refactor: use struct types for claim related types (#283)

* oidc: add regression tests for token claim json

this helps to verify that the same JSON is produced,
after these types are refactored.

* refactor: use struct types for claim related types

BREAKING CHANGE:
The following types are changed from interface to struct type:

- AccessTokenClaims
- IDTokenClaims
- IntrospectionResponse
- UserInfo and related types.

The following methods of OPStorage now take a pointer to a struct type,
instead of an interface:

- SetUserinfoFromScopes
- SetUserinfoFromToken
- SetIntrospectionFromToken

The following functions are now generic, so that type-safe extension
of Claims is now possible:

- op.VerifyIDTokenHint
- op.VerifyAccessToken
- rp.VerifyTokens
- rp.VerifyIDToken

- Changed UserInfoAddress to pointer in UserInfo and
IntrospectionResponse.
This was needed to make omitempty work correctly.
- Copy or merge maps in IntrospectionResponse and SetUserInfo

* op: add example for VerifyAccessToken

* fix: rp: wrong assignment in WithIssuedAtMaxAge

WithIssuedAtMaxAge assigned its value to v.maxAge, which was wrong.
This change fixes that by assiging the duration to v.maxAgeIAT.

* rp: add VerifyTokens example

* oidc: add standard references to:

- IDTokenClaims
- IntrospectionResponse
- UserInfo

* only count coverage for `./pkg/...`

pkg/client/client.go

@@ -176,8 +176,8 @@ func SignedJWTProfileAssertion(clientID string, audience []string, expiration ti
 		Issuer:    clientID,
 		Subject:   clientID,
 		Audience:  audience,
-		ExpiresAt: oidc.Time(exp),
-		IssuedAt:  oidc.Time(iat),
+		ExpiresAt: oidc.FromTime(exp),
+		IssuedAt:  oidc.FromTime(iat),
 	}, signer)
 }
 

pkg/client/integration_test.go

@@ -235,19 +235,19 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID,
 	}
 
 	var email string
-	redirect := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp rp.RelyingParty, info oidc.UserInfo) {
+	redirect := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, rp rp.RelyingParty, info *oidc.UserInfo) {
 		require.NotNil(t, tokens, "tokens")
 		require.NotNil(t, info, "info")
 		t.Log("access token", tokens.AccessToken)
 		t.Log("refresh token", tokens.RefreshToken)
 		t.Log("id token", tokens.IDToken)
-		t.Log("email", info.GetEmail())
+		t.Log("email", info.Email)
 
 		accessToken = tokens.AccessToken
 		refreshToken = tokens.RefreshToken
 		idToken = tokens.IDToken
-		email = info.GetEmail()
-		http.Redirect(w, r, targetURL, http.StatusFound)
+		email = info.Email
+		http.Redirect(w, r, targetURL, 302)
 	}
 	rp.CodeExchangeHandler(rp.UserinfoCallback(redirect), provider)(capturedW, get)
 
@@ -258,7 +258,6 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID,
 		}
 	}()
 	require.Less(t, capturedW.Code, 400, "token exchange response code")
-	require.Less(t, capturedW.Code, 400, "token exchange response code")
 
 	//nolint:bodyclose
 	resp = capturedW.Result()

pkg/client/rp/cli/cli.go

@@ -13,13 +13,13 @@ const (
 	loginPath = "/login"
 )
 
-func CodeFlow(ctx context.Context, relyingParty rp.RelyingParty, callbackPath, port string, stateProvider func() string) *oidc.Tokens {
+func CodeFlow[C oidc.IDClaims](ctx context.Context, relyingParty rp.RelyingParty, callbackPath, port string, stateProvider func() string) *oidc.Tokens[C] {
 	codeflowCtx, codeflowCancel := context.WithCancel(ctx)
 	defer codeflowCancel()
 
-	tokenChan := make(chan *oidc.Tokens, 1)
+	tokenChan := make(chan *oidc.Tokens[C], 1)
 
-	callback := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp rp.RelyingParty) {
+	callback := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, rp rp.RelyingParty) {
 		tokenChan <- tokens
 		msg := "<p><strong>Success!</strong></p>"
 		msg = msg + "<p>You are authenticated and can now return to the CLI.</p>"

pkg/client/rp/mock/generate.go

@@ -1,3 +0,0 @@
-package mock
-
-//go:generate mockgen -package mock -destination ./verifier.mock.go github.com/zitadel/oidc/v2/pkg/client/rp IDTokenVerifier

pkg/client/rp/mock/verifier.mock.go

@@ -1,163 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v2/pkg/client/rp (interfaces: IDTokenVerifier)
-
-// Package mock is a generated GoMock package.
-package mock
-
-import (
-	context "context"
-	reflect "reflect"
-	time "time"
-
-	gomock "github.com/golang/mock/gomock"
-	oidc "github.com/zitadel/oidc/v2/pkg/oidc"
-)
-
-// MockIDTokenVerifier is a mock of IDTokenVerifier interface.
-type MockIDTokenVerifier struct {
-	ctrl     *gomock.Controller
-	recorder *MockIDTokenVerifierMockRecorder
-}
-
-// MockIDTokenVerifierMockRecorder is the mock recorder for MockIDTokenVerifier.
-type MockIDTokenVerifierMockRecorder struct {
-	mock *MockIDTokenVerifier
-}
-
-// NewMockIDTokenVerifier creates a new mock instance.
-func NewMockIDTokenVerifier(ctrl *gomock.Controller) *MockIDTokenVerifier {
-	mock := &MockIDTokenVerifier{ctrl: ctrl}
-	mock.recorder = &MockIDTokenVerifierMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockIDTokenVerifier) EXPECT() *MockIDTokenVerifierMockRecorder {
-	return m.recorder
-}
-
-// ACR mocks base method.
-func (m *MockIDTokenVerifier) ACR() oidc.ACRVerifier {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ACR")
-	ret0, _ := ret[0].(oidc.ACRVerifier)
-	return ret0
-}
-
-// ACR indicates an expected call of ACR.
-func (mr *MockIDTokenVerifierMockRecorder) ACR() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ACR", reflect.TypeOf((*MockIDTokenVerifier)(nil).ACR))
-}
-
-// ClientID mocks base method.
-func (m *MockIDTokenVerifier) ClientID() string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ClientID")
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// ClientID indicates an expected call of ClientID.
-func (mr *MockIDTokenVerifierMockRecorder) ClientID() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClientID", reflect.TypeOf((*MockIDTokenVerifier)(nil).ClientID))
-}
-
-// Issuer mocks base method.
-func (m *MockIDTokenVerifier) Issuer() string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Issuer")
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// Issuer indicates an expected call of Issuer.
-func (mr *MockIDTokenVerifierMockRecorder) Issuer() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockIDTokenVerifier)(nil).Issuer))
-}
-
-// KeySet mocks base method.
-func (m *MockIDTokenVerifier) KeySet() oidc.KeySet {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "KeySet")
-	ret0, _ := ret[0].(oidc.KeySet)
-	return ret0
-}
-
-// KeySet indicates an expected call of KeySet.
-func (mr *MockIDTokenVerifierMockRecorder) KeySet() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeySet", reflect.TypeOf((*MockIDTokenVerifier)(nil).KeySet))
-}
-
-// MaxAge mocks base method.
-func (m *MockIDTokenVerifier) MaxAge() time.Duration {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MaxAge")
-	ret0, _ := ret[0].(time.Duration)
-	return ret0
-}
-
-// MaxAge indicates an expected call of MaxAge.
-func (mr *MockIDTokenVerifierMockRecorder) MaxAge() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MaxAge", reflect.TypeOf((*MockIDTokenVerifier)(nil).MaxAge))
-}
-
-// MaxAgeIAT mocks base method.
-func (m *MockIDTokenVerifier) MaxAgeIAT() time.Duration {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MaxAgeIAT")
-	ret0, _ := ret[0].(time.Duration)
-	return ret0
-}
-
-// MaxAgeIAT indicates an expected call of MaxAgeIAT.
-func (mr *MockIDTokenVerifierMockRecorder) MaxAgeIAT() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MaxAgeIAT", reflect.TypeOf((*MockIDTokenVerifier)(nil).MaxAgeIAT))
-}
-
-// Nonce mocks base method.
-func (m *MockIDTokenVerifier) Nonce(arg0 context.Context) string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Nonce", arg0)
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// Nonce indicates an expected call of Nonce.
-func (mr *MockIDTokenVerifierMockRecorder) Nonce(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Nonce", reflect.TypeOf((*MockIDTokenVerifier)(nil).Nonce), arg0)
-}
-
-// Offset mocks base method.
-func (m *MockIDTokenVerifier) Offset() time.Duration {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Offset")
-	ret0, _ := ret[0].(time.Duration)
-	return ret0
-}
-
-// Offset indicates an expected call of Offset.
-func (mr *MockIDTokenVerifierMockRecorder) Offset() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Offset", reflect.TypeOf((*MockIDTokenVerifier)(nil).Offset))
-}
-
-// SupportedSignAlgs mocks base method.
-func (m *MockIDTokenVerifier) SupportedSignAlgs() []string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SupportedSignAlgs")
-	ret0, _ := ret[0].([]string)
-	return ret0
-}
-
-// SupportedSignAlgs indicates an expected call of SupportedSignAlgs.
-func (mr *MockIDTokenVerifierMockRecorder) SupportedSignAlgs() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SupportedSignAlgs", reflect.TypeOf((*MockIDTokenVerifier)(nil).SupportedSignAlgs))
-}

pkg/client/rp/relying_party.go

@@ -373,7 +373,7 @@ func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (stri
 
 // CodeExchange handles the oauth2 code exchange, extracting and validating the id_token
 // returning it parsed together with the oauth2 tokens (access, refresh)
-func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens, err error) {
+func CodeExchange[C oidc.IDClaims](ctx context.Context, code string, rp RelyingParty, opts ...CodeExchangeOpt) (tokens *oidc.Tokens[C], err error) {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, rp.HttpClient())
 	codeOpts := make([]oauth2.AuthCodeOption, 0)
 	for _, opt := range opts {
@@ -386,7 +386,7 @@ func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...Cod
 	}
 
 	if rp.IsOAuth2Only() {
-		return &oidc.Tokens{Token: token}, nil
+		return &oidc.Tokens[C]{Token: token}, nil
 	}
 
 	idTokenString, ok := token.Extra(idTokenKey).(string)
@@ -394,20 +394,20 @@ func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...Cod
 		return nil, errors.New("id_token missing")
 	}
 
-	idToken, err := VerifyTokens(ctx, token.AccessToken, idTokenString, rp.IDTokenVerifier())
+	idToken, err := VerifyTokens[C](ctx, token.AccessToken, idTokenString, rp.IDTokenVerifier())
 	if err != nil {
 		return nil, err
 	}
 
-	return &oidc.Tokens{Token: token, IDTokenClaims: idToken, IDToken: idTokenString}, nil
+	return &oidc.Tokens[C]{Token: token, IDTokenClaims: idToken, IDToken: idTokenString}, nil
 }
 
-type CodeExchangeCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty)
+type CodeExchangeCallback[C oidc.IDClaims] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, rp RelyingParty)
 
 // CodeExchangeHandler extends the `CodeExchange` method with a http handler
 // including cookie handling for secure `state` transfer
 // and optional PKCE code verifier checking
-func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.HandlerFunc {
+func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp RelyingParty) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		state, err := tryReadStateCookie(w, r, rp)
 		if err != nil {
@@ -436,7 +436,7 @@ func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.Ha
 			}
 			codeOpts = append(codeOpts, WithClientAssertionJWT(assertion))
 		}
-		tokens, err := CodeExchange(r.Context(), params.Get("code"), rp, codeOpts...)
+		tokens, err := CodeExchange[C](r.Context(), params.Get("code"), rp, codeOpts...)
 		if err != nil {
 			http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
 			return
@@ -445,13 +445,13 @@ func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.Ha
 	}
 }
 
-type CodeExchangeUserinfoCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, provider RelyingParty, info oidc.UserInfo)
+type CodeExchangeUserinfoCallback[C oidc.IDClaims] func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, provider RelyingParty, info *oidc.UserInfo)
 
 // UserinfoCallback wraps the callback function of the CodeExchangeHandler
 // and calls the userinfo endpoint with the access token
 // on success it will pass the userinfo into its callback function as well
-func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
-	return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty) {
+func UserinfoCallback[C oidc.IDClaims](f CodeExchangeUserinfoCallback[C]) CodeExchangeCallback[C] {
+	return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[C], state string, rp RelyingParty) {
 		info, err := Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.GetSubject(), rp)
 		if err != nil {
 			http.Error(w, "userinfo failed: "+err.Error(), http.StatusUnauthorized)
@@ -462,17 +462,17 @@ func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
 }
 
 // Userinfo will call the OIDC Userinfo Endpoint with the provided token
-func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo, error) {
+func Userinfo(token, tokenType, subject string, rp RelyingParty) (*oidc.UserInfo, error) {
 	req, err := http.NewRequest("GET", rp.UserinfoEndpoint(), nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("authorization", tokenType+" "+token)
-	userinfo := oidc.NewUserInfo()
+	userinfo := new(oidc.UserInfo)
 	if err := httphelper.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
 		return nil, err
 	}
-	if userinfo.GetSubject() != subject {
+	if userinfo.Subject != subject {
 		return nil, ErrUserInfoSubNotMatching
 	}
 	return userinfo, nil

pkg/client/rp/verifier.go

@@ -21,69 +21,71 @@ type IDTokenVerifier interface {
 
 // VerifyTokens implement the Token Response Validation as defined in OIDC specification
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponseValidation
-func VerifyTokens(ctx context.Context, accessToken, idTokenString string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
-	idToken, err := VerifyIDToken(ctx, idTokenString, v)
+func VerifyTokens[C oidc.IDClaims](ctx context.Context, accessToken, idToken string, v IDTokenVerifier) (claims C, err error) {
+	var nilClaims C
+
+	claims, err = VerifyIDToken[C](ctx, idToken, v)
 	if err != nil {
-		return nil, err
+		return nilClaims, err
 	}
-	if err := VerifyAccessToken(accessToken, idToken.GetAccessTokenHash(), idToken.GetSignatureAlgorithm()); err != nil {
-		return nil, err
+	if err := VerifyAccessToken(accessToken, claims.GetAccessTokenHash(), claims.GetSignatureAlgorithm()); err != nil {
+		return nilClaims, err
 	}
-	return idToken, nil
+	return claims, nil
 }
 
 // VerifyIDToken validates the id token according to
 // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
-func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (oidc.IDTokenClaims, error) {
-	claims := oidc.EmptyIDTokenClaims()
+func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v IDTokenVerifier) (claims C, err error) {
+	var nilClaims C
 
 	decrypted, err := oidc.DecryptToken(token)
 	if err != nil {
-		return nil, err
+		return nilClaims, err
 	}
-	payload, err := oidc.ParseToken(decrypted, claims)
+	payload, err := oidc.ParseToken(decrypted, &claims)
 	if err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err := oidc.CheckSubject(claims); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckIssuer(claims, v.Issuer()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckAudience(claims, v.ClientID()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckAuthorizedParty(claims, v.ClientID()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs(), v.KeySet()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckExpiration(claims, v.Offset()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckIssuedAt(claims, v.MaxAgeIAT(), v.Offset()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckNonce(claims, v.Nonce(ctx)); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckAuthorizationContextClassReference(claims, v.ACR()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 
 	if err = oidc.CheckAuthTime(claims, v.MaxAge()); err != nil {
-		return nil, err
+		return nilClaims, err
 	}
 	return claims, nil
 }
@@ -112,7 +114,7 @@ func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...
 		issuer:   issuer,
 		clientID: clientID,
 		keySet:   keySet,
-		offset:   1 * time.Second,
+		offset:   time.Second,
 		nonce: func(_ context.Context) string {
 			return ""
 		},
@@ -139,7 +141,7 @@ func WithIssuedAtOffset(offset time.Duration) func(*idTokenVerifier) {
 // WithIssuedAtMaxAge provides the ability to define the maximum duration between iat and now
 func WithIssuedAtMaxAge(maxAge time.Duration) func(*idTokenVerifier) {
 	return func(v *idTokenVerifier) {
-		v.maxAge = maxAge
+		v.maxAgeIAT = maxAge
 	}
 }
 

pkg/client/rp/verifier_test.go

@@ -0,0 +1,339 @@
+package rp
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v2/internal/testutil"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"gopkg.in/square/go-jose.v2"
+)
+
+func TestVerifyTokens(t *testing.T) {
+	verifier := &idTokenVerifier{
+		issuer:            tu.ValidIssuer,
+		maxAgeIAT:         2 * time.Minute,
+		offset:            time.Second,
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
+		keySet:            tu.KeySet{},
+		maxAge:            2 * time.Minute,
+		acr:               tu.ACRVerify,
+		nonce:             func(context.Context) string { return tu.ValidNonce },
+		clientID:          tu.ValidClientID,
+	}
+	accessToken, _ := tu.ValidAccessToken()
+	atHash, err := oidc.ClaimHash(accessToken, tu.SignatureAlgorithm)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name          string
+		accessToken   string
+		idTokenClaims func() (string, *oidc.IDTokenClaims)
+		wantErr       bool
+	}{
+		{
+			name:          "without access token",
+			idTokenClaims: tu.ValidIDToken,
+		},
+		{
+			name:        "with access token",
+			accessToken: accessToken,
+			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash,
+				)
+			},
+		},
+		{
+			name:        "expired id token",
+			accessToken: accessToken,
+			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, atHash,
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:        "wrong access token",
+			accessToken: accessToken,
+			idTokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "~~~",
+				)
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			idToken, want := tt.idTokenClaims()
+			got, err := VerifyTokens[*oidc.IDTokenClaims](context.Background(), tt.accessToken, idToken, verifier)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Nil(t, got)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			assert.Equal(t, got, want)
+		})
+	}
+}
+
+func TestVerifyIDToken(t *testing.T) {
+	verifier := &idTokenVerifier{
+		issuer:            tu.ValidIssuer,
+		maxAgeIAT:         2 * time.Minute,
+		offset:            time.Second,
+		supportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
+		keySet:            tu.KeySet{},
+		maxAge:            2 * time.Minute,
+		acr:               tu.ACRVerify,
+		nonce:             func(context.Context) string { return tu.ValidNonce },
+	}
+
+	tests := []struct {
+		name        string
+		clientID    string
+		tokenClaims func() (string, *oidc.IDTokenClaims)
+		wantErr     bool
+	}{
+		{
+			name:        "success",
+			clientID:    tu.ValidClientID,
+			tokenClaims: tu.ValidIDToken,
+		},
+		{
+			name:        "parse err",
+			clientID:    tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) { return "~~~~", nil },
+			wantErr:     true,
+		},
+		{
+			name:        "invalid signature",
+			clientID:    tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) { return tu.InvalidSignatureToken, nil },
+			wantErr:     true,
+		},
+		{
+			name:     "empty subject",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, "", tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:     "wrong issuer",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					"foo", tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:        "wrong clientID",
+			clientID:    "foo",
+			tokenClaims: tu.ValidIDToken,
+			wantErr:     true,
+		},
+		{
+			name:     "expired",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:     "wrong IAT",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:     "wrong acr",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					"else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:     "expired auth",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime.Add(-time.Hour), tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+		{
+			name:     "wrong nonce",
+			clientID: tu.ValidClientID,
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, "foo",
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			token, want := tt.tokenClaims()
+			verifier.clientID = tt.clientID
+			got, err := VerifyIDToken[*oidc.IDTokenClaims](context.Background(), token, verifier)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Nil(t, got)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			assert.Equal(t, got, want)
+		})
+	}
+}
+
+func TestVerifyAccessToken(t *testing.T) {
+	token, _ := tu.ValidAccessToken()
+	hash, err := oidc.ClaimHash(token, tu.SignatureAlgorithm)
+	require.NoError(t, err)
+
+	type args struct {
+		accessToken  string
+		atHash       string
+		sigAlgorithm jose.SignatureAlgorithm
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "empty hash",
+		},
+		{
+			name: "success",
+			args: args{
+				accessToken:  token,
+				atHash:       hash,
+				sigAlgorithm: tu.SignatureAlgorithm,
+			},
+		},
+		{
+			name: "invalid algorithm",
+			args: args{
+				accessToken:  token,
+				atHash:       hash,
+				sigAlgorithm: "foo",
+			},
+			wantErr: true,
+		},
+		{
+			name: "mismatch",
+			args: args{
+				accessToken:  token,
+				atHash:       "~~",
+				sigAlgorithm: tu.SignatureAlgorithm,
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := VerifyAccessToken(tt.args.accessToken, tt.args.atHash, tt.args.sigAlgorithm)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestNewIDTokenVerifier(t *testing.T) {
+	type args struct {
+		issuer   string
+		clientID string
+		keySet   oidc.KeySet
+		options  []VerifierOption
+	}
+	tests := []struct {
+		name string
+		args args
+		want IDTokenVerifier
+	}{
+		{
+			name: "nil nonce", // otherwise assert.Equal will fail on the function
+			args: args{
+				issuer:   tu.ValidIssuer,
+				clientID: tu.ValidClientID,
+				keySet:   tu.KeySet{},
+				options: []VerifierOption{
+					WithIssuedAtOffset(time.Minute),
+					WithIssuedAtMaxAge(time.Hour),
+					WithNonce(nil), // otherwise assert.Equal will fail on the function
+					WithACRVerifier(nil),
+					WithAuthTimeMaxAge(2 * time.Hour),
+					WithSupportedSigningAlgorithms("ABC", "DEF"),
+				},
+			},
+			want: &idTokenVerifier{
+				issuer:            tu.ValidIssuer,
+				offset:            time.Minute,
+				maxAgeIAT:         time.Hour,
+				clientID:          tu.ValidClientID,
+				keySet:            tu.KeySet{},
+				nonce:             nil,
+				acr:               nil,
+				maxAge:            2 * time.Hour,
+				supportedSignAlgs: []string{"ABC", "DEF"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := NewIDTokenVerifier(tt.args.issuer, tt.args.clientID, tt.args.keySet, tt.args.options...)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/client/rp/verifier_tokens_example_test.go

@@ -0,0 +1,86 @@
+package rp_test
+
+import (
+	"context"
+	"fmt"
+
+	tu "github.com/zitadel/oidc/v2/internal/testutil"
+	"github.com/zitadel/oidc/v2/pkg/client/rp"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+)
+
+// MyCustomClaims extends the TokenClaims base,
+// so it implmeents the oidc.Claims interface.
+// Instead of carrying a map, we add needed fields// to the struct for type safe access.
+type MyCustomClaims struct {
+	oidc.TokenClaims
+	NotBefore       oidc.Time `json:"nbf,omitempty"`
+	AccessTokenHash string    `json:"at_hash,omitempty"`
+	Foo             string    `json:"foo,omitempty"`
+	Bar             *Nested   `json:"bar,omitempty"`
+}
+
+// GetAccessTokenHash is required to implement
+// the oidc.IDClaims interface.
+func (c *MyCustomClaims) GetAccessTokenHash() string {
+	return c.AccessTokenHash
+}
+
+// Nested struct types are also possible.
+type Nested struct {
+	Count int      `json:"count,omitempty"`
+	Tags  []string `json:"tags,omitempty"`
+}
+
+/*
+idToken carries the following claims. foo and bar are custom claims
+
+	{
+		"acr": "something",
+		"amr": [
+			"foo",
+			"bar"
+		],
+		"at_hash": "2dzbm_vIxy-7eRtqUIGPPw",
+		"aud": [
+			"unit",
+			"test",
+			"555666"
+		],
+		"auth_time": 1678100961,
+		"azp": "555666",
+		"bar": {
+			"count": 22,
+			"tags": [
+				"some",
+				"tags"
+			]
+		},
+		"client_id": "555666",
+		"exp": 4802238682,
+		"foo": "Hello, World!",
+		"iat": 1678101021,
+		"iss": "local.com",
+		"jti": "9876",
+		"nbf": 1678101021,
+		"nonce": "12345",
+		"sub": "tim@local.com"
+	}
+*/
+const idToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhY3IiOiJzb21ldGhpbmciLCJhbXIiOlsiZm9vIiwiYmFyIl0sImF0X2hhc2giOiIyZHpibV92SXh5LTdlUnRxVUlHUFB3IiwiYXVkIjpbInVuaXQiLCJ0ZXN0IiwiNTU1NjY2Il0sImF1dGhfdGltZSI6MTY3ODEwMDk2MSwiYXpwIjoiNTU1NjY2IiwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiY2xpZW50X2lkIjoiNTU1NjY2IiwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJub25jZSI6IjEyMzQ1Iiwic3ViIjoidGltQGxvY2FsLmNvbSJ9.t3GXSfVNNwiW1Suv9_84v0sdn2_-RWHVxhphhRozDXnsO7SDNOlGnEioemXABESxSzMclM7gB7mYy5Qah2ZUNx7eP5t2njoxEYfavgHwx7UJZ2NCg8NDPQyr-hlxelEcfdXK-I0oTd-FRDvF4rqPkD9Us52IpnplChCxnHFgh4wKwPqZZjv2IXVCtn0ilKW3hff1rMOYKEuLRcN2YP0gkyuqyHvcf2dMmjod0t4sLOTJ82rsCbMBC5CLpqv3nIC9HOGITkt1Kd-Am0n1LrdZvWwTo6RFe8AnzF0gpqjcB5Wg4Qeh58DIjZOz4f_8wnmJ_gCqyRh5vfSW4XHdbum0Tw`
+const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.Zrz3LWSRjCMJZUMaI5dUbW4vGdSmEeJQ3ouhaX0bcW9rdFFLgBI4K2FWJhNivq8JDmCGSxwLu3mI680GWmDaEoAx1M5sCO9lqfIZHGZh-lfAXk27e6FPLlkTDBq8Bx4o4DJ9Fw0hRJGjUTjnYv5cq1vo2-UqldasL6CwTbkzNC_4oQFfRtuodC4Ql7dZ1HRv5LXuYx7KPkOssLZtV9cwtJp5nFzKjcf2zEE_tlbjcpynMwypornRUp1EhCWKRUGkJhJeiP71ECY5pQhShfjBu9Nc5wDpSnZmnk2S4YsPrRK3QkE-iEkas8BfsOCrGoErHjEJexAIDjasGO5PFLWfCA`
+
+func ExampleVerifyTokens_customClaims() {
+	v := rp.NewIDTokenVerifier("local.com", "555666", tu.KeySet{},
+		rp.WithNonce(func(ctx context.Context) string { return "12345" }),
+	)
+
+	// VerifyAccessToken can be called with the *MyCustomClaims.
+	claims, err := rp.VerifyTokens[*MyCustomClaims](context.TODO(), accessToken, idToken, v)
+	if err != nil {
+		panic(err)
+	}
+	// Here we have typesafe access to the custom claims
+	fmt.Println(claims.Foo, claims.Bar.Count, claims.Bar.Tags)
+	// Output: Hello, World! 22 [some tags]
+}

pkg/client/rs/resource_server.go

@@ -112,7 +112,7 @@ func WithStaticEndpoints(tokenURL, introspectURL string) Option {
 	}
 }
 
-func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.IntrospectionResponse, error) {
+func Introspect(ctx context.Context, rp ResourceServer, token string) (*oidc.IntrospectionResponse, error) {
 	authFn, err := rp.AuthFn()
 	if err != nil {
 		return nil, err
@@ -121,7 +121,7 @@ func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.Intr
 	if err != nil {
 		return nil, err
 	}
-	resp := oidc.NewIntrospectionResponse()
+	resp := new(oidc.IntrospectionResponse)
 	if err := httphelper.HttpRequest(rp.HttpClient(), req, resp); err != nil {
 		return nil, err
 	}