feat: Token Revocation, Request Object and OP Certification (#130)

FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)

pkg/client/client.go

@@ -10,12 +10,13 @@ import (
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2"
 
+	"github.com/caos/oidc/pkg/crypto"
+	httphelper "github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/utils"
 )
 
 var (
-	Encoder = func() utils.Encoder {
+	Encoder = func() httphelper.Encoder {
 		e := schema.NewEncoder()
 		e.RegisterEncoder(oidc.SpaceDelimitedArray{}, func(value reflect.Value) string {
 			return value.Interface().(oidc.SpaceDelimitedArray).Encode()
@@ -32,7 +33,7 @@ func Discover(issuer string, httpClient *http.Client) (*oidc.DiscoveryConfigurat
 		return nil, err
 	}
 	discoveryConfig := new(oidc.DiscoveryConfiguration)
-	err = utils.HttpRequest(httpClient, req, &discoveryConfig)
+	err = httphelper.HttpRequest(httpClient, req, &discoveryConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -52,12 +53,12 @@ func CallTokenEndpoint(request interface{}, caller tokenEndpointCaller) (newToke
 }
 
 func callTokenEndpoint(request interface{}, authFn interface{}, caller tokenEndpointCaller) (newToken *oauth2.Token, err error) {
-	req, err := utils.FormRequest(caller.TokenEndpoint(), request, Encoder, authFn)
+	req, err := httphelper.FormRequest(caller.TokenEndpoint(), request, Encoder, authFn)
 	if err != nil {
 		return nil, err
 	}
 	tokenRes := new(oidc.AccessTokenResponse)
-	if err := utils.HttpRequest(caller.HttpClient(), req, &tokenRes); err != nil {
+	if err := httphelper.HttpRequest(caller.HttpClient(), req, &tokenRes); err != nil {
 		return nil, err
 	}
 	return &oauth2.Token{
@@ -69,7 +70,7 @@ func callTokenEndpoint(request interface{}, authFn interface{}, caller tokenEndp
 }
 
 func NewSignerFromPrivateKeyByte(key []byte, keyID string) (jose.Signer, error) {
-	privateKey, err := utils.BytesToPrivateKey(key)
+	privateKey, err := crypto.BytesToPrivateKey(key)
 	if err != nil {
 		return nil, err
 	}
@@ -83,7 +84,7 @@ func NewSignerFromPrivateKeyByte(key []byte, keyID string) (jose.Signer, error)
 func SignedJWTProfileAssertion(clientID string, audience []string, expiration time.Duration, signer jose.Signer) (string, error) {
 	iat := time.Now()
 	exp := iat.Add(expiration)
-	return utils.Sign(&oidc.JWTTokenRequest{
+	return crypto.Sign(&oidc.JWTTokenRequest{
 		Issuer:    clientID,
 		Subject:   clientID,
 		Audience:  audience,

pkg/client/jwt_profile.go

@@ -1,17 +1,16 @@
 package client
 
 import (
-	"context"
 	"net/url"
 
 	"golang.org/x/oauth2"
 
+	"github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/utils"
 )
 
 //JWTProfileExchange handles the oauth2 jwt profile exchange
-func JWTProfileExchange(ctx context.Context, jwtProfileGrantRequest *oidc.JWTProfileGrantRequest, caller tokenEndpointCaller) (*oauth2.Token, error) {
+func JWTProfileExchange(jwtProfileGrantRequest *oidc.JWTProfileGrantRequest, caller tokenEndpointCaller) (*oauth2.Token, error) {
 	return CallTokenEndpoint(jwtProfileGrantRequest, caller)
 }
 
@@ -22,7 +21,7 @@ func ClientAssertionCodeOptions(assertion string) []oauth2.AuthCodeOption {
 	}
 }
 
-func ClientAssertionFormAuthorization(assertion string) utils.FormAuthorization {
+func ClientAssertionFormAuthorization(assertion string) http.FormAuthorization {
 	return func(values url.Values) {
 		values.Set("client_assertion", assertion)
 		values.Set("client_assertion_type", oidc.ClientAssertionTypeJWTAssertion)

pkg/client/profile/jwt_profile.go

@@ -89,5 +89,5 @@ func (j *jwtProfileTokenSource) Token() (*oauth2.Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	return client.JWTProfileExchange(nil, oidc.NewJWTProfileGrantRequest(assertion, j.scopes...), j)
+	return client.JWTProfileExchange(oidc.NewJWTProfileGrantRequest(assertion, j.scopes...), j)
 }

pkg/client/rp/cli/browser.go

@@ -0,0 +1,26 @@
+package cli
+
+import (
+	"fmt"
+	"log"
+	"os/exec"
+	"runtime"
+)
+
+func OpenBrowser(url string) {
+	var err error
+
+	switch runtime.GOOS {
+	case "linux":
+		err = exec.Command("xdg-open", url).Start()
+	case "windows":
+		err = exec.Command("rundll32", "url.dll,FileProtocolHandler", url).Start()
+	case "darwin":
+		err = exec.Command("open", url).Start()
+	default:
+		err = fmt.Errorf("unsupported platform")
+	}
+	if err != nil {
+		log.Fatal(err)
+	}
+}

pkg/client/rp/cli/cli.go

@@ -5,8 +5,8 @@ import (
 	"net/http"
 
 	"github.com/caos/oidc/pkg/client/rp"
+	httphelper "github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/utils"
 )
 
 const (
@@ -28,9 +28,9 @@ func CodeFlow(ctx context.Context, relyingParty rp.RelyingParty, callbackPath, p
 	http.Handle(loginPath, rp.AuthURLHandler(stateProvider, relyingParty))
 	http.Handle(callbackPath, rp.CodeExchangeHandler(callback, relyingParty))
 
-	utils.StartServer(codeflowCtx, ":"+port)
+	httphelper.StartServer(codeflowCtx, ":"+port)
 
-	utils.OpenBrowser("http://localhost:" + port + loginPath)
+	OpenBrowser("http://localhost:" + port + loginPath)
 
 	return <-tokenChan
 }

pkg/client/rp/delegation.go

@@ -5,8 +5,8 @@ import (
 )
 
 //DelegationTokenRequest is an implementation of TokenExchangeRequest
-//it exchanges a "urn:ietf:params:oauth:token-type:access_token" with an optional
-//"urn:ietf:params:oauth:token-type:access_token" actor token for a
+//it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
+//"urn:ietf:params:oauth:token-type:access_token" actor token for an
 //"urn:ietf:params:oauth:token-type:access_token" delegation token
 func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest {
 	return tokenexchange.NewTokenExchangeRequest(subjectToken, tokenexchange.AccessTokenType, opts...)

pkg/client/rp/jwks.go

@@ -7,9 +7,9 @@ import (
 	"net/http"
 	"sync"
 
-	"github.com/caos/oidc/pkg/utils"
 	"gopkg.in/square/go-jose.v2"
 
+	httphelper "github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
 )
 
@@ -207,7 +207,7 @@ func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey,
 	}
 
 	keySet := new(jsonWebKeySet)
-	if err = utils.HttpRequest(r.httpClient, req, keySet); err != nil {
+	if err = httphelper.HttpRequest(r.httpClient, req, keySet); err != nil {
 		return nil, fmt.Errorf("oidc: failed to get keys: %v", err)
 	}
 	return keySet.Keys, nil

pkg/client/rp/relaying_party.go

@@ -13,8 +13,8 @@ import (
 	"gopkg.in/square/go-jose.v2"
 
 	"github.com/caos/oidc/pkg/client"
+	httphelper "github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/utils"
 )
 
 const (
@@ -39,7 +39,7 @@ type RelyingParty interface {
 	IsPKCE() bool
 
 	//CookieHandler returns a http cookie handler used for various state transfer cookies
-	CookieHandler() *utils.CookieHandler
+	CookieHandler() *httphelper.CookieHandler
 
 	//HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
 	HttpClient() *http.Client
@@ -76,7 +76,7 @@ type relyingParty struct {
 	pkce        bool
 
 	httpClient    *http.Client
-	cookieHandler *utils.CookieHandler
+	cookieHandler *httphelper.CookieHandler
 
 	errorHandler    func(http.ResponseWriter, *http.Request, string, string, string)
 	idTokenVerifier IDTokenVerifier
@@ -96,7 +96,7 @@ func (rp *relyingParty) IsPKCE() bool {
 	return rp.pkce
 }
 
-func (rp *relyingParty) CookieHandler() *utils.CookieHandler {
+func (rp *relyingParty) CookieHandler() *httphelper.CookieHandler {
 	return rp.cookieHandler
 }
 
@@ -136,7 +136,7 @@ func (rp *relyingParty) ErrorHandler() func(http.ResponseWriter, *http.Request,
 func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error) {
 	rp := &relyingParty{
 		oauthConfig: config,
-		httpClient:  utils.DefaultHTTPClient,
+		httpClient:  httphelper.DefaultHTTPClient,
 		oauth2Only:  true,
 	}
 
@@ -161,7 +161,7 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
 			RedirectURL:  redirectURI,
 			Scopes:       scopes,
 		},
-		httpClient: utils.DefaultHTTPClient,
+		httpClient: httphelper.DefaultHTTPClient,
 		oauth2Only: false,
 	}
 
@@ -181,11 +181,11 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
 	return rp, nil
 }
 
-//Option is the type for providing dynamic options to the DefaultRP
+//Option is the type for providing dynamic options to the relyingParty
 type Option func(*relyingParty) error
 
 //WithCookieHandler set a `CookieHandler` for securing the various redirects
-func WithCookieHandler(cookieHandler *utils.CookieHandler) Option {
+func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
 	return func(rp *relyingParty) error {
 		rp.cookieHandler = cookieHandler
 		return nil
@@ -195,7 +195,7 @@ func WithCookieHandler(cookieHandler *utils.CookieHandler) Option {
 //WithPKCE sets the RP to use PKCE (oauth2 code challenge)
 //it also sets a `CookieHandler` for securing the various redirects
 //and exchanging the code challenge
-func WithPKCE(cookieHandler *utils.CookieHandler) Option {
+func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
 	return func(rp *relyingParty) error {
 		rp.pkce = true
 		rp.cookieHandler = cookieHandler
@@ -246,7 +246,7 @@ func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
 		return Endpoints{}, err
 	}
 	discoveryConfig := new(oidc.DiscoveryConfiguration)
-	err = utils.HttpRequest(httpClient, req, &discoveryConfig)
+	err = httphelper.HttpRequest(httpClient, req, &discoveryConfig)
 	if err != nil {
 		return Endpoints{}, err
 	}
@@ -395,7 +395,7 @@ func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo,
 	}
 	req.Header.Set("authorization", tokenType+" "+token)
 	userinfo := oidc.NewUserInfo()
-	if err := utils.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
+	if err := httphelper.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
 		return nil, err
 	}
 	if userinfo.GetSubject() != subject {

pkg/client/rs/resource_server.go

@@ -7,8 +7,8 @@ import (
 	"time"
 
 	"github.com/caos/oidc/pkg/client"
+	httphelper "github.com/caos/oidc/pkg/http"
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/utils"
 )
 
 type ResourceServer interface {
@@ -39,7 +39,7 @@ func (r *resourceServer) AuthFn() (interface{}, error) {
 
 func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
 	authorizer := func() (interface{}, error) {
-		return utils.AuthorizeBasic(clientID, clientSecret), nil
+		return httphelper.AuthorizeBasic(clientID, clientSecret), nil
 	}
 	return newResourceServer(issuer, authorizer, option...)
 }
@@ -61,7 +61,7 @@ func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, opt
 func newResourceServer(issuer string, authorizer func() (interface{}, error), options ...Option) (*resourceServer, error) {
 	rs := &resourceServer{
 		issuer:     issuer,
-		httpClient: utils.DefaultHTTPClient,
+		httpClient: httphelper.DefaultHTTPClient,
 	}
 	for _, optFunc := range options {
 		optFunc(rs)
@@ -111,12 +111,12 @@ func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.Intr
 	if err != nil {
 		return nil, err
 	}
-	req, err := utils.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
+	req, err := httphelper.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
 	if err != nil {
 		return nil, err
 	}
 	resp := oidc.NewIntrospectionResponse()
-	if err := utils.HttpRequest(rp.HttpClient(), req, resp); err != nil {
+	if err := httphelper.HttpRequest(rp.HttpClient(), req, resp); err != nil {
 		return nil, err
 	}
 	return resp, nil