Merge pull request #97 from caos/refresh-token

feat: refresh token
2021-05-12 08:44:58 +02:00 · 2021-05-12 08:44:58 +02:00 · cd44ff0982
commit cd44ff0982
parent d4c1f1253c d362dd7546
20 changed files with 824 additions and 429 deletions
--- a/example/internal/mock/storage.go
+++ b/example/internal/mock/storage.go
@ -95,6 +95,8 @@ func (a *AuthRequest) GetScopes() []string {
 	}
 }
 func (a *AuthRequest) SetCurrentScopes(scopes oidc.Scopes) {}
 func (a *AuthRequest) GetState() string {
 	return ""
 }
@ -151,9 +153,19 @@ func (s *AuthStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequ
 	}
 	return a, nil
 }
-func (s *AuthStorage) CreateToken(_ context.Context, authReq op.TokenRequest) (string, time.Time, error) {
+func (s *AuthStorage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error) {
 	return "id", time.Now().UTC().Add(5 * time.Minute), nil
 }
 func (s *AuthStorage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error) {
 	return "id", "refreshToken", time.Now().UTC().Add(5 * time.Minute), nil
 }
 func (s *AuthStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error) {
 	if refreshToken != c {
 		return nil, errors.New("invalid token")
 	}
 	return a, nil
 }
 func (s *AuthStorage) TerminateSession(_ context.Context, userID, clientID string) error {
 	return nil
 }
--- a/go.sum
+++ b/go.sum
@ -12,50 +12,70 @@ cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bP
 cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
 cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
 cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0 h1:/May9ojXjRkPBNVrq+oWLqmWCkr4OU5uRY29bu0mRyQ=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/pubsub v1.3.1 h1:ukjixP1wl0LpnZ6LWtZJ0mX5tBmjp1f8Sqer8Z2OMUU=
 cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9 h1:VpgP7xuJadIUuKccphEpTJnWhS2jkQyMt6Y7pJCD7fY=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802 h1:1BDTz0u9nC3//pOCMdNH+CiXJVYJh5UQNCOBG7jbELc=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
 github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
 github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrCgN8fCq8E5Xuty6jGbmSNEvSsU=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELBIYWeBVh6wn+E=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1 h1:QbL/5oDUmRBzO9/Z7Seo6zf912W/a6Sr4Eu0G/3Jho0=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4 h1:WtGNWLvXpe6ZudgnXrq0barxBImvnnJoMEhXAzcbM0I=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@ -81,6 +101,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@ -95,7 +116,9 @@ github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6C
 github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0 h1:pMen7vLs8nvgEYhywH3KDWJIJTeEr2ULsVWHWYHQyBs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@ -103,11 +126,14 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99 h1:Ak8CrdlwwXwAZxzS66vgPt4U8yUZX7JwLvVR58FN5jM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
@ -118,14 +144,21 @@ github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlI
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@ -133,12 +166,15 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0 h1:RR9dF3JtopPvtkroDZuVD7qquD0bnHlKSqaQhgwt8yk=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@ -146,11 +182,13 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32 h1:5tjfNdR2ki3yYQ842+eX2sQHeiwpKJ0RnHO4IYOc4V8=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4 h1:LYy1Hy3MJdrCdMwwzxA/dRok4ejH+RwNGbuoD9fCjto=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -167,8 +205,10 @@ golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b h1:+qEpEAPhDZ1o0x3tHzZTQDArnOixOzGD9HUJfcg0mb4=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@ -179,14 +219,17 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG1In4gJY5YRhtpDNeDeHWs=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -230,6 +273,7 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -269,6 +313,7 @@ golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -309,6 +354,7 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d h1:W07d4xkoAUSNOkOzdzXCdFGxT7o2rW4q8M34tB2i//k=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -330,6 +376,7 @@ google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/
 google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0 h1:yfrXXP61wVuLb0vBcG6qaOoIoqYEzOQS8jum51jkv2w=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -366,6 +413,7 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 h1:PDIOdWxZ8eRizhKa1AAvY53xsvLB1cWorMjslvY3VA8=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@ -378,6 +426,7 @@ google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@ -394,6 +443,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0 h1:0vLT13EuvQ0hNvakwLuFZ/jYrLp5F3kcWHXdRggjCE8=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@ -408,7 +458,11 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/pkg/client/rp/relaying_party.go
+++ b/pkg/client/rp/relaying_party.go
@ -165,7 +165,6 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
 			return nil, err
 		}
 	}
 	endpoints, err := Discover(rp.issuer, rp.httpClient)
 	if err != nil {
 		return nil, err
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -10,6 +10,9 @@ const (
 	//GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
 	GrantTypeCode GrantType = "authorization_code"
 	//GrantTypeCode defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow
 	GrantTypeRefreshToken GrantType = "refresh_token"
 	//GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
 	GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
@ -44,6 +47,39 @@ func (a *AccessTokenRequest) GrantType() GrantType {
 	return GrantTypeCode
 }
 //SetClientID implements op.AuthenticatedTokenRequest
 func (a *AccessTokenRequest) SetClientID(clientID string) {
 	a.ClientID = clientID
 }
 //SetClientSecret implements op.AuthenticatedTokenRequest
 func (a *AccessTokenRequest) SetClientSecret(clientSecret string) {
 	a.ClientSecret = clientSecret
 }
 type RefreshTokenRequest struct {
 	RefreshToken        string `schema:"refresh_token"`
 	Scopes              Scopes `schema:"scope"`
 	ClientID            string `schema:"client_id"`
 	ClientSecret        string `schema:"client_secret"`
 	ClientAssertion     string `schema:"client_assertion"`
 	ClientAssertionType string `schema:"client_assertion_type"`
 }
 func (a *RefreshTokenRequest) GrantType() GrantType {
 	return GrantTypeRefreshToken
 }
 //SetClientID implements op.AuthenticatedTokenRequest
 func (a *RefreshTokenRequest) SetClientID(clientID string) {
 	a.ClientID = clientID
 }
 //SetClientSecret implements op.AuthenticatedTokenRequest
 func (a *RefreshTokenRequest) SetClientSecret(clientSecret string) {
 	a.ClientSecret = clientSecret
 }
 type JWTTokenRequest struct {
 	Issuer    string   `json:"iss"`
 	Subject   string   `json:"sub"`
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@ -91,7 +91,7 @@ func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 	RedirectToLogin(req.GetID(), client, w, r)
 }
-//ParseAuthorizeRequest parsed the http request into a AuthRequest
+//ParseAuthorizeRequest parsed the http request into a oidc.AuthRequest
 func ParseAuthorizeRequest(r *http.Request, decoder utils.Decoder) (*oidc.AuthRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
@ -299,7 +299,7 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
 //AuthResponseToken creates the successful token(s) authentication response
 func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client) {
 	createAccessToken := authReq.GetResponseType() != oidc.ResponseTypeIDTokenOnly
-	resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "")
+	resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "", "")
 	if err != nil {
 		AuthRequestError(w, r, authReq, err, authorizer.Encoder())
 		return
@ -325,6 +325,7 @@ func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Sto
 	return code, nil
 }
 //BuildAuthRequestCode builds the string representation of the auth code
 func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error) {
 	return crypto.Encrypt(authReq.GetID())
 }
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
--- a/pkg/op/mock/authorizer.mock.go
+++ b/pkg/op/mock/authorizer.mock.go
@ -5,36 +5,37 @@
 package mock
 import (
 	reflect "reflect"
 	op "github.com/caos/oidc/pkg/op"
 	utils "github.com/caos/oidc/pkg/utils"
 	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
 )
-// MockAuthorizer is a mock of Authorizer interface
+// MockAuthorizer is a mock of Authorizer interface.
 type MockAuthorizer struct {
 	ctrl     *gomock.Controller
 	recorder *MockAuthorizerMockRecorder
 }
-// MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer
+// MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer.
 type MockAuthorizerMockRecorder struct {
 	mock *MockAuthorizer
 }
-// NewMockAuthorizer creates a new mock instance
+// NewMockAuthorizer creates a new mock instance.
 func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer {
 	mock := &MockAuthorizer{ctrl: ctrl}
 	mock.recorder = &MockAuthorizerMockRecorder{mock}
 	return mock
 }
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder {
 	return m.recorder
 }
-// Crypto mocks base method
+// Crypto mocks base method.
 func (m *MockAuthorizer) Crypto() op.Crypto {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Crypto")
@ -42,13 +43,13 @@ func (m *MockAuthorizer) Crypto() op.Crypto {
 	return ret0
 }
-// Crypto indicates an expected call of Crypto
+// Crypto indicates an expected call of Crypto.
 func (mr *MockAuthorizerMockRecorder) Crypto() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Crypto", reflect.TypeOf((*MockAuthorizer)(nil).Crypto))
 }
-// Decoder mocks base method
+// Decoder mocks base method.
 func (m *MockAuthorizer) Decoder() utils.Decoder {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Decoder")
@ -56,13 +57,13 @@ func (m *MockAuthorizer) Decoder() utils.Decoder {
 	return ret0
 }
-// Decoder indicates an expected call of Decoder
+// Decoder indicates an expected call of Decoder.
 func (mr *MockAuthorizerMockRecorder) Decoder() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decoder", reflect.TypeOf((*MockAuthorizer)(nil).Decoder))
 }
-// Encoder mocks base method
+// Encoder mocks base method.
 func (m *MockAuthorizer) Encoder() utils.Encoder {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Encoder")
@ -70,13 +71,13 @@ func (m *MockAuthorizer) Encoder() utils.Encoder {
 	return ret0
 }
-// Encoder indicates an expected call of Encoder
+// Encoder indicates an expected call of Encoder.
 func (mr *MockAuthorizerMockRecorder) Encoder() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Encoder", reflect.TypeOf((*MockAuthorizer)(nil).Encoder))
 }
-// IDTokenHintVerifier mocks base method
+// IDTokenHintVerifier mocks base method.
 func (m *MockAuthorizer) IDTokenHintVerifier() op.IDTokenHintVerifier {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IDTokenHintVerifier")
@ -84,13 +85,13 @@ func (m *MockAuthorizer) IDTokenHintVerifier() op.IDTokenHintVerifier {
 	return ret0
 }
-// IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier
+// IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier.
 func (mr *MockAuthorizerMockRecorder) IDTokenHintVerifier() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenHintVerifier", reflect.TypeOf((*MockAuthorizer)(nil).IDTokenHintVerifier))
 }
-// Issuer mocks base method
+// Issuer mocks base method.
 func (m *MockAuthorizer) Issuer() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Issuer")
@ -98,13 +99,13 @@ func (m *MockAuthorizer) Issuer() string {
 	return ret0
 }
-// Issuer indicates an expected call of Issuer
+// Issuer indicates an expected call of Issuer.
 func (mr *MockAuthorizerMockRecorder) Issuer() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockAuthorizer)(nil).Issuer))
 }
-// Signer mocks base method
+// Signer mocks base method.
 func (m *MockAuthorizer) Signer() op.Signer {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Signer")
@ -112,13 +113,13 @@ func (m *MockAuthorizer) Signer() op.Signer {
 	return ret0
 }
-// Signer indicates an expected call of Signer
+// Signer indicates an expected call of Signer.
 func (mr *MockAuthorizerMockRecorder) Signer() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockAuthorizer)(nil).Signer))
 }
-// Storage mocks base method
+// Storage mocks base method.
 func (m *MockAuthorizer) Storage() op.Storage {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Storage")
@ -126,7 +127,7 @@ func (m *MockAuthorizer) Storage() op.Storage {
 	return ret0
 }
-// Storage indicates an expected call of Storage
+// Storage indicates an expected call of Storage.
 func (mr *MockAuthorizerMockRecorder) Storage() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Storage", reflect.TypeOf((*MockAuthorizer)(nil).Storage))
--- a/pkg/op/mock/client.mock.go
+++ b/pkg/op/mock/client.mock.go
@ -5,37 +5,38 @@
 package mock
 import (
 	reflect "reflect"
 	time "time"
 	oidc "github.com/caos/oidc/pkg/oidc"
 	op "github.com/caos/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
 	time "time"
 )
-// MockClient is a mock of Client interface
+// MockClient is a mock of Client interface.
 type MockClient struct {
 	ctrl     *gomock.Controller
 	recorder *MockClientMockRecorder
 }
-// MockClientMockRecorder is the mock recorder for MockClient
+// MockClientMockRecorder is the mock recorder for MockClient.
 type MockClientMockRecorder struct {
 	mock *MockClient
 }
-// NewMockClient creates a new mock instance
+// NewMockClient creates a new mock instance.
 func NewMockClient(ctrl *gomock.Controller) *MockClient {
 	mock := &MockClient{ctrl: ctrl}
 	mock.recorder = &MockClientMockRecorder{mock}
 	return mock
 }
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockClient) EXPECT() *MockClientMockRecorder {
 	return m.recorder
 }
-// AccessTokenType mocks base method
+// AccessTokenType mocks base method.
 func (m *MockClient) AccessTokenType() op.AccessTokenType {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AccessTokenType")
@ -43,13 +44,13 @@ func (m *MockClient) AccessTokenType() op.AccessTokenType {
 	return ret0
 }
-// AccessTokenType indicates an expected call of AccessTokenType
+// AccessTokenType indicates an expected call of AccessTokenType.
 func (mr *MockClientMockRecorder) AccessTokenType() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessTokenType", reflect.TypeOf((*MockClient)(nil).AccessTokenType))
 }
-// ApplicationType mocks base method
+// ApplicationType mocks base method.
 func (m *MockClient) ApplicationType() op.ApplicationType {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ApplicationType")
@ -57,13 +58,13 @@ func (m *MockClient) ApplicationType() op.ApplicationType {
 	return ret0
 }
-// ApplicationType indicates an expected call of ApplicationType
+// ApplicationType indicates an expected call of ApplicationType.
 func (mr *MockClientMockRecorder) ApplicationType() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ApplicationType", reflect.TypeOf((*MockClient)(nil).ApplicationType))
 }
-// AuthMethod mocks base method
+// AuthMethod mocks base method.
 func (m *MockClient) AuthMethod() oidc.AuthMethod {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthMethod")
@ -71,13 +72,13 @@ func (m *MockClient) AuthMethod() oidc.AuthMethod {
 	return ret0
 }
-// AuthMethod indicates an expected call of AuthMethod
+// AuthMethod indicates an expected call of AuthMethod.
 func (mr *MockClientMockRecorder) AuthMethod() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethod", reflect.TypeOf((*MockClient)(nil).AuthMethod))
 }
-// ClockSkew mocks base method
+// ClockSkew mocks base method.
 func (m *MockClient) ClockSkew() time.Duration {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ClockSkew")
@ -85,13 +86,13 @@ func (m *MockClient) ClockSkew() time.Duration {
 	return ret0
 }
-// ClockSkew indicates an expected call of ClockSkew
+// ClockSkew indicates an expected call of ClockSkew.
 func (mr *MockClientMockRecorder) ClockSkew() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClockSkew", reflect.TypeOf((*MockClient)(nil).ClockSkew))
 }
-// DevMode mocks base method
+// DevMode mocks base method.
 func (m *MockClient) DevMode() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DevMode")
@ -99,13 +100,13 @@ func (m *MockClient) DevMode() bool {
 	return ret0
 }
-// DevMode indicates an expected call of DevMode
+// DevMode indicates an expected call of DevMode.
 func (mr *MockClientMockRecorder) DevMode() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DevMode", reflect.TypeOf((*MockClient)(nil).DevMode))
 }
-// GetID mocks base method
+// GetID mocks base method.
 func (m *MockClient) GetID() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetID")
@ -113,13 +114,13 @@ func (m *MockClient) GetID() string {
 	return ret0
 }
-// GetID indicates an expected call of GetID
+// GetID indicates an expected call of GetID.
 func (mr *MockClientMockRecorder) GetID() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetID", reflect.TypeOf((*MockClient)(nil).GetID))
 }
-// IDTokenLifetime mocks base method
+// IDTokenLifetime mocks base method.
 func (m *MockClient) IDTokenLifetime() time.Duration {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IDTokenLifetime")
@ -127,13 +128,13 @@ func (m *MockClient) IDTokenLifetime() time.Duration {
 	return ret0
 }
-// IDTokenLifetime indicates an expected call of IDTokenLifetime
+// IDTokenLifetime indicates an expected call of IDTokenLifetime.
 func (mr *MockClientMockRecorder) IDTokenLifetime() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenLifetime", reflect.TypeOf((*MockClient)(nil).IDTokenLifetime))
 }
-// IDTokenUserinfoClaimsAssertion mocks base method
+// IDTokenUserinfoClaimsAssertion mocks base method.
 func (m *MockClient) IDTokenUserinfoClaimsAssertion() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IDTokenUserinfoClaimsAssertion")
@ -141,13 +142,13 @@ func (m *MockClient) IDTokenUserinfoClaimsAssertion() bool {
 	return ret0
 }
-// IDTokenUserinfoClaimsAssertion indicates an expected call of IDTokenUserinfoClaimsAssertion
+// IDTokenUserinfoClaimsAssertion indicates an expected call of IDTokenUserinfoClaimsAssertion.
 func (mr *MockClientMockRecorder) IDTokenUserinfoClaimsAssertion() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenUserinfoClaimsAssertion", reflect.TypeOf((*MockClient)(nil).IDTokenUserinfoClaimsAssertion))
 }
-// IsScopeAllowed mocks base method
+// IsScopeAllowed mocks base method.
 func (m *MockClient) IsScopeAllowed(arg0 string) bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IsScopeAllowed", arg0)
@ -155,13 +156,13 @@ func (m *MockClient) IsScopeAllowed(arg0 string) bool {
 	return ret0
 }
-// IsScopeAllowed indicates an expected call of IsScopeAllowed
+// IsScopeAllowed indicates an expected call of IsScopeAllowed.
 func (mr *MockClientMockRecorder) IsScopeAllowed(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsScopeAllowed", reflect.TypeOf((*MockClient)(nil).IsScopeAllowed), arg0)
 }
-// LoginURL mocks base method
+// LoginURL mocks base method.
 func (m *MockClient) LoginURL(arg0 string) string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "LoginURL", arg0)
@ -169,13 +170,13 @@ func (m *MockClient) LoginURL(arg0 string) string {
 	return ret0
 }
-// LoginURL indicates an expected call of LoginURL
+// LoginURL indicates an expected call of LoginURL.
 func (mr *MockClientMockRecorder) LoginURL(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoginURL", reflect.TypeOf((*MockClient)(nil).LoginURL), arg0)
 }
-// PostLogoutRedirectURIs mocks base method
+// PostLogoutRedirectURIs mocks base method.
 func (m *MockClient) PostLogoutRedirectURIs() []string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "PostLogoutRedirectURIs")
@ -183,13 +184,13 @@ func (m *MockClient) PostLogoutRedirectURIs() []string {
 	return ret0
 }
-// PostLogoutRedirectURIs indicates an expected call of PostLogoutRedirectURIs
+// PostLogoutRedirectURIs indicates an expected call of PostLogoutRedirectURIs.
 func (mr *MockClientMockRecorder) PostLogoutRedirectURIs() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PostLogoutRedirectURIs", reflect.TypeOf((*MockClient)(nil).PostLogoutRedirectURIs))
 }
-// RedirectURIs mocks base method
+// RedirectURIs mocks base method.
 func (m *MockClient) RedirectURIs() []string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "RedirectURIs")
@ -197,13 +198,13 @@ func (m *MockClient) RedirectURIs() []string {
 	return ret0
 }
-// RedirectURIs indicates an expected call of RedirectURIs
+// RedirectURIs indicates an expected call of RedirectURIs.
 func (mr *MockClientMockRecorder) RedirectURIs() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RedirectURIs", reflect.TypeOf((*MockClient)(nil).RedirectURIs))
 }
-// ResponseTypes mocks base method
+// ResponseTypes mocks base method.
 func (m *MockClient) ResponseTypes() []oidc.ResponseType {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ResponseTypes")
@ -211,13 +212,13 @@ func (m *MockClient) ResponseTypes() []oidc.ResponseType {
 	return ret0
 }
-// ResponseTypes indicates an expected call of ResponseTypes
+// ResponseTypes indicates an expected call of ResponseTypes.
 func (mr *MockClientMockRecorder) ResponseTypes() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResponseTypes", reflect.TypeOf((*MockClient)(nil).ResponseTypes))
 }
-// RestrictAdditionalAccessTokenScopes mocks base method
+// RestrictAdditionalAccessTokenScopes mocks base method.
 func (m *MockClient) RestrictAdditionalAccessTokenScopes() func([]string) []string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "RestrictAdditionalAccessTokenScopes")
@ -225,13 +226,13 @@ func (m *MockClient) RestrictAdditionalAccessTokenScopes() func([]string) []stri
 	return ret0
 }
-// RestrictAdditionalAccessTokenScopes indicates an expected call of RestrictAdditionalAccessTokenScopes
+// RestrictAdditionalAccessTokenScopes indicates an expected call of RestrictAdditionalAccessTokenScopes.
 func (mr *MockClientMockRecorder) RestrictAdditionalAccessTokenScopes() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RestrictAdditionalAccessTokenScopes", reflect.TypeOf((*MockClient)(nil).RestrictAdditionalAccessTokenScopes))
 }
-// RestrictAdditionalIdTokenScopes mocks base method
+// RestrictAdditionalIdTokenScopes mocks base method.
 func (m *MockClient) RestrictAdditionalIdTokenScopes() func([]string) []string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "RestrictAdditionalIdTokenScopes")
@ -239,7 +240,7 @@ func (m *MockClient) RestrictAdditionalIdTokenScopes() func([]string) []string {
 	return ret0
 }
-// RestrictAdditionalIdTokenScopes indicates an expected call of RestrictAdditionalIdTokenScopes
+// RestrictAdditionalIdTokenScopes indicates an expected call of RestrictAdditionalIdTokenScopes.
 func (mr *MockClientMockRecorder) RestrictAdditionalIdTokenScopes() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RestrictAdditionalIdTokenScopes", reflect.TypeOf((*MockClient)(nil).RestrictAdditionalIdTokenScopes))
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@ -5,35 +5,36 @@
 package mock
 import (
 	reflect "reflect"
 	op "github.com/caos/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
 )
-// MockConfiguration is a mock of Configuration interface
+// MockConfiguration is a mock of Configuration interface.
 type MockConfiguration struct {
 	ctrl     *gomock.Controller
 	recorder *MockConfigurationMockRecorder
 }
-// MockConfigurationMockRecorder is the mock recorder for MockConfiguration
+// MockConfigurationMockRecorder is the mock recorder for MockConfiguration.
 type MockConfigurationMockRecorder struct {
 	mock *MockConfiguration
 }
-// NewMockConfiguration creates a new mock instance
+// NewMockConfiguration creates a new mock instance.
 func NewMockConfiguration(ctrl *gomock.Controller) *MockConfiguration {
 	mock := &MockConfiguration{ctrl: ctrl}
 	mock.recorder = &MockConfigurationMockRecorder{mock}
 	return mock
 }
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockConfiguration) EXPECT() *MockConfigurationMockRecorder {
 	return m.recorder
 }
-// AuthMethodPostSupported mocks base method
+// AuthMethodPostSupported mocks base method.
 func (m *MockConfiguration) AuthMethodPostSupported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthMethodPostSupported")
@ -41,13 +42,13 @@ func (m *MockConfiguration) AuthMethodPostSupported() bool {
 	return ret0
 }
-// AuthMethodPostSupported indicates an expected call of AuthMethodPostSupported
+// AuthMethodPostSupported indicates an expected call of AuthMethodPostSupported.
 func (mr *MockConfigurationMockRecorder) AuthMethodPostSupported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPostSupported", reflect.TypeOf((*MockConfiguration)(nil).AuthMethodPostSupported))
 }
-// AuthMethodPrivateKeyJWTSupported mocks base method
+// AuthMethodPrivateKeyJWTSupported mocks base method.
 func (m *MockConfiguration) AuthMethodPrivateKeyJWTSupported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthMethodPrivateKeyJWTSupported")
@ -55,13 +56,13 @@ func (m *MockConfiguration) AuthMethodPrivateKeyJWTSupported() bool {
 	return ret0
 }
-// AuthMethodPrivateKeyJWTSupported indicates an expected call of AuthMethodPrivateKeyJWTSupported
+// AuthMethodPrivateKeyJWTSupported indicates an expected call of AuthMethodPrivateKeyJWTSupported.
 func (mr *MockConfigurationMockRecorder) AuthMethodPrivateKeyJWTSupported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPrivateKeyJWTSupported", reflect.TypeOf((*MockConfiguration)(nil).AuthMethodPrivateKeyJWTSupported))
 }
-// AuthorizationEndpoint mocks base method
+// AuthorizationEndpoint mocks base method.
 func (m *MockConfiguration) AuthorizationEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthorizationEndpoint")
@ -69,13 +70,13 @@ func (m *MockConfiguration) AuthorizationEndpoint() op.Endpoint {
 	return ret0
 }
-// AuthorizationEndpoint indicates an expected call of AuthorizationEndpoint
+// AuthorizationEndpoint indicates an expected call of AuthorizationEndpoint.
 func (mr *MockConfigurationMockRecorder) AuthorizationEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthorizationEndpoint", reflect.TypeOf((*MockConfiguration)(nil).AuthorizationEndpoint))
 }
-// CodeMethodS256Supported mocks base method
+// CodeMethodS256Supported mocks base method.
 func (m *MockConfiguration) CodeMethodS256Supported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CodeMethodS256Supported")
@ -83,13 +84,13 @@ func (m *MockConfiguration) CodeMethodS256Supported() bool {
 	return ret0
 }
-// CodeMethodS256Supported indicates an expected call of CodeMethodS256Supported
+// CodeMethodS256Supported indicates an expected call of CodeMethodS256Supported.
 func (mr *MockConfigurationMockRecorder) CodeMethodS256Supported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CodeMethodS256Supported", reflect.TypeOf((*MockConfiguration)(nil).CodeMethodS256Supported))
 }
-// EndSessionEndpoint mocks base method
+// EndSessionEndpoint mocks base method.
 func (m *MockConfiguration) EndSessionEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "EndSessionEndpoint")
@ -97,13 +98,13 @@ func (m *MockConfiguration) EndSessionEndpoint() op.Endpoint {
 	return ret0
 }
-// EndSessionEndpoint indicates an expected call of EndSessionEndpoint
+// EndSessionEndpoint indicates an expected call of EndSessionEndpoint.
 func (mr *MockConfigurationMockRecorder) EndSessionEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndSessionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).EndSessionEndpoint))
 }
-// GrantTypeJWTAuthorizationSupported mocks base method
+// GrantTypeJWTAuthorizationSupported mocks base method.
 func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GrantTypeJWTAuthorizationSupported")
@ -111,13 +112,13 @@ func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool {
 	return ret0
 }
-// GrantTypeJWTAuthorizationSupported indicates an expected call of GrantTypeJWTAuthorizationSupported
+// GrantTypeJWTAuthorizationSupported indicates an expected call of GrantTypeJWTAuthorizationSupported.
 func (mr *MockConfigurationMockRecorder) GrantTypeJWTAuthorizationSupported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeJWTAuthorizationSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeJWTAuthorizationSupported))
 }
-// GrantTypeTokenExchangeSupported mocks base method
+// GrantTypeTokenExchangeSupported mocks base method.
 func (m *MockConfiguration) GrantTypeTokenExchangeSupported() bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GrantTypeTokenExchangeSupported")
@ -125,13 +126,13 @@ func (m *MockConfiguration) GrantTypeTokenExchangeSupported() bool {
 	return ret0
 }
-// GrantTypeTokenExchangeSupported indicates an expected call of GrantTypeTokenExchangeSupported
+// GrantTypeTokenExchangeSupported indicates an expected call of GrantTypeTokenExchangeSupported.
 func (mr *MockConfigurationMockRecorder) GrantTypeTokenExchangeSupported() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeTokenExchangeSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeTokenExchangeSupported))
 }
-// IntrospectionEndpoint mocks base method
+// IntrospectionEndpoint mocks base method.
 func (m *MockConfiguration) IntrospectionEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "IntrospectionEndpoint")
@ -139,13 +140,13 @@ func (m *MockConfiguration) IntrospectionEndpoint() op.Endpoint {
 	return ret0
 }
-// IntrospectionEndpoint indicates an expected call of IntrospectionEndpoint
+// IntrospectionEndpoint indicates an expected call of IntrospectionEndpoint.
 func (mr *MockConfigurationMockRecorder) IntrospectionEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntrospectionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).IntrospectionEndpoint))
 }
-// Issuer mocks base method
+// Issuer mocks base method.
 func (m *MockConfiguration) Issuer() string {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Issuer")
@ -153,13 +154,13 @@ func (m *MockConfiguration) Issuer() string {
 	return ret0
 }
-// Issuer indicates an expected call of Issuer
+// Issuer indicates an expected call of Issuer.
 func (mr *MockConfigurationMockRecorder) Issuer() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockConfiguration)(nil).Issuer))
 }
-// KeysEndpoint mocks base method
+// KeysEndpoint mocks base method.
 func (m *MockConfiguration) KeysEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "KeysEndpoint")
@ -167,13 +168,13 @@ func (m *MockConfiguration) KeysEndpoint() op.Endpoint {
 	return ret0
 }
-// KeysEndpoint indicates an expected call of KeysEndpoint
+// KeysEndpoint indicates an expected call of KeysEndpoint.
 func (mr *MockConfigurationMockRecorder) KeysEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeysEndpoint", reflect.TypeOf((*MockConfiguration)(nil).KeysEndpoint))
 }
-// TokenEndpoint mocks base method
+// TokenEndpoint mocks base method.
 func (m *MockConfiguration) TokenEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "TokenEndpoint")
@ -181,13 +182,13 @@ func (m *MockConfiguration) TokenEndpoint() op.Endpoint {
 	return ret0
 }
-// TokenEndpoint indicates an expected call of TokenEndpoint
+// TokenEndpoint indicates an expected call of TokenEndpoint.
 func (mr *MockConfigurationMockRecorder) TokenEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TokenEndpoint", reflect.TypeOf((*MockConfiguration)(nil).TokenEndpoint))
 }
-// UserinfoEndpoint mocks base method
+// UserinfoEndpoint mocks base method.
 func (m *MockConfiguration) UserinfoEndpoint() op.Endpoint {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UserinfoEndpoint")
@ -195,7 +196,7 @@ func (m *MockConfiguration) UserinfoEndpoint() op.Endpoint {
 	return ret0
 }
-// UserinfoEndpoint indicates an expected call of UserinfoEndpoint
+// UserinfoEndpoint indicates an expected call of UserinfoEndpoint.
 func (mr *MockConfigurationMockRecorder) UserinfoEndpoint() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UserinfoEndpoint", reflect.TypeOf((*MockConfiguration)(nil).UserinfoEndpoint))
--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@ -6,35 +6,36 @@ package mock
 import (
 	context "context"
 	reflect "reflect"
 	gomock "github.com/golang/mock/gomock"
 	jose "gopkg.in/square/go-jose.v2"
 	reflect "reflect"
 )
-// MockSigner is a mock of Signer interface
+// MockSigner is a mock of Signer interface.
 type MockSigner struct {
 	ctrl     *gomock.Controller
 	recorder *MockSignerMockRecorder
 }
-// MockSignerMockRecorder is the mock recorder for MockSigner
+// MockSignerMockRecorder is the mock recorder for MockSigner.
 type MockSignerMockRecorder struct {
 	mock *MockSigner
 }
-// NewMockSigner creates a new mock instance
+// NewMockSigner creates a new mock instance.
 func NewMockSigner(ctrl *gomock.Controller) *MockSigner {
 	mock := &MockSigner{ctrl: ctrl}
 	mock.recorder = &MockSignerMockRecorder{mock}
 	return mock
 }
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockSigner) EXPECT() *MockSignerMockRecorder {
 	return m.recorder
 }
-// Health mocks base method
+// Health mocks base method.
 func (m *MockSigner) Health(arg0 context.Context) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Health", arg0)
@ -42,13 +43,13 @@ func (m *MockSigner) Health(arg0 context.Context) error {
 	return ret0
 }
-// Health indicates an expected call of Health
+// Health indicates an expected call of Health.
 func (mr *MockSignerMockRecorder) Health(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockSigner)(nil).Health), arg0)
 }
-// SignatureAlgorithm mocks base method
+// SignatureAlgorithm mocks base method.
 func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SignatureAlgorithm")
@ -56,13 +57,13 @@ func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
 	return ret0
 }
-// SignatureAlgorithm indicates an expected call of SignatureAlgorithm
+// SignatureAlgorithm indicates an expected call of SignatureAlgorithm.
 func (mr *MockSignerMockRecorder) SignatureAlgorithm() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SignatureAlgorithm", reflect.TypeOf((*MockSigner)(nil).SignatureAlgorithm))
 }
-// Signer mocks base method
+// Signer mocks base method.
 func (m *MockSigner) Signer() jose.Signer {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Signer")
@ -70,7 +71,7 @@ func (m *MockSigner) Signer() jose.Signer {
 	return ret0
 }
-// Signer indicates an expected call of Signer
+// Signer indicates an expected call of Signer.
 func (mr *MockSignerMockRecorder) Signer() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockSigner)(nil).Signer))
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -6,38 +6,39 @@ package mock
 import (
 	context "context"
 	reflect "reflect"
 	time "time"
 	oidc "github.com/caos/oidc/pkg/oidc"
 	op "github.com/caos/oidc/pkg/op"
 	gomock "github.com/golang/mock/gomock"
 	jose "gopkg.in/square/go-jose.v2"
 	reflect "reflect"
 	time "time"
 )
-// MockStorage is a mock of Storage interface
+// MockStorage is a mock of Storage interface.
 type MockStorage struct {
 	ctrl     *gomock.Controller
 	recorder *MockStorageMockRecorder
 }
-// MockStorageMockRecorder is the mock recorder for MockStorage
+// MockStorageMockRecorder is the mock recorder for MockStorage.
 type MockStorageMockRecorder struct {
 	mock *MockStorage
 }
-// NewMockStorage creates a new mock instance
+// NewMockStorage creates a new mock instance.
 func NewMockStorage(ctrl *gomock.Controller) *MockStorage {
 	mock := &MockStorage{ctrl: ctrl}
 	mock.recorder = &MockStorageMockRecorder{mock}
 	return mock
 }
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockStorage) EXPECT() *MockStorageMockRecorder {
 	return m.recorder
 }
-// AuthRequestByCode mocks base method
+// AuthRequestByCode mocks base method.
 func (m *MockStorage) AuthRequestByCode(arg0 context.Context, arg1 string) (op.AuthRequest, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthRequestByCode", arg0, arg1)
@ -46,13 +47,13 @@ func (m *MockStorage) AuthRequestByCode(arg0 context.Context, arg1 string) (op.A
 	return ret0, ret1
 }
-// AuthRequestByCode indicates an expected call of AuthRequestByCode
+// AuthRequestByCode indicates an expected call of AuthRequestByCode.
 func (mr *MockStorageMockRecorder) AuthRequestByCode(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthRequestByCode", reflect.TypeOf((*MockStorage)(nil).AuthRequestByCode), arg0, arg1)
 }
-// AuthRequestByID mocks base method
+// AuthRequestByID mocks base method.
 func (m *MockStorage) AuthRequestByID(arg0 context.Context, arg1 string) (op.AuthRequest, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthRequestByID", arg0, arg1)
@ -61,13 +62,13 @@ func (m *MockStorage) AuthRequestByID(arg0 context.Context, arg1 string) (op.Aut
 	return ret0, ret1
 }
-// AuthRequestByID indicates an expected call of AuthRequestByID
+// AuthRequestByID indicates an expected call of AuthRequestByID.
 func (mr *MockStorageMockRecorder) AuthRequestByID(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthRequestByID", reflect.TypeOf((*MockStorage)(nil).AuthRequestByID), arg0, arg1)
 }
-// AuthorizeClientIDSecret mocks base method
+// AuthorizeClientIDSecret mocks base method.
 func (m *MockStorage) AuthorizeClientIDSecret(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthorizeClientIDSecret", arg0, arg1, arg2)
@ -75,13 +76,46 @@ func (m *MockStorage) AuthorizeClientIDSecret(arg0 context.Context, arg1, arg2 s
 	return ret0
 }
-// AuthorizeClientIDSecret indicates an expected call of AuthorizeClientIDSecret
+// AuthorizeClientIDSecret indicates an expected call of AuthorizeClientIDSecret.
 func (mr *MockStorageMockRecorder) AuthorizeClientIDSecret(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthorizeClientIDSecret", reflect.TypeOf((*MockStorage)(nil).AuthorizeClientIDSecret), arg0, arg1, arg2)
 }
-// CreateAuthRequest mocks base method
+// CreateAccessAndRefreshTokens mocks base method.
 func (m *MockStorage) CreateAccessAndRefreshTokens(arg0 context.Context, arg1 op.TokenRequest, arg2 string) (string, string, time.Time, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CreateAccessAndRefreshTokens", arg0, arg1, arg2)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(string)
 	ret2, _ := ret[2].(time.Time)
 	ret3, _ := ret[3].(error)
 	return ret0, ret1, ret2, ret3
 }
 // CreateAccessAndRefreshTokens indicates an expected call of CreateAccessAndRefreshTokens.
 func (mr *MockStorageMockRecorder) CreateAccessAndRefreshTokens(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAccessAndRefreshTokens", reflect.TypeOf((*MockStorage)(nil).CreateAccessAndRefreshTokens), arg0, arg1, arg2)
 }
 // CreateAccessToken mocks base method.
 func (m *MockStorage) CreateAccessToken(arg0 context.Context, arg1 op.TokenRequest) (string, time.Time, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CreateAccessToken", arg0, arg1)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(time.Time)
 	ret2, _ := ret[2].(error)
 	return ret0, ret1, ret2
 }
 // CreateAccessToken indicates an expected call of CreateAccessToken.
 func (mr *MockStorageMockRecorder) CreateAccessToken(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAccessToken", reflect.TypeOf((*MockStorage)(nil).CreateAccessToken), arg0, arg1)
 }
 // CreateAuthRequest mocks base method.
 func (m *MockStorage) CreateAuthRequest(arg0 context.Context, arg1 *oidc.AuthRequest, arg2 string) (op.AuthRequest, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CreateAuthRequest", arg0, arg1, arg2)
@ -90,29 +124,13 @@ func (m *MockStorage) CreateAuthRequest(arg0 context.Context, arg1 *oidc.AuthReq
 	return ret0, ret1
 }
-// CreateAuthRequest indicates an expected call of CreateAuthRequest
+// CreateAuthRequest indicates an expected call of CreateAuthRequest.
 func (mr *MockStorageMockRecorder) CreateAuthRequest(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAuthRequest", reflect.TypeOf((*MockStorage)(nil).CreateAuthRequest), arg0, arg1, arg2)
 }
-// CreateToken mocks base method
+// DeleteAuthRequest mocks base method.
 func (m *MockStorage) CreateToken(arg0 context.Context, arg1 op.TokenRequest) (string, time.Time, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CreateToken", arg0, arg1)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(time.Time)
 	ret2, _ := ret[2].(error)
 	return ret0, ret1, ret2
 }
 // CreateToken indicates an expected call of CreateToken
 func (mr *MockStorageMockRecorder) CreateToken(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateToken", reflect.TypeOf((*MockStorage)(nil).CreateToken), arg0, arg1)
 }
 // DeleteAuthRequest mocks base method
 func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteAuthRequest", arg0, arg1)
@ -120,13 +138,13 @@ func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error
 	return ret0
 }
-// DeleteAuthRequest indicates an expected call of DeleteAuthRequest
+// DeleteAuthRequest indicates an expected call of DeleteAuthRequest.
 func (mr *MockStorageMockRecorder) DeleteAuthRequest(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAuthRequest", reflect.TypeOf((*MockStorage)(nil).DeleteAuthRequest), arg0, arg1)
 }
-// GetClientByClientID mocks base method
+// GetClientByClientID mocks base method.
 func (m *MockStorage) GetClientByClientID(arg0 context.Context, arg1 string) (op.Client, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetClientByClientID", arg0, arg1)
@ -135,13 +153,13 @@ func (m *MockStorage) GetClientByClientID(arg0 context.Context, arg1 string) (op
 	return ret0, ret1
 }
-// GetClientByClientID indicates an expected call of GetClientByClientID
+// GetClientByClientID indicates an expected call of GetClientByClientID.
 func (mr *MockStorageMockRecorder) GetClientByClientID(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClientByClientID", reflect.TypeOf((*MockStorage)(nil).GetClientByClientID), arg0, arg1)
 }
-// GetKeyByIDAndUserID mocks base method
+// GetKeyByIDAndUserID mocks base method.
 func (m *MockStorage) GetKeyByIDAndUserID(arg0 context.Context, arg1, arg2 string) (*jose.JSONWebKey, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetKeyByIDAndUserID", arg0, arg1, arg2)
@ -150,13 +168,13 @@ func (m *MockStorage) GetKeyByIDAndUserID(arg0 context.Context, arg1, arg2 strin
 	return ret0, ret1
 }
-// GetKeyByIDAndUserID indicates an expected call of GetKeyByIDAndUserID
+// GetKeyByIDAndUserID indicates an expected call of GetKeyByIDAndUserID.
 func (mr *MockStorageMockRecorder) GetKeyByIDAndUserID(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeyByIDAndUserID", reflect.TypeOf((*MockStorage)(nil).GetKeyByIDAndUserID), arg0, arg1, arg2)
 }
-// GetKeySet mocks base method
+// GetKeySet mocks base method.
 func (m *MockStorage) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetKeySet", arg0)
@ -165,13 +183,13 @@ func (m *MockStorage) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, erro
 	return ret0, ret1
 }
-// GetKeySet indicates an expected call of GetKeySet
+// GetKeySet indicates an expected call of GetKeySet.
 func (mr *MockStorageMockRecorder) GetKeySet(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeySet", reflect.TypeOf((*MockStorage)(nil).GetKeySet), arg0)
 }
-// GetPrivateClaimsFromScopes mocks base method
+// GetPrivateClaimsFromScopes mocks base method.
 func (m *MockStorage) GetPrivateClaimsFromScopes(arg0 context.Context, arg1, arg2 string, arg3 []string) (map[string]interface{}, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetPrivateClaimsFromScopes", arg0, arg1, arg2, arg3)
@ -180,25 +198,25 @@ func (m *MockStorage) GetPrivateClaimsFromScopes(arg0 context.Context, arg1, arg
 	return ret0, ret1
 }
-// GetPrivateClaimsFromScopes indicates an expected call of GetPrivateClaimsFromScopes
+// GetPrivateClaimsFromScopes indicates an expected call of GetPrivateClaimsFromScopes.
 func (mr *MockStorageMockRecorder) GetPrivateClaimsFromScopes(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPrivateClaimsFromScopes", reflect.TypeOf((*MockStorage)(nil).GetPrivateClaimsFromScopes), arg0, arg1, arg2, arg3)
 }
-// GetSigningKey mocks base method
+// GetSigningKey mocks base method.
 func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "GetSigningKey", arg0, arg1)
 }
-// GetSigningKey indicates an expected call of GetSigningKey
+// GetSigningKey indicates an expected call of GetSigningKey.
 func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1)
 }
-// Health mocks base method
+// Health mocks base method.
 func (m *MockStorage) Health(arg0 context.Context) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Health", arg0)
@ -206,13 +224,13 @@ func (m *MockStorage) Health(arg0 context.Context) error {
 	return ret0
 }
-// Health indicates an expected call of Health
+// Health indicates an expected call of Health.
 func (mr *MockStorageMockRecorder) Health(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockStorage)(nil).Health), arg0)
 }
-// SaveAuthCode mocks base method
+// SaveAuthCode mocks base method.
 func (m *MockStorage) SaveAuthCode(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SaveAuthCode", arg0, arg1, arg2)
@ -220,13 +238,13 @@ func (m *MockStorage) SaveAuthCode(arg0 context.Context, arg1, arg2 string) erro
 	return ret0
 }
-// SaveAuthCode indicates an expected call of SaveAuthCode
+// SaveAuthCode indicates an expected call of SaveAuthCode.
 func (mr *MockStorageMockRecorder) SaveAuthCode(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveAuthCode", reflect.TypeOf((*MockStorage)(nil).SaveAuthCode), arg0, arg1, arg2)
 }
-// SetIntrospectionFromToken mocks base method
+// SetIntrospectionFromToken mocks base method.
 func (m *MockStorage) SetIntrospectionFromToken(arg0 context.Context, arg1 oidc.IntrospectionResponse, arg2, arg3, arg4 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SetIntrospectionFromToken", arg0, arg1, arg2, arg3, arg4)
@ -234,13 +252,13 @@ func (m *MockStorage) SetIntrospectionFromToken(arg0 context.Context, arg1 oidc.
 	return ret0
 }
-// SetIntrospectionFromToken indicates an expected call of SetIntrospectionFromToken
+// SetIntrospectionFromToken indicates an expected call of SetIntrospectionFromToken.
 func (mr *MockStorageMockRecorder) SetIntrospectionFromToken(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetIntrospectionFromToken", reflect.TypeOf((*MockStorage)(nil).SetIntrospectionFromToken), arg0, arg1, arg2, arg3, arg4)
 }
-// SetUserinfoFromScopes mocks base method
+// SetUserinfoFromScopes mocks base method.
 func (m *MockStorage) SetUserinfoFromScopes(arg0 context.Context, arg1 oidc.UserInfoSetter, arg2, arg3 string, arg4 []string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SetUserinfoFromScopes", arg0, arg1, arg2, arg3, arg4)
@ -248,13 +266,13 @@ func (m *MockStorage) SetUserinfoFromScopes(arg0 context.Context, arg1 oidc.User
 	return ret0
 }
-// SetUserinfoFromScopes indicates an expected call of SetUserinfoFromScopes
+// SetUserinfoFromScopes indicates an expected call of SetUserinfoFromScopes.
 func (mr *MockStorageMockRecorder) SetUserinfoFromScopes(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUserinfoFromScopes", reflect.TypeOf((*MockStorage)(nil).SetUserinfoFromScopes), arg0, arg1, arg2, arg3, arg4)
 }
-// SetUserinfoFromToken mocks base method
+// SetUserinfoFromToken mocks base method.
 func (m *MockStorage) SetUserinfoFromToken(arg0 context.Context, arg1 oidc.UserInfoSetter, arg2, arg3, arg4 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SetUserinfoFromToken", arg0, arg1, arg2, arg3, arg4)
@ -262,13 +280,13 @@ func (m *MockStorage) SetUserinfoFromToken(arg0 context.Context, arg1 oidc.UserI
 	return ret0
 }
-// SetUserinfoFromToken indicates an expected call of SetUserinfoFromToken
+// SetUserinfoFromToken indicates an expected call of SetUserinfoFromToken.
 func (mr *MockStorageMockRecorder) SetUserinfoFromToken(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).SetUserinfoFromToken), arg0, arg1, arg2, arg3, arg4)
 }
-// TerminateSession mocks base method
+// TerminateSession mocks base method.
 func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "TerminateSession", arg0, arg1, arg2)
@ -276,13 +294,28 @@ func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string)
 	return ret0
 }
-// TerminateSession indicates an expected call of TerminateSession
+// TerminateSession indicates an expected call of TerminateSession.
 func (mr *MockStorageMockRecorder) TerminateSession(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TerminateSession", reflect.TypeOf((*MockStorage)(nil).TerminateSession), arg0, arg1, arg2)
 }
-// ValidateJWTProfileScopes mocks base method
+// TokenRequestByRefreshToken mocks base method.
 func (m *MockStorage) TokenRequestByRefreshToken(arg0 context.Context, arg1 string) (op.RefreshTokenRequest, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "TokenRequestByRefreshToken", arg0, arg1)
 	ret0, _ := ret[0].(op.RefreshTokenRequest)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 // TokenRequestByRefreshToken indicates an expected call of TokenRequestByRefreshToken.
 func (mr *MockStorageMockRecorder) TokenRequestByRefreshToken(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TokenRequestByRefreshToken", reflect.TypeOf((*MockStorage)(nil).TokenRequestByRefreshToken), arg0, arg1)
 }
 // ValidateJWTProfileScopes mocks base method.
 func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string, arg2 oidc.Scopes) (oidc.Scopes, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ValidateJWTProfileScopes", arg0, arg1, arg2)
@ -291,7 +324,7 @@ func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string
 	return ret0, ret1
 }
-// ValidateJWTProfileScopes indicates an expected call of ValidateJWTProfileScopes
+// ValidateJWTProfileScopes indicates an expected call of ValidateJWTProfileScopes.
 func (mr *MockStorageMockRecorder) ValidateJWTProfileScopes(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateJWTProfileScopes", reflect.TypeOf((*MockStorage)(nil).ValidateJWTProfileScopes), arg0, arg1, arg2)
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -16,7 +16,9 @@ type AuthStorage interface {
 	SaveAuthCode(context.Context, string, string) error
 	DeleteAuthRequest(context.Context, string) error
-	CreateToken(context.Context, TokenRequest) (string, time.Time, error)
+	CreateAccessToken(context.Context, TokenRequest) (string, time.Time, error)
 	CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error)
 	TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (RefreshTokenRequest, error)
 	TerminateSession(context.Context, string, string) error
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@ -21,53 +21,61 @@ type TokenRequest interface {
 	GetScopes() []string
 }
-func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) {
+func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error) {
-	var accessToken string
+	var accessToken, newRefreshToken string
 	var validity time.Duration
 	if createAccessToken {
 		var err error
-		accessToken, validity, err = CreateAccessToken(ctx, authReq, client.AccessTokenType(), creator, client)
+		accessToken, newRefreshToken, validity, err = CreateAccessToken(ctx, request, client.AccessTokenType(), creator, client, refreshToken)
 		if err != nil {
 			return nil, err
 		}
 	}
-	idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client)
+	idToken, err := CreateIDToken(ctx, creator.Issuer(), request, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client)
 	if err != nil {
 		return nil, err
 	}
-	err = creator.Storage().DeleteAuthRequest(ctx, authReq.GetID())
+	if authRequest, ok := request.(AuthRequest); ok {
 		err = creator.Storage().DeleteAuthRequest(ctx, authRequest.GetID())
 		if err != nil {
 			return nil, err
 		}
 	}
 	exp := uint64(validity.Seconds())
 	return &oidc.AccessTokenResponse{
 		AccessToken:  accessToken,
 		IDToken:      idToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    oidc.BearerToken,
 		ExpiresIn:    exp,
 	}, nil
 }
-func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error) {
+func createTokens(ctx context.Context, tokenRequest TokenRequest, storage Storage, refreshToken string) (id, newRefreshToken string, exp time.Time, err error) {
-	accessToken, validity, err := CreateAccessToken(ctx, tokenRequest, AccessTokenTypeBearer, creator, nil)
+	if needsRefreshToken(tokenRequest) {
-	if err != nil {
+		return storage.CreateAccessAndRefreshTokens(ctx, tokenRequest, refreshToken)
-		return nil, err
+	}
 	id, exp, err = storage.CreateAccessToken(ctx, tokenRequest)
 	return
 }
-	exp := uint64(validity.Seconds())
+func needsRefreshToken(tokenRequest TokenRequest) bool {
-	return &oidc.AccessTokenResponse{
+	switch req := tokenRequest.(type) {
-		AccessToken: accessToken,
+	case AuthRequest:
-		TokenType:   oidc.BearerToken,
+		return utils.Contains(req.GetScopes(), oidc.ScopeOfflineAccess) && req.GetResponseType() == oidc.ResponseTypeCode
-		ExpiresIn:   exp,
+	case RefreshTokenRequest:
-	}, nil
+		return true
 	default:
 		return false
 	}
 }
-func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client) (token string, validity time.Duration, err error) {
+func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error) {
-	id, exp, err := creator.Storage().CreateToken(ctx, tokenRequest)
+	id, newRefreshToken, exp, err := createTokens(ctx, tokenRequest, creator.Storage(), refreshToken)
 	if err != nil {
-		return "", 0, err
+		return "", "", 0, err
 	}
 	var clockSkew time.Duration
 	if client != nil {
@ -75,10 +83,10 @@ func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTok
 	}
 	validity = exp.Add(clockSkew).Sub(time.Now().UTC())
 	if accessTokenType == AccessTokenTypeJWT {
-		token, err = CreateJWT(ctx, creator.Issuer(), tokenRequest, exp, id, creator.Signer(), client, creator.Storage())
+		accessToken, err = CreateJWT(ctx, creator.Issuer(), tokenRequest, exp, id, creator.Signer(), client, creator.Storage())
 		return
 	}
-	token, err = CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
+	accessToken, err = CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
 	return
 }
@ -99,10 +107,24 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 	return utils.Sign(claims, signer.Signer())
 }
-func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, client Client) (string, error) {
+type IDTokenRequest interface {
 	GetAMR() []string
 	GetAudience() []string
 	GetAuthTime() time.Time
 	GetClientID() string
 	GetScopes() []string
 	GetSubject() string
 }
 func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, client Client) (string, error) {
 	exp := time.Now().UTC().Add(client.ClockSkew()).Add(validity)
-	claims := oidc.NewIDTokenClaims(issuer, authReq.GetSubject(), authReq.GetAudience(), exp, authReq.GetAuthTime(), authReq.GetNonce(), authReq.GetACR(), authReq.GetAMR(), authReq.GetClientID(), client.ClockSkew())
+	var acr, nonce string
-	scopes := client.RestrictAdditionalIdTokenScopes()(authReq.GetScopes())
+	if authRequest, ok := request.(AuthRequest); ok {
 		acr = authRequest.GetACR()
 		nonce = authRequest.GetNonce()
 	}
 	claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew())
 	scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes())
 	if accessToken != "" {
 		atHash, err := oidc.ClaimHash(accessToken, signer.SignatureAlgorithm())
 		if err != nil {
@ -115,7 +137,7 @@ func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, vali
 	}
 	if len(scopes) > 0 {
 		userInfo := oidc.NewUserInfo()
-		err := storage.SetUserinfoFromScopes(ctx, userInfo, authReq.GetSubject(), authReq.GetClientID(), scopes)
+		err := storage.SetUserinfoFromScopes(ctx, userInfo, request.GetSubject(), request.GetClientID(), scopes)
 		if err != nil {
 			return "", err
 		}
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@ -0,0 +1,107 @@
 package op
 import (
 	"context"
 	"errors"
 	"net/http"
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
 )
 //CodeExchange handles the OAuth 2.0 authorization_code grant, including
 //parsing, validating, authorizing the client and finally exchanging the code for tokens
 func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenReq, err := ParseAccessTokenRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	if tokenReq.Code == "" {
 		RequestError(w, r, ErrInvalidRequest("code missing"))
 		return
 	}
 	authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code, "")
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	utils.MarshalJSON(w, resp)
 }
 //ParseAccessTokenRequest parsed the http request into a oidc.AccessTokenRequest
 func ParseAccessTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.AccessTokenRequest, error) {
 	request := new(oidc.AccessTokenRequest)
 	err := ParseAuthenticatedTokenRequest(r, decoder, request)
 	if err != nil {
 		return nil, err
 	}
 	return request, nil
 }
 //ValidateAccessTokenRequest validates the token request parameters including authorization check of the client
 //and returns the previous created auth request corresponding to the auth code
 func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
 	authReq, client, err := AuthorizeCodeClient(ctx, tokenReq, exchanger)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.GetID() != authReq.GetClientID() {
 		return nil, nil, ErrInvalidRequest("invalid auth code")
 	}
 	if tokenReq.RedirectURI != authReq.GetRedirectURI() {
 		return nil, nil, ErrInvalidRequest("redirect_uri does not correspond")
 	}
 	return authReq, client, nil
 }
 //AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered.
 //It than returns the auth request corresponding to the auth code
 func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error) {
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
 		if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
 			return nil, nil, errors.New("auth_method private_key_jwt not supported")
 		}
 		client, err = AuthorizePrivateJWTKey(ctx, tokenReq.ClientAssertion, jwtExchanger)
 		if err != nil {
 			return nil, nil, err
 		}
 		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 		return request, client, err
 	}
 	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
 		return nil, nil, errors.New("invalid_grant")
 	}
 	if client.AuthMethod() == oidc.AuthMethodNone {
 		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 		if err != nil {
 			return nil, nil, err
 		}
 		err = AuthorizeCodeChallenge(tokenReq, request.GetCodeChallenge())
 		return request, client, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
 		return nil, nil, errors.New("auth_method post not supported")
 	}
 	err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())
 	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 	return request, client, err
 }
 //AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error
 func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error) {
 	authReq, err := storage.AuthRequestByCode(ctx, code)
 	if err != nil {
 		return nil, ErrInvalidRequest("invalid code")
 	}
 	return authReq, nil
 }
--- a/pkg/op/token_exchange.go
+++ b/pkg/op/token_exchange.go
@ -0,0 +1,30 @@
 package op
 import (
 	"errors"
 	"net/http"
 	"github.com/caos/oidc/pkg/oidc"
 )
 //TokenExchange will handle the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	err = ValidateTokenExchangeRequest(tokenRequest, exchanger.Storage())
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 }
 func ParseTokenExchangeRequest(w http.ResponseWriter, r *http.Request) (oidc.TokenRequest, error) {
 	return nil, errors.New("Unimplemented") //TODO: impl
 }
 func ValidateTokenExchangeRequest(tokenReq oidc.TokenRequest, storage Storage) error {
 	return errors.New("Unimplemented") //TODO: impl
 }
--- a/pkg/op/token_jwt_profile.go
+++ b/pkg/op/token_jwt_profile.go
@ -0,0 +1,79 @@
 package op
 import (
 	"context"
 	"net/http"
 	"time"
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
 )
 type JWTAuthorizationGrantExchanger interface {
 	Exchanger
 	JWTProfileVerifier() JWTProfileVerifier
 }
 //JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1
 func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger) {
 	profileRequest, err := ParseJWTProfileGrantRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	tokenRequest, err := VerifyJWTAssertion(r.Context(), profileRequest.Assertion, exchanger.JWTProfileVerifier())
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	utils.MarshalJSON(w, resp)
 }
 func ParseJWTProfileGrantRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
 		return nil, ErrInvalidRequest("error parsing form")
 	}
 	tokenReq := new(oidc.JWTProfileGrantRequest)
 	err = decoder.Decode(tokenReq, r.Form)
 	if err != nil {
 		return nil, ErrInvalidRequest("error decoding form")
 	}
 	return tokenReq, nil
 }
 //CreateJWTTokenResponse creates
 func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error) {
 	id, exp, err := creator.Storage().CreateAccessToken(ctx, tokenRequest)
 	if err != nil {
 		return nil, err
 	}
 	accessToken, err := CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
 	if err != nil {
 		return nil, err
 	}
 	return &oidc.AccessTokenResponse{
 		AccessToken: accessToken,
 		TokenType:   oidc.BearerToken,
 		ExpiresIn:   uint64(exp.Sub(time.Now().UTC()).Seconds()),
 	}, nil
 }
 //ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest
 //
 //deprecated: use ParseJWTProfileGrantRequest
 func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
 	return ParseJWTProfileGrantRequest(r, decoder)
 }
--- a/pkg/op/token_refresh.go
+++ b/pkg/op/token_refresh.go
@ -0,0 +1,132 @@
 package op
 import (
 	"context"
 	"errors"
 	"net/http"
 	"time"
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
 )
 type RefreshTokenRequest interface {
 	GetAMR() []string
 	GetAudience() []string
 	GetAuthTime() time.Time
 	GetClientID() string
 	GetScopes() []string
 	GetSubject() string
 	SetCurrentScopes(scopes oidc.Scopes)
 }
 //RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including
 //parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens
 func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenReq, err := ParseRefreshTokenRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	validatedRequest, client, err := ValidateRefreshTokenRequest(r.Context(), tokenReq, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateTokenResponse(r.Context(), validatedRequest, client, exchanger, true, "", tokenReq.RefreshToken)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	utils.MarshalJSON(w, resp)
 }
 //ParseRefreshTokenRequest parsed the http request into a oidc.RefreshTokenRequest
 func ParseRefreshTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.RefreshTokenRequest, error) {
 	request := new(oidc.RefreshTokenRequest)
 	err := ParseAuthenticatedTokenRequest(r, decoder, request)
 	if err != nil {
 		return nil, err
 	}
 	return request, nil
 }
 //ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client
 //and returns the data representing the original auth request corresponding to the refresh_token
 func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) {
 	if tokenReq.RefreshToken == "" {
 		return nil, nil, ErrInvalidRequest("code missing")
 	}
 	request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.GetID() != request.GetClientID() {
 		return nil, nil, ErrInvalidRequest("invalid auth code")
 	}
 	if err = ValidateRefreshTokenScopes(tokenReq.Scopes, request); err != nil {
 		return nil, nil, err
 	}
 	return request, client, nil
 }
 //ValidateRefreshTokenScopes validates that requested scope is a subset of the original auth request scope
 //it will set the requested scopes as current scopes onto RefreshTokenRequest
 //if empty the original scopes will be used
 func ValidateRefreshTokenScopes(requestedScopes oidc.Scopes, authRequest RefreshTokenRequest) error {
 	if len(requestedScopes) == 0 {
 		return nil
 	}
 	for _, scope := range requestedScopes {
 		if !utils.Contains(authRequest.GetScopes(), scope) {
 			return errors.New("invalid_scope")
 		}
 	}
 	authRequest.SetCurrentScopes(requestedScopes)
 	return nil
 }
 //AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered.
 //It than returns the data representing the original auth request corresponding to the refresh_token
 func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error) {
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
 		if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
 			return nil, nil, errors.New("auth_method private_key_jwt not supported")
 		}
 		client, err = AuthorizePrivateJWTKey(ctx, tokenReq.ClientAssertion, jwtExchanger)
 		if err != nil {
 			return nil, nil, err
 		}
 		request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
 		return request, client, err
 	}
 	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
 		return nil, nil, errors.New("invalid_grant")
 	}
 	if client.AuthMethod() == oidc.AuthMethodNone {
 		request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
 		return request, client, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
 		return nil, nil, errors.New("auth_method post not supported")
 	}
 	if err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage()); err != nil {
 		return nil, nil, err
 	}
 	request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
 	return request, client, err
 }
 //RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (data representing the original auth request)
 //corresponding to the refresh_token from Storage or an error
 func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error) {
 	request, err := storage.TokenRequestByRefreshToken(ctx, refreshToken)
 	if err != nil {
 		return nil, ErrInvalidRequest("invalid refreshToken")
 	}
 	return request, nil
 }
--- a/pkg/op/token_request.go
+++ b/pkg/op/token_request.go
@ -0,0 +1,121 @@
 package op
 import (
 	"context"
 	"net/http"
 	"net/url"
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
 )
 type Exchanger interface {
 	Issuer() string
 	Storage() Storage
 	Decoder() utils.Decoder
 	Signer() Signer
 	Crypto() Crypto
 	AuthMethodPostSupported() bool
 	AuthMethodPrivateKeyJWTSupported() bool
 	GrantTypeTokenExchangeSupported() bool
 	GrantTypeJWTAuthorizationSupported() bool
 }
 func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		switch r.FormValue("grant_type") {
 		case string(oidc.GrantTypeCode):
 			CodeExchange(w, r, exchanger)
 			return
 		case string(oidc.GrantTypeRefreshToken):
 			RefreshTokenExchange(w, r, exchanger)
 			return
 		case string(oidc.GrantTypeBearer):
 			if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
 				JWTProfile(w, r, ex)
 				return
 			}
 		case string(oidc.GrantTypeTokenExchange):
 			if exchanger.GrantTypeTokenExchangeSupported() {
 				TokenExchange(w, r, exchanger)
 				return
 			}
 		case "":
 			RequestError(w, r, ErrInvalidRequest("grant_type missing"))
 			return
 		}
 		RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
 	}
 }
 //authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
 //it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
 type AuthenticatedTokenRequest interface {
 	SetClientID(string)
 	SetClientSecret(string)
 }
 //ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either
 //HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface
 func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, request AuthenticatedTokenRequest) error {
 	err := r.ParseForm()
 	if err != nil {
 		return ErrInvalidRequest("error parsing form")
 	}
 	err = decoder.Decode(request, r.Form)
 	if err != nil {
 		return ErrInvalidRequest("error decoding form")
 	}
 	clientID, clientSecret, ok := r.BasicAuth()
 	if ok {
 		clientID, err = url.QueryUnescape(clientID)
 		if err != nil {
 			return ErrInvalidRequest("invalid basic auth header")
 		}
 		clientSecret, err = url.QueryUnescape(clientSecret)
 		if err != nil {
 			return ErrInvalidRequest("invalid basic auth header")
 		}
 		request.SetClientID(clientID)
 		request.SetClientSecret(clientSecret)
 	}
 	return nil
 }
 //AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
 func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
 	err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
 	if err != nil {
 		return err //TODO: wrap?
 	}
 	return nil
 }
 //AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent
 //code_challenge of the auth request (PKCE)
 func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
 	if tokenReq.CodeVerifier == "" {
 		return ErrInvalidRequest("code_challenge required")
 	}
 	if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
 		return ErrInvalidRequest("code_challenge invalid")
 	}
 	return nil
 }
 //AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously
 //registered public key (JWT Profile)
 func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error) {
 	jwtReq, err := VerifyJWTAssertion(ctx, clientAssertion, exchanger.JWTProfileVerifier())
 	if err != nil {
 		return nil, err
 	}
 	client, err := exchanger.Storage().GetClientByClientID(ctx, jwtReq.Issuer)
 	if err != nil {
 		return nil, err
 	}
 	if client.AuthMethod() != oidc.AuthMethodPrivateKeyJWT {
 		return nil, ErrInvalidRequest("invalid_client")
 	}
 	return client, nil
 }
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@ -1,242 +0,0 @@
 package op
 import (
 	"context"
 	"errors"
 	"net/http"
 	"net/url"
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
 )
 type Exchanger interface {
 	Issuer() string
 	Storage() Storage
 	Decoder() utils.Decoder
 	Signer() Signer
 	Crypto() Crypto
 	AuthMethodPostSupported() bool
 	AuthMethodPrivateKeyJWTSupported() bool
 	GrantTypeTokenExchangeSupported() bool
 	GrantTypeJWTAuthorizationSupported() bool
 }
 type JWTAuthorizationGrantExchanger interface {
 	Exchanger
 	JWTProfileVerifier() JWTProfileVerifier
 }
 func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		switch r.FormValue("grant_type") {
 		case string(oidc.GrantTypeCode):
 			CodeExchange(w, r, exchanger)
 			return
 		case string(oidc.GrantTypeBearer):
 			if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
 				JWTProfile(w, r, ex)
 				return
 			}
 		case string(oidc.GrantTypeTokenExchange):
 			if exchanger.GrantTypeTokenExchangeSupported() {
 				TokenExchange(w, r, exchanger)
 				return
 			}
 		case "":
 			RequestError(w, r, ErrInvalidRequest("grant_type missing"))
 			return
 		}
 		RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
 	}
 }
 func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenReq, err := ParseAccessTokenRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	if tokenReq.Code == "" {
 		RequestError(w, r, ErrInvalidRequest("code missing"))
 		return
 	}
 	authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	utils.MarshalJSON(w, resp)
 }
 func ParseAccessTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.AccessTokenRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
 		return nil, ErrInvalidRequest("error parsing form")
 	}
 	tokenReq := new(oidc.AccessTokenRequest)
 	err = decoder.Decode(tokenReq, r.Form)
 	if err != nil {
 		return nil, ErrInvalidRequest("error decoding form")
 	}
 	clientID, clientSecret, ok := r.BasicAuth()
 	if ok {
 		tokenReq.ClientID, err = url.QueryUnescape(clientID)
 		if err != nil {
 			return nil, ErrInvalidRequest("invalid basic auth header")
 		}
 		tokenReq.ClientSecret, err = url.QueryUnescape(clientSecret)
 		if err != nil {
 			return nil, ErrInvalidRequest("invalid basic auth header")
 		}
 	}
 	return tokenReq, nil
 }
 func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
 	authReq, client, err := AuthorizeClient(ctx, tokenReq, exchanger)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.GetID() != authReq.GetClientID() {
 		return nil, nil, ErrInvalidRequest("invalid auth code")
 	}
 	if tokenReq.RedirectURI != authReq.GetRedirectURI() {
 		return nil, nil, ErrInvalidRequest("redirect_uri does no correspond")
 	}
 	return authReq, client, nil
 }
 func AuthorizeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
 		if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
 			return nil, nil, errors.New("auth_method private_key_jwt not supported")
 		}
 		return AuthorizePrivateJWTKey(ctx, tokenReq, jwtExchanger)
 	}
 	client, err := exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
 		return nil, nil, errors.New("invalid_grant")
 	}
 	if client.AuthMethod() == oidc.AuthMethodNone {
 		authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger)
 		return authReq, client, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
 		return nil, nil, errors.New("auth_method post not supported")
 	}
 	authReq, err := AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, tokenReq.Code, exchanger.Storage())
 	return authReq, client, err
 }
 func AuthorizePrivateJWTKey(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger JWTAuthorizationGrantExchanger) (AuthRequest, Client, error) {
 	jwtReq, err := VerifyJWTAssertion(ctx, tokenReq.ClientAssertion, exchanger.JWTProfileVerifier())
 	if err != nil {
 		return nil, nil, err
 	}
 	authReq, err := exchanger.Storage().AuthRequestByCode(ctx, tokenReq.Code)
 	if err != nil {
 		return nil, nil, ErrInvalidRequest("invalid code")
 	}
 	client, err := exchanger.Storage().GetClientByClientID(ctx, jwtReq.Issuer)
 	if err != nil {
 		return nil, nil, err
 	}
 	if client.AuthMethod() != oidc.AuthMethodPrivateKeyJWT {
 		return nil, nil, ErrInvalidRequest("invalid_client")
 	}
 	return authReq, client, nil
 }
 func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret, code string, storage Storage) (AuthRequest, error) {
 	err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
 	if err != nil {
 		return nil, err
 	}
 	authReq, err := storage.AuthRequestByCode(ctx, code)
 	if err != nil {
 		return nil, ErrInvalidRequest("invalid code")
 	}
 	return authReq, nil
 }
 func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, error) {
 	if tokenReq.CodeVerifier == "" {
 		return nil, ErrInvalidRequest("code_challenge required")
 	}
 	authReq, err := exchanger.Storage().AuthRequestByCode(ctx, tokenReq.Code)
 	if err != nil {
 		return nil, ErrInvalidRequest("invalid code")
 	}
 	if !oidc.VerifyCodeChallenge(authReq.GetCodeChallenge(), tokenReq.CodeVerifier) {
 		return nil, ErrInvalidRequest("code_challenge invalid")
 	}
 	return authReq, nil
 }
 func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger) {
 	profileRequest, err := ParseJWTProfileRequest(r, exchanger.Decoder())
 	if err != nil {
 		RequestError(w, r, err)
 	}
 	tokenRequest, err := VerifyJWTAssertion(r.Context(), profileRequest.Assertion, exchanger.JWTProfileVerifier())
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	utils.MarshalJSON(w, resp)
 }
 func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
 		return nil, ErrInvalidRequest("error parsing form")
 	}
 	tokenReq := new(oidc.JWTProfileGrantRequest)
 	err = decoder.Decode(tokenReq, r.Form)
 	if err != nil {
 		return nil, ErrInvalidRequest("error decoding form")
 	}
 	return tokenReq, nil
 }
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 	err = ValidateTokenExchangeRequest(tokenRequest, exchanger.Storage())
 	if err != nil {
 		RequestError(w, r, err)
 		return
 	}
 }
 func ParseTokenExchangeRequest(w http.ResponseWriter, r *http.Request) (oidc.TokenRequest, error) {
 	return nil, errors.New("Unimplemented") //TODO: impl
 }
 func ValidateTokenExchangeRequest(tokenReq oidc.TokenRequest, storage Storage) error {
 	return errors.New("Unimplemented") //TODO: impl
 }
--- a/pkg/op/verifier_jwt_profile.go
+++ b/pkg/op/verifier_jwt_profile.go
@ -23,6 +23,7 @@ type jwtProfileVerifier struct {
 	offset    time.Duration
 }
 //NewJWTProfileVerifier creates a oidc.Verifier for JWT Profile assertions (authorization grant and client authentication)
 func NewJWTProfileVerifier(storage Storage, issuer string, maxAgeIAT, offset time.Duration) JWTProfileVerifier {
 	return &jwtProfileVerifier{
 		storage:   storage,
@ -48,6 +49,9 @@ func (v *jwtProfileVerifier) Offset() time.Duration {
 	return v.offset
 }
 //VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)
 //
 //checks audience, exp, iat, signature and that issuer and sub are the same
 func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error) {
 	request := new(oidc.JWTTokenRequest)
 	payload, err := oidc.ParseToken(assertion, request)
@ -85,6 +89,7 @@ type jwtProfileKeySet struct {
 	userID string
 }
 //VerifySignature implements oidc.KeySet by getting the public key from Storage implementation
 func (k *jwtProfileKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
 	keyID := ""
 	for _, sig := range jws.Signatures {