feat: Token Revocation, Request Object and OP Certification (#130)

FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)

pkg/oidc/discovery.go

@@ -9,49 +9,144 @@ const (
 )
 
 type DiscoveryConfiguration struct {
-	Issuer                                             string                `json:"issuer,omitempty"`
-	AuthorizationEndpoint                              string                `json:"authorization_endpoint,omitempty"`
-	TokenEndpoint                                      string                `json:"token_endpoint,omitempty"`
-	IntrospectionEndpoint                              string                `json:"introspection_endpoint,omitempty"`
-	UserinfoEndpoint                                   string                `json:"userinfo_endpoint,omitempty"`
-	RevocationEndpoint                                 string                `json:"revocation_endpoint,omitempty"`
-	EndSessionEndpoint                                 string                `json:"end_session_endpoint,omitempty"`
-	CheckSessionIframe                                 string                `json:"check_session_iframe,omitempty"`
-	JwksURI                                            string                `json:"jwks_uri,omitempty"`
-	ScopesSupported                                    []string              `json:"scopes_supported,omitempty"`
-	ResponseTypesSupported                             []string              `json:"response_types_supported,omitempty"`
-	ResponseModesSupported                             []string              `json:"response_modes_supported,omitempty"`
-	GrantTypesSupported                                []GrantType           `json:"grant_types_supported,omitempty"`
-	ACRValuesSupported                                 []string              `json:"acr_values_supported,omitempty"`
-	SubjectTypesSupported                              []string              `json:"subject_types_supported,omitempty"`
-	IDTokenSigningAlgValuesSupported                   []string              `json:"id_token_signing_alg_values_supported,omitempty"`
-	IDTokenEncryptionAlgValuesSupported                []string              `json:"id_token_encryption_alg_values_supported,omitempty"`
-	IDTokenEncryptionEncValuesSupported                []string              `json:"id_token_encryption_enc_values_supported,omitempty"`
-	UserinfoSigningAlgValuesSupported                  []string              `json:"userinfo_signing_alg_values_supported,omitempty"`
-	UserinfoEncryptionAlgValuesSupported               []string              `json:"userinfo_encryption_alg_values_supported,omitempty"`
-	UserinfoEncryptionEncValuesSupported               []string              `json:"userinfo_encryption_enc_values_supported,omitempty"`
-	RequestObjectSigningAlgValuesSupported             []string              `json:"request_object_signing_alg_values_supported,omitempty"`
-	RequestObjectEncryptionAlgValuesSupported          []string              `json:"request_object_encryption_alg_values_supported,omitempty"`
-	RequestObjectEncryptionEncValuesSupported          []string              `json:"request_object_encryption_enc_values_supported,omitempty"`
-	TokenEndpointAuthMethodsSupported                  []AuthMethod          `json:"token_endpoint_auth_methods_supported,omitempty"`
-	TokenEndpointAuthSigningAlgValuesSupported         []string              `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
-	RevocationEndpointAuthMethodsSupported             []AuthMethod          `json:"revocation_endpoint_auth_methods_supported,omitempty"`
-	RevocationEndpointAuthSigningAlgValuesSupported    []string              `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
-	IntrospectionEndpointAuthMethodsSupported          []AuthMethod          `json:"introspection_endpoint_auth_methods_supported,omitempty"`
-	IntrospectionEndpointAuthSigningAlgValuesSupported []string              `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
-	DisplayValuesSupported                             []Display             `json:"display_values_supported,omitempty"`
-	ClaimTypesSupported                                []string              `json:"claim_types_supported,omitempty"`
-	ClaimsSupported                                    []string              `json:"claims_supported,omitempty"`
-	ClaimsParameterSupported                           bool                  `json:"claims_parameter_supported,omitempty"`
-	CodeChallengeMethodsSupported                      []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
-	ServiceDocumentation                               string                `json:"service_documentation,omitempty"`
-	ClaimsLocalesSupported                             []language.Tag        `json:"claims_locales_supported,omitempty"`
-	UILocalesSupported                                 []language.Tag        `json:"ui_locales_supported,omitempty"`
-	RequestParameterSupported                          bool                  `json:"request_parameter_supported,omitempty"`
-	RequestURIParameterSupported                       bool                  `json:"request_uri_parameter_supported"` //no omitempty because: If omitted, the default value is true
-	RequireRequestURIRegistration                      bool                  `json:"require_request_uri_registration,omitempty"`
-	OPPolicyURI                                        string                `json:"op_policy_uri,omitempty"`
-	OPTermsOfServiceURI                                string                `json:"op_tos_uri,omitempty"`
+	//Issuer is the identifier of the OP and is used in the tokens as `iss` claim.
+	Issuer string `json:"issuer,omitempty"`
+
+	//AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
+	AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
+
+	//TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
+	TokenEndpoint string `json:"token_endpoint,omitempty"`
+
+	//IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
+	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
+
+	//UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo.
+	UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"`
+
+	//RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
+	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
+
+	//EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
+	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
+
+	//CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
+	CheckSessionIframe string `json:"check_session_iframe,omitempty"`
+
+	//JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
+	//It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP.
+	JwksURI string `json:"jwks_uri,omitempty"`
+
+	//RegistrationEndpoint is the URL for the Dynamic Client Registration.
+	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
+
+	//ScopesSupported lists an array of supported scopes. This list must not include every supported scope by the OP.
+	ScopesSupported []string `json:"scopes_supported,omitempty"`
+
+	//ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...).
+	ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
+
+	//ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"].
+	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
+
+	//GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"].
+	GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"`
+
+	//ACRValuesSupported contains a list of Authentication Context Class References that the OP supports.
+	ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
+
+	//SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public).
+	SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
+
+	//IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token.
+	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
+
+	//IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token.
+	IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"`
+
+	//IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token.
+	IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"`
+
+	//UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint.
+	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"`
+
+	//UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint.
+	UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
+
+	//UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint.
+	UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
+
+	//RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects.
+	//These algorithms are used both then the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
+	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"`
+
+	//RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects.
+	//These algorithms are used both when the Request Object is passed by value and by reference.
+	RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"`
+
+	//RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects.
+	//These algorithms are used both when the Request Object is passed by value and by reference.
+	RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"`
+
+	//TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic.
+	TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"`
+
+	//TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint
+	//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
+	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+	//RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic.
+	RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"`
+
+	//RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
+	//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
+	RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+	//IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint.
+	IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"`
+
+	//IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint
+	//for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt.
+	IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+	//DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap).
+	DisplayValuesSupported []Display `json:"display_values_supported,omitempty"`
+
+	//ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims.
+	ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
+
+	//ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive.
+	ClaimsSupported []string `json:"claims_supported,omitempty"`
+
+	//ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false.
+	ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
+
+	//CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP.
+	CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
+
+	//ServiceDocumentation is a URL where developers can get information about the OP and its usage.
+	ServiceDocumentation string `json:"service_documentation,omitempty"`
+
+	//ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned.
+	ClaimsLocalesSupported []language.Tag `json:"claims_locales_supported,omitempty"`
+
+	//UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface.
+	UILocalesSupported []language.Tag `json:"ui_locales_supported,omitempty"`
+
+	//RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false.
+	RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
+
+	//RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true. (therefore no omitempty)
+	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`
+
+	//RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false.
+	RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
+
+	//OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP.
+	OPPolicyURI string `json:"op_policy_uri,omitempty"`
+
+	//OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
+	OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"`
 }
 
 type AuthMethod string