feat: multi tenant support

pkg/client/client.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 	"time"
 
@@ -27,11 +28,15 @@ var (
 
 // Discover calls the discovery endpoint of the provided issuer and returns its configuration
 // It accepts an optional argument "wellknownUrl" which can be used to overide the dicovery endpoint url
-func Discover(ctx context.Context, issuer string, httpClient *http.Client, wellKnownUrl ...string) (*oidc.DiscoveryConfiguration, error) {
+func Discover(ctx context.Context, issuers []string, httpClient *http.Client, wellKnownUrl ...string) (*oidc.DiscoveryConfiguration, error) {
 	ctx, span := Tracer.Start(ctx, "Discover")
 	defer span.End()
 
-	wellKnown := strings.TrimSuffix(issuer, "/") + oidc.DiscoveryEndpoint
+	wellKnown := ""
+	if len(issuers) > 0 {
+		wellKnown = strings.TrimSuffix(issuers[0], "/") + oidc.DiscoveryEndpoint
+	}
+
 	if len(wellKnownUrl) == 1 && wellKnownUrl[0] != "" {
 		wellKnown = wellKnownUrl[0]
 	}
@@ -48,7 +53,7 @@ func Discover(ctx context.Context, issuer string, httpClient *http.Client, wellK
 		logger.Debug("discover", "config", discoveryConfig)
 	}
 
-	if false && discoveryConfig.Issuer != issuer {
+	if !slices.Contains(issuers, discoveryConfig.Issuer) {
 		return nil, oidc.ErrIssuerInvalid
 	}
 	return discoveryConfig, nil

pkg/client/client_test.go

@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"testing"
 
+	"github.com/datasapiens/oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/datasapiens/oidc/v3/pkg/oidc"
 )
 
 func TestDiscover(t *testing.T) {
@@ -45,7 +45,7 @@ func TestDiscover(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Discover(context.Background(), tt.args.issuer, http.DefaultClient, tt.args.wellKnownUrl...)
+			got, err := Discover(context.Background(), []string{tt.args.issuer}, http.DefaultClient, tt.args.wellKnownUrl...)
 			require.ErrorIs(t, err, tt.wantErr)
 			if tt.wantFields == nil {
 				return

pkg/client/profile/jwt_profile.go

@@ -82,7 +82,7 @@ func NewJWTProfileTokenSource(ctx context.Context, issuer, clientID, keyID strin
 		opt(source)
 	}
 	if source.tokenEndpoint == "" {
-		config, err := client.Discover(ctx, issuer, source.httpClient)
+		config, err := client.Discover(ctx, []string{issuer}, source.httpClient)
 		if err != nil {
 			return nil, err
 		}

pkg/client/rp/relying_party.go

@@ -102,7 +102,7 @@ var DefaultUnauthorizedHandler UnauthorizedHandler = func(w http.ResponseWriter,
 }
 
 type relyingParty struct {
-	issuer                      string
+	issuers                     []string
 	DiscoveryEndpoint           string
 	endpoints                   Endpoints
 	oauthConfig                 *oauth2.Config
@@ -128,7 +128,15 @@ func (rp *relyingParty) OAuthConfig() *oauth2.Config {
 }
 
 func (rp *relyingParty) Issuer() string {
-	return rp.issuer
+	if len(rp.issuers) == 0 {
+		return ""
+	}
+
+	return rp.issuers[0]
+}
+
+func (rp *relyingParty) Issuers() []string {
+	return rp.issuers
 }
 
 func (rp *relyingParty) IsPKCE() bool {
@@ -169,7 +177,7 @@ func (rp *relyingParty) GetRevokeEndpoint() string {
 
 func (rp *relyingParty) IDTokenVerifier() *IDTokenVerifier {
 	if rp.idTokenVerifier == nil {
-		rp.idTokenVerifier = NewIDTokenVerifier(rp.issuer, rp.oauthConfig.ClientID, NewRemoteKeySet(rp.httpClient, rp.endpoints.JKWsURL), rp.verifierOpts...)
+		rp.idTokenVerifier = NewIDTokenVerifier(rp.issuers, rp.oauthConfig.ClientID, NewRemoteKeySet(rp.httpClient, rp.endpoints.JKWsURL), rp.verifierOpts...)
 	}
 	return rp.idTokenVerifier
 }
@@ -236,8 +244,16 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
 // issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
 // it will run discovery on the provided issuer and use the found endpoints
 func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error) {
+
+	return NewRelyingPartyOIDCWithIssuers(ctx, []string{issuer}, clientID, clientSecret, redirectURI, scopes, options...)
+}
+
+// NewRelyingPartyOIDCWithIssuers creates an (OIDC) RelyingParty with the given
+// issuers, clientID, clientSecret, redirectURI, scopes and possible configOptions
+// it will run discovery on the provided issuers and use the found endpoints
+func NewRelyingPartyOIDCWithIssuers(ctx context.Context, issuers []string, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error) {
 	rp := &relyingParty{
-		issuer: issuer,
+		issuers: issuers,
 		oauthConfig: &oauth2.Config{
 			ClientID:     clientID,
 			ClientSecret: clientSecret,
@@ -256,7 +272,7 @@ func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, re
 		}
 	}
 	ctx = logCtxWithRPData(ctx, rp, "function", "NewRelyingPartyOIDC")
-	discoveryConfiguration, err := client.Discover(ctx, rp.issuer, rp.httpClient, rp.DiscoveryEndpoint)
+	discoveryConfiguration, err := client.Discover(ctx, rp.issuers, rp.httpClient, rp.DiscoveryEndpoint)
 	if err != nil {
 		return nil, err
 	}

pkg/client/rp/relying_party_test.go

@@ -20,7 +20,7 @@ import (
 
 func Test_verifyTokenResponse(t *testing.T) {
 	verifier := &IDTokenVerifier{
-		Issuer:            tu.ValidIssuer,
+		Issuers:           []string{tu.ValidIssuer},
 		MaxAgeIAT:         2 * time.Minute,
 		ClientID:          tu.ValidClientID,
 		Offset:            time.Second,

pkg/client/rp/verifier.go

@@ -49,7 +49,7 @@ func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenV
 		return nilClaims, err
 	}
 
-	if err = oidc.CheckIssuer(claims, v.Issuer); err != nil {
+	if err = oidc.CheckIssuer(claims, v.Issuers); err != nil {
 		return nilClaims, err
 	}
 
@@ -110,9 +110,9 @@ func VerifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAl
 }
 
 // NewIDTokenVerifier returns a oidc.Verifier suitable for ID token verification.
-func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...VerifierOption) *IDTokenVerifier {
+func NewIDTokenVerifier(issuers []string, clientID string, keySet oidc.KeySet, options ...VerifierOption) *IDTokenVerifier {
 	v := &IDTokenVerifier{
-		Issuer:   issuer,
+		Issuers:  issuers,
 		ClientID: clientID,
 		KeySet:   keySet,
 		Offset:   time.Second,

pkg/client/rp/verifier_test.go

@@ -5,16 +5,16 @@ import (
 	"testing"
 	"time"
 
+	tu "github.com/datasapiens/oidc/v3/internal/testutil"
+	"github.com/datasapiens/oidc/v3/pkg/oidc"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	tu "github.com/datasapiens/oidc/v3/internal/testutil"
-	"github.com/datasapiens/oidc/v3/pkg/oidc"
 )
 
 func TestVerifyTokens(t *testing.T) {
 	verifier := &IDTokenVerifier{
-		Issuer:            tu.ValidIssuer,
+		Issuers:           []string{tu.ValidIssuer},
 		MaxAgeIAT:         2 * time.Minute,
 		Offset:            time.Second,
 		SupportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
@@ -93,7 +93,7 @@ func TestVerifyTokens(t *testing.T) {
 
 func TestVerifyIDToken(t *testing.T) {
 	verifier := &IDTokenVerifier{
-		Issuer:            tu.ValidIssuer,
+		Issuers:           []string{tu.ValidIssuer},
 		MaxAgeIAT:         2 * time.Minute,
 		Offset:            time.Second,
 		SupportedSignAlgs: []string{string(tu.SignatureAlgorithm)},
@@ -341,7 +341,7 @@ func TestNewIDTokenVerifier(t *testing.T) {
 				},
 			},
 			want: &IDTokenVerifier{
-				Issuer:            tu.ValidIssuer,
+				Issuers:           []string{tu.ValidIssuer},
 				Offset:            time.Minute,
 				MaxAgeIAT:         time.Hour,
 				ClientID:          tu.ValidClientID,
@@ -355,7 +355,7 @@ func TestNewIDTokenVerifier(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := NewIDTokenVerifier(tt.args.issuer, tt.args.clientID, tt.args.keySet, tt.args.options...)
+			got := NewIDTokenVerifier([]string{tt.args.issuer}, tt.args.clientID, tt.args.keySet, tt.args.options...)
 			assert.Equal(t, tt.want, got)
 		})
 	}

pkg/client/rp/verifier_tokens_example_test.go

@@ -71,7 +71,7 @@ const idToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhY3IiOiJzb21ldGhpbmciLCJh
 const accessToken = `eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJhdWQiOlsidW5pdCIsInRlc3QiXSwiYmFyIjp7ImNvdW50IjoyMiwidGFncyI6WyJzb21lIiwidGFncyJdfSwiZXhwIjo0ODAyMjM4NjgyLCJmb28iOiJIZWxsbywgV29ybGQhIiwiaWF0IjoxNjc4MTAxMDIxLCJpc3MiOiJsb2NhbC5jb20iLCJqdGkiOiI5ODc2IiwibmJmIjoxNjc4MTAxMDIxLCJzdWIiOiJ0aW1AbG9jYWwuY29tIn0.Zrz3LWSRjCMJZUMaI5dUbW4vGdSmEeJQ3ouhaX0bcW9rdFFLgBI4K2FWJhNivq8JDmCGSxwLu3mI680GWmDaEoAx1M5sCO9lqfIZHGZh-lfAXk27e6FPLlkTDBq8Bx4o4DJ9Fw0hRJGjUTjnYv5cq1vo2-UqldasL6CwTbkzNC_4oQFfRtuodC4Ql7dZ1HRv5LXuYx7KPkOssLZtV9cwtJp5nFzKjcf2zEE_tlbjcpynMwypornRUp1EhCWKRUGkJhJeiP71ECY5pQhShfjBu9Nc5wDpSnZmnk2S4YsPrRK3QkE-iEkas8BfsOCrGoErHjEJexAIDjasGO5PFLWfCA`
 
 func ExampleVerifyTokens_customClaims() {
-	v := rp.NewIDTokenVerifier("local.com", "555666", tu.KeySet{},
+	v := rp.NewIDTokenVerifier([]string{"local.com"}, "555666", tu.KeySet{},
 		rp.WithNonce(func(ctx context.Context) string { return "12345" }),
 	)
 

pkg/client/rs/resource_server.go

@@ -73,7 +73,7 @@ func newResourceServer(ctx context.Context, issuer string, authorizer func() (an
 		optFunc(rs)
 	}
 	if rs.introspectURL == "" || rs.tokenURL == "" {
-		config, err := client.Discover(ctx, rs.issuer, rs.httpClient)
+		config, err := client.Discover(ctx, []string{issuer}, rs.httpClient)
 		if err != nil {
 			return nil, err
 		}

pkg/client/tokenexchange/tokenexchange.go

@@ -6,10 +6,10 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/go-jose/go-jose/v4"
 	"github.com/datasapiens/oidc/v3/pkg/client"
 	httphelper "github.com/datasapiens/oidc/v3/pkg/http"
 	"github.com/datasapiens/oidc/v3/pkg/oidc"
+	"github.com/go-jose/go-jose/v4"
 )
 
 type TokenExchanger interface {
@@ -55,7 +55,7 @@ func newOAuthTokenExchange(ctx context.Context, issuer string, authorizer func()
 	}
 
 	if te.tokenEndpoint == "" {
-		config, err := client.Discover(ctx, issuer, te.httpClient)
+		config, err := client.Discover(ctx, []string{issuer}, te.httpClient)
 		if err != nil {
 			return nil, err
 		}

pkg/oidc/verifier.go

@@ -65,7 +65,7 @@ var (
 // functions. Use package specific constructor functions to know
 // which values need to be set.
 type Verifier struct {
-	Issuer            string
+	Issuers           []string
 	MaxAgeIAT         time.Duration
 	Offset            time.Duration
 	ClientID          string
@@ -115,10 +115,9 @@ func CheckSubject(claims Claims) error {
 	return nil
 }
 
-func CheckIssuer(claims Claims, issuer string) error {
-	return nil
-	if claims.GetIssuer() != issuer {
-		return fmt.Errorf("%w: Expected: %s, got: %s", ErrIssuerInvalid, issuer, claims.GetIssuer())
+func CheckIssuer(claims Claims, issuers []string) error {
+	if !slices.Contains(issuers, claims.GetIssuer()) {
+		return fmt.Errorf("%w: Expected one of: %v, got: %s", ErrIssuerInvalid, issuers, claims.GetIssuer())
 	}
 	return nil
 }

pkg/oidc/verifier_test.go

@@ -100,7 +100,7 @@ func TestCheckIssuer(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := CheckIssuer(tt.claims, issuer)
+			err := CheckIssuer(tt.claims, []string{issuer})
 			assert.ErrorIs(t, err, tt.wantErr)
 		})
 	}

pkg/op/verifier_access_token.go

@@ -19,8 +19,8 @@ func WithSupportedAccessTokenSigningAlgorithms(algs ...string) AccessTokenVerifi
 // NewAccessTokenVerifier returns a AccessTokenVerifier suitable for access token verification.
 func NewAccessTokenVerifier(issuer string, keySet oidc.KeySet, opts ...AccessTokenVerifierOpt) *AccessTokenVerifier {
 	verifier := &AccessTokenVerifier{
-		Issuer: issuer,
-		KeySet: keySet,
+		Issuers: []string{issuer},
+		KeySet:  keySet,
 	}
 	for _, opt := range opts {
 		opt(verifier)
@@ -44,7 +44,7 @@ func VerifyAccessToken[C oidc.Claims](ctx context.Context, token string, v *Acce
 		return nilClaims, err
 	}
 
-	if err := oidc.CheckIssuer(claims, v.Issuer); err != nil {
+	if err := oidc.CheckIssuer(claims, v.Issuers); err != nil {
 		return nilClaims, err
 	}
 

pkg/op/verifier_access_token_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	tu "github.com/datasapiens/oidc/v3/internal/testutil"
 	"github.com/datasapiens/oidc/v3/pkg/oidc"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewAccessTokenVerifier(t *testing.T) {
@@ -29,8 +29,8 @@ func TestNewAccessTokenVerifier(t *testing.T) {
 				keySet: tu.KeySet{},
 			},
 			want: &AccessTokenVerifier{
-				Issuer: tu.ValidIssuer,
-				KeySet: tu.KeySet{},
+				Issuers: []string{tu.ValidIssuer},
+				KeySet:  tu.KeySet{},
 			},
 		},
 		{
@@ -43,7 +43,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
 				},
 			},
 			want: &AccessTokenVerifier{
-				Issuer:            tu.ValidIssuer,
+				Issuers:           []string{tu.ValidIssuer},
 				KeySet:            tu.KeySet{},
 				SupportedSignAlgs: []string{"ABC", "DEF"},
 			},
@@ -59,7 +59,7 @@ func TestNewAccessTokenVerifier(t *testing.T) {
 
 func TestVerifyAccessToken(t *testing.T) {
 	verifier := &AccessTokenVerifier{
-		Issuer:            tu.ValidIssuer,
+		Issuers:           []string{tu.ValidIssuer},
 		MaxAgeIAT:         2 * time.Minute,
 		Offset:            time.Second,
 		SupportedSignAlgs: []string{string(tu.SignatureAlgorithm)},

pkg/op/verifier_id_token_hint.go

@@ -19,8 +19,8 @@ func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifi
 
 func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) *IDTokenHintVerifier {
 	verifier := &IDTokenHintVerifier{
-		Issuer: issuer,
-		KeySet: keySet,
+		Issuers: []string{issuer},
+		KeySet:  keySet,
 	}
 	for _, opt := range opts {
 		opt(verifier)
@@ -60,7 +60,7 @@ func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTo
 		return nilClaims, err
 	}
 
-	if err := oidc.CheckIssuer(claims, v.Issuer); err != nil {
+	if err := oidc.CheckIssuer(claims, v.Issuers); err != nil {
 		return nilClaims, err
 	}
 

pkg/op/verifier_id_token_hint_test.go

@@ -6,10 +6,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	tu "github.com/datasapiens/oidc/v3/internal/testutil"
 	"github.com/datasapiens/oidc/v3/pkg/oidc"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewIDTokenHintVerifier(t *testing.T) {
@@ -30,8 +30,8 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
 				keySet: tu.KeySet{},
 			},
 			want: &IDTokenHintVerifier{
-				Issuer: tu.ValidIssuer,
-				KeySet: tu.KeySet{},
+				Issuers: []string{tu.ValidIssuer},
+				KeySet:  tu.KeySet{},
 			},
 		},
 		{
@@ -44,7 +44,7 @@ func TestNewIDTokenHintVerifier(t *testing.T) {
 				},
 			},
 			want: &IDTokenHintVerifier{
-				Issuer:            tu.ValidIssuer,
+				Issuers:           []string{tu.ValidIssuer},
 				KeySet:            tu.KeySet{},
 				SupportedSignAlgs: []string{"ABC", "DEF"},
 			},
@@ -67,7 +67,7 @@ func Test_IDTokenHintExpiredError(t *testing.T) {
 
 func TestVerifyIDTokenHint(t *testing.T) {
 	verifier := &IDTokenHintVerifier{
-		Issuer:            tu.ValidIssuer,
+		Issuers:           []string{tu.ValidIssuer},
 		MaxAgeIAT:         2 * time.Minute,
 		Offset:            time.Second,
 		SupportedSignAlgs: []string{string(tu.SignatureAlgorithm)},