Merge branch 'main' into merge-main

# Conflicts: # README.md # example/client/app/app.go # example/server/exampleop/op.go # example/server/main.go # pkg/client/client.go # pkg/client/rp/relying_party.go # pkg/client/rp/relying_party_test.go # pkg/client/tokenexchange/tokenexchange.go # pkg/crypto/key_test.go # pkg/oidc/token.go # pkg/oidc/verifier.go # pkg/op/auth_request.go # pkg/op/device.go # pkg/op/server_http_routes_test.go # pkg/op/token.go # pkg/op/token_refresh.go
2026-01-23 03:40:08 -06:00 · 2025-11-28 11:19:02 +01:00
parent 14e8529b68 0fb4397c45
commit a4ecfb1c09
94 changed files with 2530 additions and 656 deletions
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/http"
 	"os"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -15,6 +16,7 @@ import (
 	"github.com/sirupsen/logrus"

 	"github.com/zitadel/logging"
+
 	"github.com/zitadel/oidc/v4/pkg/client/rp"
 	httphelper "github.com/zitadel/oidc/v4/pkg/http"
 	"github.com/zitadel/oidc/v4/pkg/oidc"
@@ -29,11 +31,20 @@ func main() {
 	clientID := os.Getenv("CLIENT_ID")
 	clientSecret := os.Getenv("CLIENT_SECRET")
 	keyPath := os.Getenv("KEY_PATH")
+	keyID := os.Getenv("KEY_ID")
 	issuer := os.Getenv("ISSUER")
 	port := os.Getenv("PORT")
 	scopes := strings.Split(os.Getenv("SCOPES"), " ")
 	responseMode := os.Getenv("RESPONSE_MODE")

+	var pkce bool
+	if pkceEnv, ok := os.LookupEnv("PKCE"); ok {
+		var err error
+		pkce, err = strconv.ParseBool(pkceEnv)
+		if err != nil {
+			logrus.Fatalf("error parsing PKCE %s", err.Error())
+		}
+	}
 	redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath)
 	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())

@@ -56,12 +67,20 @@ func main() {
 		rp.WithVerifierOpts(rp.WithIssuedAtOffset(5 * time.Second)),
 		rp.WithHTTPClient(client),
 		rp.WithLogger(logger),
+		rp.WithSigningAlgsFromDiscovery(),
 	}
 	if clientSecret == "" {
 		options = append(options, rp.WithPKCE(cookieHandler))
 	}
 	if keyPath != "" {
-		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
+		signingKey, err := os.ReadFile(keyPath)
+		if err != nil {
+			logrus.Fatalf("error reading key file %s", err.Error())
+		}
+		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyAndKeyID(signingKey, keyID)))
+	}
+	if pkce {
+		options = append(options, rp.WithPKCE(cookieHandler))
 	}

 	// One can add a logger to the context,
@@ -108,6 +127,7 @@ func main() {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		w.Header().Set("content-type", "application/json")
 		w.Write(data)
 	}

--- a/example/client/device/device.go
+++ b/example/client/device/device.go
@@ -60,6 +60,7 @@ func main() {
 	clientID := os.Getenv("CLIENT_ID")
 	clientSecret := os.Getenv("CLIENT_SECRET")
 	keyPath := os.Getenv("KEY_PATH")
+	keyID := os.Getenv("KEY_ID")
 	issuer := os.Getenv("ISSUER")
 	scopes := strings.Split(os.Getenv("SCOPES"), " ")

@@ -70,7 +71,11 @@ func main() {
 		options = append(options, rp.WithPKCE(cookieHandler))
 	}
 	if keyPath != "" {
-		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
+		signingKey, err := os.ReadFile(keyPath)
+		if err != nil {
+			logrus.Fatalf("error reading key file %s", err.Error())
+		}
+		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyAndKeyID(signingKey, keyID)))
 	}

 	provider, err := rp.NewRelyingPartyOIDC(ctx, issuer, clientID, clientSecret, "", scopes, options...)