feat: claims interface

README.md

@@ -22,9 +22,9 @@ following list of differences:
 - [x] Minimum dependency is go version 1.21
 - [x] Replace string values with constants where applicable
       <sup>[commit](https://github.com/authelia/oauth2-provider/commit/de536dc0c9cd5f080c387621799e644319587bd0)</sup>
-- [ ] Simplify the internal JWT logic to leverage `github.com/golang-jwt/jwt/v5`
+- [x] Simplify the internal JWT logic to leverage `github.com/golang-jwt/jwt/v5`
       or other such libraries
-- [ ] Implement internal JWKS logic
+- [x] Implement internal JWKS logic
 - [x] Higher Debug error information visibility (Debug Field includes the
       complete RFC6749 error with debug information if available)
 - Fixes:
@@ -103,10 +103,10 @@ following list of differences:
     - [x] General Refactor
     - [x] Prevent Multiple Client Authentication Methods
     - [x] Client Secret Validation Interface
-    - [ ] JWE support for Client Authentication and Issuance
+    - [x] JWE support for Client Authentication and Issuance
   - [x] Testing Package (mocks, etc)
   - [ ] Clock Drift Support
-  - [ ] Key Management
+  - [x] Key Management
   - [ ] Injectable Clock Configurator
   - [x] Support `s_hash`
         <sup>[commit](https://github.com/authelia/oauth2-provider/commit/edbbbe9467c70a2578db4b9af4d6cd319f74886e)</sup>
@@ -125,6 +125,7 @@ following list of differences:
   - [x] `github.com/gobuffalo/packr`
   - [x] `github.com/form3tech-oss/jwt-go`
   - [x] `github.com/dgrijalva/jwt-go`
+  - [x] `github.com/golang-jwt/jwt`
 - Migration of the following dependencies:
   - [x] `github.com/go-jose/go-jose/v3` => `github.com/go-jose/go-jose/v4`
   - [x] `github.com/golang/mock` => `github.com/uber-go/mock`

handler/oauth2/flow_authorize_code_token.go

@@ -12,6 +12,7 @@ import (
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/internal/consts"
 	"authelia.com/provider/oauth2/storage"
+	"authelia.com/provider/oauth2/token/jwt"
 	"authelia.com/provider/oauth2/x/errorsx"
 )
 
@@ -106,11 +107,11 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
 	request.SetID(authorizeRequest.GetID())
 
 	atLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeAuthorizationCode, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
-	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
+	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Truncate(jwt.TimePrecision))
 
 	rtLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeAuthorizationCode, oauth2.RefreshToken, c.Config.GetRefreshTokenLifespan(ctx))
 	if rtLifespan > -1 {
-		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Round(time.Second))
+		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Truncate(jwt.TimePrecision))
 	}
 
 	return nil

handler/oauth2/flow_authorize_code_token_test.go

@@ -19,6 +19,7 @@ import (
 	"authelia.com/provider/oauth2/internal/consts"
 	"authelia.com/provider/oauth2/storage"
 	"authelia.com/provider/oauth2/testing/mock"
+	"authelia.com/provider/oauth2/token/jwt"
 )
 
 func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) {
@@ -462,8 +463,8 @@ func TestAuthorizeExplicitGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 				require.NoError(t, s.InvalidateAuthorizeCodeSession(context.TODO(), sig))
 			},
 			func(t *testing.T, s CoreStorage, r *oauth2.AccessRequest, ar *oauth2.AuthorizeRequest) {
-				assert.Equal(t, time.Now().Add(time.Minute).UTC().Round(time.Second), r.GetSession().GetExpiresAt(oauth2.AccessToken))
-				assert.Equal(t, time.Now().Add(time.Minute).UTC().Round(time.Second), r.GetSession().GetExpiresAt(oauth2.RefreshToken))
+				assert.Equal(t, time.Now().Add(time.Minute).UTC().Truncate(jwt.TimePrecision), r.GetSession().GetExpiresAt(oauth2.AccessToken))
+				assert.Equal(t, time.Now().Add(time.Minute).UTC().Truncate(jwt.TimePrecision), r.GetSession().GetExpiresAt(oauth2.RefreshToken))
 			},
 			"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used.",
 		},

handler/oauth2/flow_authorize_implicit.go

@@ -11,6 +11,7 @@ import (
 
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/internal/consts"
+	"authelia.com/provider/oauth2/token/jwt"
 	"authelia.com/provider/oauth2/x/errorsx"
 )
 
@@ -70,7 +71,7 @@ func (c *AuthorizeImplicitGrantTypeHandler) IssueImplicitAccessToken(ctx context
 	// Only override expiry if none is set.
 	atLifespan := oauth2.GetEffectiveLifespan(requester.GetClient(), oauth2.GrantTypeImplicit, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
 	if requester.GetSession().GetExpiresAt(oauth2.AccessToken).IsZero() {
-		requester.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
+		requester.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Truncate(jwt.TimePrecision))
 	}
 
 	// Generate the code

handler/oauth2/flow_generic_code_token.go

@@ -8,6 +8,7 @@ import (
 
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/storage"
+	"authelia.com/provider/oauth2/token/jwt"
 	"authelia.com/provider/oauth2/x/errorsx"
 )
 
@@ -130,11 +131,11 @@ func (c *GenericCodeTokenEndpointHandler) HandleTokenEndpointRequest(ctx context
 	request.SetID(authorizeRequest.GetID())
 
 	atLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeAuthorizationCode, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
-	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
+	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Truncate(jwt.TimePrecision))
 
 	rtLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeAuthorizationCode, oauth2.RefreshToken, c.Config.GetRefreshTokenLifespan(ctx))
 	if rtLifespan > -1 {
-		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Round(time.Second))
+		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Truncate(jwt.TimePrecision))
 	}
 
 	return nil

handler/oauth2/flow_refresh.go

@@ -13,6 +13,7 @@ import (
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/internal/consts"
 	"authelia.com/provider/oauth2/storage"
+	"authelia.com/provider/oauth2/token/jwt"
 	"authelia.com/provider/oauth2/x/errorsx"
 )
 
@@ -146,11 +147,11 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
 	}
 
 	atLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeRefreshToken, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
-	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
+	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Truncate(jwt.TimePrecision))
 
 	rtLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypeRefreshToken, oauth2.RefreshToken, c.Config.GetRefreshTokenLifespan(ctx))
 	if rtLifespan > -1 {
-		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Round(time.Second))
+		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Truncate(jwt.TimePrecision))
 	}
 
 	return nil

handler/oauth2/flow_refresh_test.go

@@ -20,6 +20,7 @@ import (
 	"authelia.com/provider/oauth2/internal/consts"
 	"authelia.com/provider/oauth2/storage"
 	"authelia.com/provider/oauth2/testing/mock"
+	"authelia.com/provider/oauth2/token/jwt"
 )
 
 func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
@@ -114,7 +115,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", consts.ScopeOffline},
 							Session:        expiredSess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -139,7 +140,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -165,18 +166,18 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
 					expect: func(t *testing.T) {
 						assert.NotEqual(t, sess, areq.Session)
-						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Round(time.Hour), areq.RequestedAt)
+						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Truncate(time.Hour), areq.RequestedAt)
 						assert.Equal(t, oauth2.Arguments{"foo", consts.ScopeOffline}, areq.GrantedScope)
 						assert.Equal(t, oauth2.Arguments{"foo", consts.ScopeOffline}, areq.RequestedScope)
 						assert.NotEqual(t, url.Values{"foo": []string{"bar"}}, areq.Form)
-						assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
-						assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
+						assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
+						assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
 					},
 				},
 				{
@@ -200,7 +201,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", "baz", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -232,7 +233,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", "baz", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -264,7 +265,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "baz", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -294,13 +295,13 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
 					expect: func(t *testing.T) {
 						assert.NotEqual(t, sess, areq.Session)
-						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Round(time.Hour), areq.RequestedAt)
+						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Truncate(time.Hour), areq.RequestedAt)
 						assert.Equal(t, oauth2.Arguments{"foo", consts.ScopeOffline}, areq.GrantedScope)
 						assert.Equal(t, oauth2.Arguments{"foo", consts.ScopeOffline}, areq.RequestedScope)
 						assert.NotEqual(t, url.Values{"foo": []string{"bar"}}, areq.Form)
@@ -328,7 +329,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar"},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
@@ -355,18 +356,18 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar"},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						})
 						require.NoError(t, err)
 					},
 					expect: func(t *testing.T) {
 						assert.NotEqual(t, sess, areq.Session)
-						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Round(time.Hour), areq.RequestedAt)
+						assert.NotEqual(t, time.Now().UTC().Add(-time.Hour).Truncate(time.Hour), areq.RequestedAt)
 						assert.Equal(t, oauth2.Arguments{"foo"}, areq.GrantedScope)
 						assert.Equal(t, oauth2.Arguments{"foo"}, areq.RequestedScope)
 						assert.NotEqual(t, url.Values{"foo": []string{"bar"}}, areq.Form)
-						assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
-						assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
+						assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
+						assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
 					},
 				},
 				{
@@ -389,7 +390,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
 							RequestedScope: oauth2.Arguments{"foo", "bar", consts.ScopeOffline},
 							Session:        sess,
 							Form:           url.Values{"foo": []string{"bar"}},
-							RequestedAt:    time.Now().UTC().Add(-time.Hour).Round(time.Hour),
+							RequestedAt:    time.Now().UTC().Add(-time.Hour).Truncate(time.Hour),
 						}
 						err = store.CreateRefreshTokenSession(context.TODO(), sig, req)
 						require.NoError(t, err)

handler/oauth2/flow_resource_owner.go

@@ -11,6 +11,7 @@ import (
 
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/internal/consts"
+	"authelia.com/provider/oauth2/token/jwt"
 	"authelia.com/provider/oauth2/x/errorsx"
 )
 
@@ -70,11 +71,11 @@ func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointReques
 	delete(request.GetRequestForm(), consts.FormParameterPassword)
 
 	atLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypePassword, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
-	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
+	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(atLifespan).Truncate(jwt.TimePrecision))
 
 	rtLifespan := oauth2.GetEffectiveLifespan(request.GetClient(), oauth2.GrantTypePassword, oauth2.RefreshToken, c.Config.GetRefreshTokenLifespan(ctx))
 	if rtLifespan > -1 {
-		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Round(time.Second))
+		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(rtLifespan).Truncate(jwt.TimePrecision))
 	}
 
 	return nil

handler/oauth2/flow_resource_owner_test.go

@@ -18,6 +18,7 @@ import (
 	"authelia.com/provider/oauth2"
 	"authelia.com/provider/oauth2/internal/consts"
 	"authelia.com/provider/oauth2/testing/mock"
+	"authelia.com/provider/oauth2/token/jwt"
 )
 
 func TestResourceOwnerFlow_HandleTokenEndpointRequest(t *testing.T) {
@@ -89,8 +90,8 @@ func TestResourceOwnerFlow_HandleTokenEndpointRequest(t *testing.T) {
 				store.EXPECT().Authenticate(context.TODO(), "peter", "pan").Return(nil)
 			},
 			check: func(areq *oauth2.AccessRequest) {
-				assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
-				assert.Equal(t, time.Now().Add(time.Hour).UTC().Round(time.Second), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
+				assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.AccessToken))
+				assert.Equal(t, time.Now().Add(time.Hour).UTC().Truncate(jwt.TimePrecision), areq.GetSession().GetExpiresAt(oauth2.RefreshToken))
 			},
 		},
 	} {

handler/oauth2/strategy_jwt_profile_test.go

@@ -23,8 +23,8 @@ import (
 
 var rsaKey = gen.MustRSAKey()
 
-// returns a valid JWT type. The JWTClaims.ExpiresAt time is intentionally
-// left empty to ensure it is pulled from the session's ExpiresAt map for
+// returns a valid JWT type. The JWTClaims.ExpirationTime time is intentionally
+// left empty to ensure it is pulled from the session's ExpirationTime map for
 // the given oauth2.TokenType.
 var jwtValidCase = func(tokenType oauth2.TokenType) *oauth2.Request {
 	r := &oauth2.Request{
@@ -132,7 +132,7 @@ var jwtValidCaseWithRefreshExpiry = func(tokenType oauth2.TokenType) *oauth2.Req
 			},
 			ExpiresAt: map[oauth2.TokenType]time.Time{
 				tokenType:           time.Now().UTC().Add(time.Hour),
-				oauth2.RefreshToken: time.Now().UTC().Add(time.Hour * 2).Round(time.Hour),
+				oauth2.RefreshToken: time.Now().UTC().Add(time.Hour * 2).Truncate(time.Hour),
 			},
 		},
 	}
@@ -144,8 +144,8 @@ var jwtValidCaseWithRefreshExpiry = func(tokenType oauth2.TokenType) *oauth2.Req
 	return r
 }
 
-// returns an expired JWT type. The JWTClaims.ExpiresAt time is intentionally
-// left empty to ensure it is pulled from the session's ExpiresAt map for
+// returns an expired JWT type. The JWTClaims.ExpirationTime time is intentionally
+// left empty to ensure it is pulled from the session's ExpirationTime map for
 // the given oauth2.TokenType.
 var jwtExpiredCase = func(tokenType oauth2.TokenType, now time.Time) *oauth2.Request {
 	r := &oauth2.Request{

handler/openid/flow_device_authorization_test.go

@@ -169,7 +169,7 @@ func TestOpenIDConnectDeviceAuthorizeHandler_PopulateTokenEndpointResponse(t *te
 			setup: func() {
 				sess := &DefaultSession{
 					Claims: &jwt.IDTokenClaims{
-						RequestedAt: time.Now().UTC(),
+						RequestedAt: jwt.Now(),
 						Subject:     "foobar",
 					},
 					Headers: &jwt.Headers{},
@@ -297,7 +297,7 @@ func TestOpenIDConnectDeviceAuthorizeHandler_PopulateTokenEndpointResponse(t *te
 			setup: func() {
 				sess := &DefaultSession{
 					Claims: &jwt.IDTokenClaims{
-						RequestedAt: time.Now().UTC(),
+						RequestedAt: jwt.Now(),
 						Subject:     "",
 					},
 					Headers: &jwt.Headers{},