chore(linting): apply gofumpt & goimports to all .go files (#225)

pkg/client/client.go

@@ -15,20 +15,17 @@ import (
 	"github.com/zitadel/oidc/pkg/oidc"
 )
 
-var (
-	Encoder = func() httphelper.Encoder {
-		e := schema.NewEncoder()
-		e.RegisterEncoder(oidc.SpaceDelimitedArray{}, func(value reflect.Value) string {
-			return value.Interface().(oidc.SpaceDelimitedArray).Encode()
-		})
-		return e
-	}()
-)
+var Encoder = func() httphelper.Encoder {
+	e := schema.NewEncoder()
+	e.RegisterEncoder(oidc.SpaceDelimitedArray{}, func(value reflect.Value) string {
+		return value.Interface().(oidc.SpaceDelimitedArray).Encode()
+	})
+	return e
+}()
 
-//Discover calls the discovery endpoint of the provided issuer and returns its configuration
-//It accepts an optional argument "wellknownUrl" which can be used to overide the dicovery endpoint url
+// Discover calls the discovery endpoint of the provided issuer and returns its configuration
+// It accepts an optional argument "wellknownUrl" which can be used to overide the dicovery endpoint url
 func Discover(issuer string, httpClient *http.Client, wellKnownUrl ...string) (*oidc.DiscoveryConfiguration, error) {
-
 	wellKnown := strings.TrimSuffix(issuer, "/") + oidc.DiscoveryEndpoint
 	if len(wellKnownUrl) == 1 && wellKnownUrl[0] != "" {
 		wellKnown = wellKnownUrl[0]

pkg/client/key.go

@@ -14,12 +14,12 @@ type keyFile struct {
 	Type   string `json:"type"` // serviceaccount or application
 	KeyID  string `json:"keyId"`
 	Key    string `json:"key"`
-	Issuer string `json:"issuer"` //not yet in file
+	Issuer string `json:"issuer"` // not yet in file
 
-	//serviceaccount
+	// serviceaccount
 	UserID string `json:"userId"`
 
-	//application
+	// application
 	ClientID string `json:"clientId"`
 }
 

pkg/client/profile/jwt_profile.go

@@ -11,9 +11,9 @@ import (
 	"github.com/zitadel/oidc/pkg/oidc"
 )
 
-//jwtProfileTokenSource implement the oauth2.TokenSource
-//it will request a token using the OAuth2 JWT Profile Grant
-//therefore sending an `assertion` by singing a JWT with the provided private key
+// jwtProfileTokenSource implement the oauth2.TokenSource
+// it will request a token using the OAuth2 JWT Profile Grant
+// therefore sending an `assertion` by singing a JWT with the provided private key
 type jwtProfileTokenSource struct {
 	clientID      string
 	audience      []string

pkg/client/rp/delegation.go

@@ -4,8 +4,8 @@ import (
 	"github.com/zitadel/oidc/pkg/oidc/grants/tokenexchange"
 )
 
-//DelegationTokenRequest is an implementation of TokenExchangeRequest
-//it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
+// DelegationTokenRequest is an implementation of TokenExchangeRequest
+// it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
 //"urn:ietf:params:oauth:token-type:access_token" actor token for an
 //"urn:ietf:params:oauth:token-type:access_token" delegation token
 func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest {

pkg/client/rp/jwks.go

@@ -21,12 +21,12 @@ func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKe
 	return keyset
 }
 
-//SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys
-//and no kid header is set in the JWT
+// SkipRemoteCheck will suppress checking for new remote keys if signature validation fails with cached keys
+// and no kid header is set in the JWT
 //
-//this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and
-//there is only a single remote key
-//please notice that remote keys will then only be fetched if cached keys are empty
+// this might be handy to save some unnecessary round trips in cases where the JWT does not contain a kid header and
+// there is only a single remote key
+// please notice that remote keys will then only be fetched if cached keys are empty
 func SkipRemoteCheck() func(set *remoteKeySet) {
 	return func(set *remoteKeySet) {
 		set.skipRemoteCheck = true
@@ -97,15 +97,15 @@ func (r *remoteKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
 	return r.verifySignatureRemote(ctx, jws, keyID, alg)
 }
 
-//verifySignatureCached checks for a matching key in the cached key list
+// verifySignatureCached checks for a matching key in the cached key list
 //
-//if there is only one possible, it tries to verify the signature and will return the payload if successful
+// if there is only one possible, it tries to verify the signature and will return the payload if successful
 //
-//it only returns an error if signature validation fails and keys exactMatch which is if either:
+// it only returns an error if signature validation fails and keys exactMatch which is if either:
 // - both kid are empty and skipRemoteCheck is set to true
 // - or both (JWT and JWK) kid are equal
 //
-//otherwise it will return no error (so remote keys will be loaded)
+// otherwise it will return no error (so remote keys will be loaded)
 func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID, alg string) ([]byte, error) {
 	keys := r.keysFromCache()
 	if len(keys) == 0 {
@@ -113,7 +113,7 @@ func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID,
 	}
 	key, err := oidc.FindMatchingKey(keyID, oidc.KeyUseSignature, alg, keys...)
 	if err != nil {
-		//no key / multiple found, try with remote keys
+		// no key / multiple found, try with remote keys
 		return nil, nil //nolint:nilerr
 	}
 	payload, err := jws.Verify(&key)
@@ -121,7 +121,7 @@ func (r *remoteKeySet) verifySignatureCached(jws *jose.JSONWebSignature, keyID,
 		return payload, nil
 	}
 	if !r.exactMatch(key.KeyID, keyID) {
-		//no exact key match, try getting better match with remote keys
+		// no exact key match, try getting better match with remote keys
 		return nil, nil
 	}
 	return nil, fmt.Errorf("signature verification failed: %w", err)
@@ -213,11 +213,11 @@ func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey,
 	return keySet.Keys, nil
 }
 
-//jsonWebKeySet is an alias for jose.JSONWebKeySet which ignores unknown key types (kty)
+// jsonWebKeySet is an alias for jose.JSONWebKeySet which ignores unknown key types (kty)
 type jsonWebKeySet jose.JSONWebKeySet
 
-//UnmarshalJSON overrides the default jose.JSONWebKeySet method to ignore any error
-//which might occur because of unknown key types (kty)
+// UnmarshalJSON overrides the default jose.JSONWebKeySet method to ignore any error
+// which might occur because of unknown key types (kty)
 func (k *jsonWebKeySet) UnmarshalJSON(data []byte) (err error) {
 	var raw rawJSONWebKeySet
 	err = json.Unmarshal(data, &raw)

pkg/client/rp/relying_party.go

@@ -23,53 +23,49 @@ const (
 	pkceCode   = "pkce"
 )
 
-var (
-	ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
-)
+var ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
 
-//RelyingParty declares the minimal interface for oidc clients
+// RelyingParty declares the minimal interface for oidc clients
 type RelyingParty interface {
-	//OAuthConfig returns the oauth2 Config
+	// OAuthConfig returns the oauth2 Config
 	OAuthConfig() *oauth2.Config
 
-	//Issuer returns the issuer of the oidc config
+	// Issuer returns the issuer of the oidc config
 	Issuer() string
 
-	//IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
+	// IsPKCE returns if authorization is done using `Authorization Code Flow with Proof Key for Code Exchange (PKCE)`
 	IsPKCE() bool
 
-	//CookieHandler returns a http cookie handler used for various state transfer cookies
+	// CookieHandler returns a http cookie handler used for various state transfer cookies
 	CookieHandler() *httphelper.CookieHandler
 
-	//HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
+	// HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
 	HttpClient() *http.Client
 
-	//IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
+	// IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
 	IsOAuth2Only() bool
 
-	//Signer is used if the relaying party uses the JWT Profile
+	// Signer is used if the relaying party uses the JWT Profile
 	Signer() jose.Signer
 
-	//GetEndSessionEndpoint returns the endpoint to sign out on a IDP
+	// GetEndSessionEndpoint returns the endpoint to sign out on a IDP
 	GetEndSessionEndpoint() string
 
-	//UserinfoEndpoint returns the userinfo
+	// UserinfoEndpoint returns the userinfo
 	UserinfoEndpoint() string
 
-	//IDTokenVerifier returns the verifier interface used for oidc id_token verification
+	// IDTokenVerifier returns the verifier interface used for oidc id_token verification
 	IDTokenVerifier() IDTokenVerifier
-	//ErrorHandler returns the handler used for callback errors
+	// ErrorHandler returns the handler used for callback errors
 
 	ErrorHandler() func(http.ResponseWriter, *http.Request, string, string, string)
 }
 
 type ErrorHandler func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string)
 
-var (
-	DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
-		http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
-	}
-)
+var DefaultErrorHandler ErrorHandler = func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
+	http.Error(w, errorType+": "+errorDesc, http.StatusInternalServerError)
+}
 
 type relyingParty struct {
 	issuer            string
@@ -138,9 +134,9 @@ func (rp *relyingParty) ErrorHandler() func(http.ResponseWriter, *http.Request,
 	return rp.errorHandler
 }
 
-//NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given
-//OAuth2 Config and possible configOptions
-//it will use the AuthURL and TokenURL set in config
+// NewRelyingPartyOAuth creates an (OAuth2) RelyingParty with the given
+// OAuth2 Config and possible configOptions
+// it will use the AuthURL and TokenURL set in config
 func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error) {
 	rp := &relyingParty{
 		oauthConfig: config,
@@ -161,9 +157,9 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
 	return rp, nil
 }
 
-//NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given
-//issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
-//it will run discovery on the provided issuer and use the found endpoints
+// NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given
+// issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
+// it will run discovery on the provided issuer and use the found endpoints
 func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error) {
 	rp := &relyingParty{
 		issuer: issuer,
@@ -197,7 +193,7 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
 	return rp, nil
 }
 
-//Option is the type for providing dynamic options to the relyingParty
+// Option is the type for providing dynamic options to the relyingParty
 type Option func(*relyingParty) error
 
 func WithCustomDiscoveryUrl(url string) Option {
@@ -207,7 +203,7 @@ func WithCustomDiscoveryUrl(url string) Option {
 	}
 }
 
-//WithCookieHandler set a `CookieHandler` for securing the various redirects
+// WithCookieHandler set a `CookieHandler` for securing the various redirects
 func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
 	return func(rp *relyingParty) error {
 		rp.cookieHandler = cookieHandler
@@ -215,9 +211,9 @@ func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
 	}
 }
 
-//WithPKCE sets the RP to use PKCE (oauth2 code challenge)
-//it also sets a `CookieHandler` for securing the various redirects
-//and exchanging the code challenge
+// WithPKCE sets the RP to use PKCE (oauth2 code challenge)
+// it also sets a `CookieHandler` for securing the various redirects
+// and exchanging the code challenge
 func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
 	return func(rp *relyingParty) error {
 		rp.pkce = true
@@ -226,7 +222,7 @@ func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
 	}
 }
 
-//WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
+// WithHTTPClient provides the ability to set an http client to be used for the relaying party and verifier
 func WithHTTPClient(client *http.Client) Option {
 	return func(rp *relyingParty) error {
 		rp.httpClient = client
@@ -297,7 +293,7 @@ func SignerFromKeyAndKeyID(key []byte, keyID string) SignerFromKey {
 	}
 }
 
-//Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
+// Discover calls the discovery endpoint of the provided issuer and returns the found endpoints
 //
 //deprecated: use client.Discover
 func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
@@ -317,7 +313,7 @@ func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
 	return GetEndpoints(discoveryConfig), nil
 }
 
-//AuthURL returns the auth request url
+// AuthURL returns the auth request url
 //(wrapping the oauth2 `AuthCodeURL`)
 func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string {
 	authOpts := make([]oauth2.AuthCodeOption, 0)
@@ -327,8 +323,8 @@ func AuthURL(state string, rp RelyingParty, opts ...AuthURLOpt) string {
 	return rp.OAuthConfig().AuthCodeURL(state, authOpts...)
 }
 
-//AuthURLHandler extends the `AuthURL` method with a http redirect handler
-//including handling setting cookie for secure `state` transfer
+// AuthURLHandler extends the `AuthURL` method with a http redirect handler
+// including handling setting cookie for secure `state` transfer
 func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		opts := make([]AuthURLOpt, 0)
@@ -349,7 +345,7 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty) http.HandlerFunc {
 	}
 }
 
-//GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
+// GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie
 func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (string, error) {
 	codeVerifier := base64.RawURLEncoding.EncodeToString([]byte(uuid.New().String()))
 	if err := rp.CookieHandler().SetCookie(w, pkceCode, codeVerifier); err != nil {
@@ -358,8 +354,8 @@ func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (stri
 	return oidc.NewSHACodeChallenge(codeVerifier), nil
 }
 
-//CodeExchange handles the oauth2 code exchange, extracting and validating the id_token
-//returning it parsed together with the oauth2 tokens (access, refresh)
+// CodeExchange handles the oauth2 code exchange, extracting and validating the id_token
+// returning it parsed together with the oauth2 tokens (access, refresh)
 func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error) {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, rp.HttpClient())
 	codeOpts := make([]oauth2.AuthCodeOption, 0)
@@ -391,9 +387,9 @@ func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...Cod
 
 type CodeExchangeCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty)
 
-//CodeExchangeHandler extends the `CodeExchange` method with a http handler
-//including cookie handling for secure `state` transfer
-//and optional PKCE code verifier checking
+// CodeExchangeHandler extends the `CodeExchange` method with a http handler
+// including cookie handling for secure `state` transfer
+// and optional PKCE code verifier checking
 func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		state, err := tryReadStateCookie(w, r, rp)
@@ -434,9 +430,9 @@ func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.Ha
 
 type CodeExchangeUserinfoCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, provider RelyingParty, info oidc.UserInfo)
 
-//UserinfoCallback wraps the callback function of the CodeExchangeHandler
-//and calls the userinfo endpoint with the access token
-//on success it will pass the userinfo into its callback function as well
+// UserinfoCallback wraps the callback function of the CodeExchangeHandler
+// and calls the userinfo endpoint with the access token
+// on success it will pass the userinfo into its callback function as well
 func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
 	return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty) {
 		info, err := Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.GetSubject(), rp)
@@ -448,7 +444,7 @@ func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
 	}
 }
 
-//Userinfo will call the OIDC Userinfo Endpoint with the provided token
+// Userinfo will call the OIDC Userinfo Endpoint with the provided token
 func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo, error) {
 	req, err := http.NewRequest("GET", rp.UserinfoEndpoint(), nil)
 	if err != nil {
@@ -512,7 +508,7 @@ func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
 
 type AuthURLOpt func() []oauth2.AuthCodeOption
 
-//WithCodeChallenge sets the `code_challenge` params in the auth request
+// WithCodeChallenge sets the `code_challenge` params in the auth request
 func WithCodeChallenge(codeChallenge string) AuthURLOpt {
 	return func() []oauth2.AuthCodeOption {
 		return []oauth2.AuthCodeOption{
@@ -522,7 +518,7 @@ func WithCodeChallenge(codeChallenge string) AuthURLOpt {
 	}
 }
 
-//WithPrompt sets the `prompt` params in the auth request
+// WithPrompt sets the `prompt` params in the auth request
 func WithPrompt(prompt ...string) AuthURLOpt {
 	return func() []oauth2.AuthCodeOption {
 		return []oauth2.AuthCodeOption{
@@ -533,14 +529,14 @@ func WithPrompt(prompt ...string) AuthURLOpt {
 
 type CodeExchangeOpt func() []oauth2.AuthCodeOption
 
-//WithCodeVerifier sets the `code_verifier` param in the token request
+// WithCodeVerifier sets the `code_verifier` param in the token request
 func WithCodeVerifier(codeVerifier string) CodeExchangeOpt {
 	return func() []oauth2.AuthCodeOption {
 		return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("code_verifier", codeVerifier)}
 	}
 }
 
-//WithClientAssertionJWT sets the `client_assertion` param in the token request
+// WithClientAssertionJWT sets the `client_assertion` param in the token request
 func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt {
 	return func() []oauth2.AuthCodeOption {
 		return client.ClientAssertionCodeOptions(clientAssertion)

pkg/client/rp/tockenexchange.go

@@ -8,20 +8,20 @@ import (
 	"github.com/zitadel/oidc/pkg/oidc/grants/tokenexchange"
 )
 
-//TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
+// TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
 type TokenExchangeRP interface {
 	RelyingParty
 
-	//TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
+	// TokenExchange implement the `Token Exchange Grant` exchanging some token for an other
 	TokenExchange(context.Context, *tokenexchange.TokenExchangeRequest) (*oauth2.Token, error)
 }
 
-//DelegationTokenExchangeRP extends the `TokenExchangeRP` interface
-//for the specific `delegation token` request
+// DelegationTokenExchangeRP extends the `TokenExchangeRP` interface
+// for the specific `delegation token` request
 type DelegationTokenExchangeRP interface {
 	TokenExchangeRP
 
-	//DelegationTokenExchange implement the `Token Exchange Grant`
-	//providing an access token in request for a `delegation` token for a given resource / audience
+	// DelegationTokenExchange implement the `Token Exchange Grant`
+	// providing an access token in request for a `delegation` token for a given resource / audience
 	DelegationTokenExchange(context.Context, string, ...tokenexchange.TokenExchangeOption) (*oauth2.Token, error)
 }

pkg/client/rp/verifier.go

@@ -19,7 +19,7 @@ type IDTokenVerifier interface {
 	MaxAge() time.Duration
 }
 
-//VerifyTokens implement the Token Response Validation as defined in OIDC specification
+// VerifyTokens implement the Token Response Validation as defined in OIDC specification
 //https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
 func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
 	idToken, err := VerifyIDToken(ctx, idTokenString, v)
@@ -32,7 +32,7 @@ func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTo
 	return idToken, nil
 }
 
-//VerifyIDToken validates the id token according to
+// VerifyIDToken validates the id token according to
 //https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
 	claims := oidc.EmptyIDTokenClaims()
@@ -88,7 +88,7 @@ func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.I
 	return claims, nil
 }
 
-//VerifyAccessToken validates the access token according to
+// VerifyAccessToken validates the access token according to
 //https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
 func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
 	if atHash == "" {
@@ -105,8 +105,8 @@ func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAl
 	return nil
 }
 
-//NewIDTokenVerifier returns an implementation of `IDTokenVerifier`
-//for `VerifyTokens` and `VerifyIDToken`
+// NewIDTokenVerifier returns an implementation of `IDTokenVerifier`
+// for `VerifyTokens` and `VerifyIDToken`
 func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) IDTokenVerifier {
 	v := &idTokenVerifier{
 		issuer:   issuer,
@@ -125,46 +125,46 @@ func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...
 	return v
 }
 
-//VerifierOption is the type for providing dynamic options to the IDTokenVerifier
+// VerifierOption is the type for providing dynamic options to the IDTokenVerifier
 type VerifierOption func(*idTokenVerifier)
 
-//WithIssuedAtOffset mitigates the risk of iat to be in the future
-//because of clock skews with the ability to add an offset to the current time
+// WithIssuedAtOffset mitigates the risk of iat to be in the future
+// because of clock skews with the ability to add an offset to the current time
 func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier) {
 	return func(v *idTokenVerifier) {
 		v.offset = offset
 	}
 }
 
-//WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
+// WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
 func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier) {
 	return func(v *idTokenVerifier) {
 		v.maxAge = maxAge
 	}
 }
 
-//WithNonce sets the function to check the nonce
+// WithNonce sets the function to check the nonce
 func WithNonce(nonce func(context.Context) string) VerifierOption {
 	return func(v *idTokenVerifier) {
 		v.nonce = nonce
 	}
 }
 
-//WithACRVerifier sets the verifier for the acr claim
+// WithACRVerifier sets the verifier for the acr claim
 func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption {
 	return func(v *idTokenVerifier) {
 		v.acr = verifier
 	}
 }
 
-//WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
+// WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
 func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption {
 	return func(v *idTokenVerifier) {
 		v.maxAge = maxAge
 	}
 }
 
-//WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm
+// WithSupportedSigningAlgorithms overwrites the default RS256 signing algorithm
 func WithSupportedSigningAlgorithms(algs ...string) VerifierOption {
 	return func(v *idTokenVerifier) {
 		v.supportedSignAlgs = algs

pkg/client/rs/resource_server.go

@@ -43,6 +43,7 @@ func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, o
 	}
 	return newResourceServer(issuer, authorizer, option...)
 }
+
 func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
 	signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
 	if err != nil {
@@ -91,14 +92,14 @@ func NewResourceServerFromKeyFile(issuer, path string, options ...Option) (Resou
 
 type Option func(*resourceServer)
 
-//WithClient provides the ability to set an http client to be used for the resource server
+// WithClient provides the ability to set an http client to be used for the resource server
 func WithClient(client *http.Client) Option {
 	return func(server *resourceServer) {
 		server.httpClient = client
 	}
 }
 
-//WithStaticEndpoints provides the ability to set static token and introspect URL
+// WithStaticEndpoints provides the ability to set static token and introspect URL
 func WithStaticEndpoints(tokenURL, introspectURL string) Option {
 	return func(server *resourceServer) {
 		server.tokenURL = tokenURL