Adding Revoke and Introspect methods to Provider

[mfridman]

Thanks for your continued support of this package.

Re #232 I like the idea of dropping the /x/oauth2 pkg and using this package exclusively when interfacing with oidc servers. But as you mentioned, this might be out-of-scope for v3.

What are your thoughts on adding support for additional endpoints:

• revocation_endpoint rfc7009
• introspection_endpoint rfc7662

We could add the endpoint URLs to the Provider struct and add 2 new methods:

• Revoke(..)
• Introspect(..)

I don't think these are mandatory, so calling these methods on empty URLs would return ErrNotSupported.

Thoughts?

[ericchiang]

I don't see anything in either of those RFCs about OpenID Connect :) You can already do this today:

p, err := oidc.NewProvider(ctx, issuerURL)
if err != nil {
    // ...
}
var c struct {
    RevocationEndpoint    string `json:"revocation_endpoint"`
    IntrospectionEndpoint string `json:"introspection_endpoint"`
}
if err := p.Claims(&c); err != nil {
    // ...
}

If that covers your use case I'm inclined to leave as is.

[mfridman]

Ye, not part of OIDC.

I figured it might be useful to have these two endpoints, similar to UserInfo which fetches from userinfo_endpoint but instead here we'd inspect/revoke tokens.

Easy enough to implement outside this core (no pun intended ;) package.

In retrospect, keeping this package lean makes sense sense.

p.s. @ericchiang if you need any help or need early users for v3 happy to help.