), arg0)
-}
-
 // GetPrivateClaimsFromScopes mocks base method.
 func (m *MockStorage) GetPrivateClaimsFromScopes(arg0 context.Context, arg1, arg2 string, arg3 []string) (map[string]interface{}, error) {
 	m.ctrl.T.Helper()
@ -204,18 +189,6 @@ func (mr *MockStorageMockRecorder) GetPrivateClaimsFromScopes(arg0, arg1, arg2,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPrivateClaimsFromScopes", reflect.TypeOf((*MockStorage)(nil).GetPrivateClaimsFromScopes), arg0, arg1, arg2, arg3)
 }

-// GetSigningKey mocks base method.
-func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "GetSigningKey", arg0, arg1)
-}
-
-// GetSigningKey indicates an expected call of GetSigningKey.
-func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1)
-}
-
 // Health mocks base method.
 func (m *MockStorage) Health(arg0 context.Context) error {
 	m.ctrl.T.Helper()
@ -230,6 +203,21 @@ func (mr *MockStorageMockRecorder) Health(arg0 interface{}) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockStorage)(nil).Health), arg0)
 }

+// KeySet mocks base method.
+func (m *MockStorage) KeySet(arg0 context.Context) ([]op.Key, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "KeySet", arg0)
+	ret0, _ := ret[0].([]op.Key)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// KeySet indicates an expected call of KeySet.
+func (mr *MockStorageMockRecorder) KeySet(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeySet", reflect.TypeOf((*MockStorage)(nil).KeySet), arg0)
+}
+
 // RevokeToken mocks base method.
 func (m *MockStorage) RevokeToken(arg0 context.Context, arg1, arg2, arg3 string) *oidc.Error {
 	m.ctrl.T.Helper()
@ -300,6 +288,36 @@ func (mr *MockStorageMockRecorder) SetUserinfoFromToken(arg0, arg1, arg2, arg3,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).SetUserinfoFromToken), arg0, arg1, arg2, arg3, arg4)
 }

+// SignatureAlgorithms mocks base method.
+func (m *MockStorage) SignatureAlgorithms(arg0 context.Context) ([]jose.SignatureAlgorithm, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SignatureAlgorithms", arg0)
+	ret0, _ := ret[0].([]jose.SignatureAlgorithm)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SignatureAlgorithms indicates an expected call of SignatureAlgorithms.
+func (mr *MockStorageMockRecorder) SignatureAlgorithms(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SignatureAlgorithms", reflect.TypeOf((*MockStorage)(nil).SignatureAlgorithms), arg0)
+}
+
+// SigningKey mocks base method.
+func (m *MockStorage) SigningKey(arg0 context.Context) (op.SigningKey, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SigningKey", arg0)
+	ret0, _ := ret[0].(op.SigningKey)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SigningKey indicates an expected call of SigningKey.
+func (mr *MockStorageMockRecorder) SigningKey(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SigningKey", reflect.TypeOf((*MockStorage)(nil).SigningKey), arg0)
+}
+
 // TerminateSession mocks base method.
 func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
--- a/pkg/op/mock/storage.mock.impl.go
+++ b/pkg/op/mock/storage.mock.impl.go
@ -3,11 +3,10 @@ package mock
 import (
 	"context"
 	"errors"
-	"github.com/caos/oidc/pkg/oidc"
 	"testing"
 	"time"

-	"gopkg.in/square/go-jose.v2"
+	"github.com/caos/oidc/pkg/oidc"

 	"github.com/golang/mock/gomock"

@ -40,12 +39,12 @@ func NewMockStorageAny(t *testing.T) op.Storage {

 func NewMockStorageSigningKeyInvalid(t *testing.T) op.Storage {
 	m := NewStorage(t)
-	ExpectSigningKeyInvalid(m)
+	//ExpectSigningKeyInvalid(m)
 	return m
 }
 func NewMockStorageSigningKey(t *testing.T) op.Storage {
 	m := NewStorage(t)
-	ExpectSigningKey(m)
+	//ExpectSigningKey(m)
 	return m
 }

@ -83,23 +82,24 @@ func ExpectValidClientID(s op.Storage) {
 		})
 }

-func ExpectSigningKeyInvalid(s op.Storage) {
-	mockS := s.(*MockStorage)
-	mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
-		func(_ context.Context, keyCh chan<- jose.SigningKey) {
-			keyCh <- jose.SigningKey{}
-		},
-	)
-}
-
-func ExpectSigningKey(s op.Storage) {
-	mockS := s.(*MockStorage)
-	mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
-		func(_ context.Context, keyCh chan<- jose.SigningKey) {
-			keyCh <- jose.SigningKey{Algorithm: jose.HS256, Key: []byte("key")}
-		},
-	)
-}
+//
+//func ExpectSigningKeyInvalid(s op.Storage) {
+//	mockS := s.(*MockStorage)
+//	mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
+//		func(_ context.Context, keyCh chan<- jose.SigningKey) {
+//			keyCh <- jose.SigningKey{}
+//		},
+//	)
+//}
+//
+//func ExpectSigningKey(s op.Storage) {
+//	mockS := s.(*MockStorage)
+//	mockS.EXPECT().GetSigningKey(gomock.Any(), gomock.Any()).DoAndReturn(
+//		func(_ context.Context, keyCh chan<- jose.SigningKey) {
+//			keyCh <- jose.SigningKey{Algorithm: jose.HS256, Key: []byte("key")}
+//		},
+//	)
+//}

 type ConfClient struct {
 	id              string