some comments

example/server/internal/client.go

@@ -44,7 +44,7 @@ func (c *Client) RedirectURIs() []string {
 	return c.redirectURIs
 }
 
-//PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for signouts
+//PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for sign-outs
 func (c *Client) PostLogoutRedirectURIs() []string {
 	return []string{}
 }
@@ -160,7 +160,7 @@ func NativeClient(id string, redirectURIs ...string) *Client {
 	}
 }
 
-//WebClient will create a client of type web, which will always use PKCE and allow the use of refresh tokens
+//WebClient will create a client of type web, which will always use Basic Auth and allow the use of refresh tokens
 //user-defined redirectURIs may include:
 // - http://localhost with port specification (e.g. http://localhost:9999/auth/callback)
 //(the example will be used as default, if none is provided)

example/server/internal/storage.go

@@ -379,6 +379,9 @@ func (s *storage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID string)
 		return nil, fmt.Errorf("user not found")
 	}
 	key, ok := service.keys[keyID]
+	if !ok {
+		return nil, fmt.Errorf("key not found")
+	}
 	return &jose.JSONWebKey{
 		KeyID: keyID,
 		Use:   "sig",

example/server/op.go

@@ -30,8 +30,13 @@ func init() {
 func main() {
 	ctx := context.Background()
 
+	//this will allow us to use an issuer with http:// instead of https://
 	os.Setenv(op.OidcDevMode, "true")
+
 	port := "9998"
+
+	//the OpenID Provider requires a 32-byte key for (token) encryption
+	//be sure to create a proper crypto random key and manage it securely!
 	key := sha256.Sum256([]byte("test"))
 
 	router := mux.NewRouter()