feat: Token Revocation, Request Object and OP Certification (#130)

FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)

pkg/op/token_revocation.go

@@ -0,0 +1,136 @@
+package op
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"strings"
+
+	httphelper "github.com/caos/oidc/pkg/http"
+	"github.com/caos/oidc/pkg/oidc"
+)
+
+type Revoker interface {
+	Decoder() httphelper.Decoder
+	Crypto() Crypto
+	Storage() Storage
+	AccessTokenVerifier() AccessTokenVerifier
+	AuthMethodPrivateKeyJWTSupported() bool
+	AuthMethodPostSupported() bool
+}
+
+type RevokerJWTProfile interface {
+	Revoker
+	JWTProfileVerifier() JWTProfileVerifier
+}
+
+func revocationHandler(revoker Revoker) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		Revoke(w, r, revoker)
+	}
+}
+
+func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker) {
+	token, _, clientID, err := ParseTokenRevocationRequest(r, revoker)
+	if err != nil {
+		RevocationRequestError(w, r, err)
+		return
+	}
+	tokenID, subject, ok := getTokenIDAndSubjectForRevocation(r.Context(), revoker, token)
+	if ok {
+		token = tokenID
+	}
+	if err := revoker.Storage().RevokeToken(r.Context(), token, subject, clientID); err != nil {
+		RevocationRequestError(w, r, err)
+		return
+	}
+	httphelper.MarshalJSON(w, nil)
+}
+
+func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error) {
+	err = r.ParseForm()
+	if err != nil {
+		return "", "", "", oidc.ErrInvalidRequest().WithDescription("unable to parse request").WithParent(err)
+	}
+	req := new(struct {
+		oidc.RevocationRequest
+		oidc.ClientAssertionParams        //for auth_method private_key_jwt
+		ClientID                   string `schema:"client_id"`     //for auth_method none and post
+		ClientSecret               string `schema:"client_secret"` //for auth_method post
+	})
+	err = revoker.Decoder().Decode(req, r.Form)
+	if err != nil {
+		return "", "", "", oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
+	}
+	if req.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
+		revokerJWTProfile, ok := revoker.(RevokerJWTProfile)
+		if !ok || !revoker.AuthMethodPrivateKeyJWTSupported() {
+			return "", "", "", oidc.ErrInvalidClient().WithDescription("auth_method private_key_jwt not supported")
+		}
+		profile, err := VerifyJWTAssertion(r.Context(), req.ClientAssertion, revokerJWTProfile.JWTProfileVerifier())
+		if err == nil {
+			return req.Token, req.TokenTypeHint, profile.Issuer, nil
+		}
+		return "", "", "", err
+	}
+	clientID, clientSecret, ok := r.BasicAuth()
+	if ok {
+		clientID, err = url.QueryUnescape(clientID)
+		if err != nil {
+			return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+		}
+		clientSecret, err = url.QueryUnescape(clientSecret)
+		if err != nil {
+			return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
+		}
+		if err = AuthorizeClientIDSecret(r.Context(), clientID, clientSecret, revoker.Storage()); err != nil {
+			return "", "", "", err
+		}
+		return req.Token, req.TokenTypeHint, clientID, nil
+	}
+	if req.ClientID == "" {
+		return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid authorization")
+	}
+	client, err := revoker.Storage().GetClientByClientID(r.Context(), req.ClientID)
+	if err != nil {
+		return "", "", "", oidc.ErrInvalidClient().WithParent(err)
+	}
+	if req.ClientSecret == "" {
+		if client.AuthMethod() != oidc.AuthMethodNone {
+			return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid authorization")
+		}
+		return req.Token, req.TokenTypeHint, req.ClientID, nil
+	}
+	if client.AuthMethod() == oidc.AuthMethodPost && !revoker.AuthMethodPostSupported() {
+		return "", "", "", oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
+	}
+	if err = AuthorizeClientIDSecret(r.Context(), req.ClientID, req.ClientSecret, revoker.Storage()); err != nil {
+		return "", "", "", err
+	}
+	return req.Token, req.TokenTypeHint, req.ClientID, nil
+}
+
+func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error) {
+	e := oidc.DefaultToServerError(err, err.Error())
+	status := http.StatusBadRequest
+	if e.ErrorType == oidc.InvalidClient {
+		status = 401
+	}
+	httphelper.MarshalJSONWithStatus(w, e, status)
+}
+
+func getTokenIDAndSubjectForRevocation(ctx context.Context, userinfoProvider UserinfoProvider, accessToken string) (string, string, bool) {
+	tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
+	if err == nil {
+		splitToken := strings.Split(tokenIDSubject, ":")
+		if len(splitToken) != 2 {
+			return "", "", false
+		}
+		return splitToken[0], splitToken[1], true
+	}
+	accessTokenClaims, err := VerifyAccessToken(ctx, accessToken, userinfoProvider.AccessTokenVerifier())
+	if err != nil {
+		return "", "", false
+	}
+	return accessTokenClaims.GetTokenID(), accessTokenClaims.GetSubject(), true
+}