feat: new '--keep-running' for authorization code flow

README.md

@@ -1,6 +1,7 @@
 # oidc-client-demo
 
-`oidc-client` is a CLI tool for testing OIDC integration. See CLI docs [here](https://github.com/vdbulcke/oidc-client-demo/blob/main/doc/oidc-client.md).
+`oidc-client` is a CLI tool for testing OIDC integration. It is also a reference implementation for [oauthx](https://github.com/vdbulcke/oauthx)
+the oauth2 library used.
 
 
 ## Documentation
@@ -9,6 +10,8 @@ The complete documentation is hosted [here](https://vdbulcke.github.io/oidc-clie
 
 ## Features
 
+`oidc-client` supports most of the feature of [oauthx](https://github.com/vdbulcke/oauthx).
+
 * OIDC Authorization Code flow 
 * Provider Discovery: Based on Issuer (`./well-known/openid-configuration`) or via an alternative endpoint
 * Token Signature validation (from jwk provider endpoint)
@@ -48,4 +51,4 @@ $ ./verify_signature.sh ~/Downloads/oidc-client-demo_0.15.0_Linux_x86_64.tar.gz
 Checking Signature for version: v0.15.0
 Verified OK
 
-```
+```

src/client/authorize.go

@@ -297,10 +297,17 @@ func (c *OIDCClient) OIDCAuthorizationCodeFlow() error {
 
 		if tokenResp.IDToken != "" {
 
-			opts := c.client.NewIDTokenDefaultValidation(
-				oauthx.WithIDTokenNonceValidation(oauthCtx.Nonce),
-			)
+			idToken, err := c.client.ParseIDToken(c.ctx, tokenResp.IDToken)
+			if err != nil {
+				c.logger.Error("ID Token standard validation failed", "err", err)
+				http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
+				return
+			}
 
+			// extra id_token validation
+			opts := []oauthx.IDTokenValidationFunc{
+				oauthx.WithIDTokenNonceValidation(oauthCtx.Nonce),
+			}
 			if len(c.config.ACRWhitelist) > 0 {
 				opts = append(opts, oauthx.WithIDTokenAcrWhitelist(c.config.ACRWhitelist))
 			}
@@ -325,11 +332,9 @@ func (c *OIDCClient) OIDCAuthorizationCodeFlow() error {
 				opts = append(opts, amrWhitelistValidationOpt)
 			}
 
-			idToken, err := c.client.ParseIDToken(c.ctx, tokenResp.IDToken,
-				oauthx.WithIDTokenParseOptCustomValidation(opts...),
-			)
+			err = idToken.Validate(c.ctx, opts...)
 			if err != nil {
-				c.logger.Error("ID Token validation failed", "err", err)
+				c.logger.Error("ID Token extra validation failed", "err", err)
 				http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
 				return
 			}
@@ -426,11 +431,13 @@ func (c *OIDCClient) OIDCAuthorizationCodeFlow() error {
 		//nolint
 		w.Write(data)
 
-		// stop program
-		go func() {
-			c.logger.Info("Stopping server")
-			close <- os.Interrupt
-		}()
+		if !c.config.KeepRunning {
+			// stop program
+			go func() {
+				c.logger.Info("Stopping server")
+				close <- os.Interrupt
+			}()
+		}
 	})
 
 	localAddress := fmt.Sprintf("%s:%d", c.config.ListenAddress, c.config.ListenPort)

src/client/config.go

@@ -88,6 +88,10 @@ type OIDCClientConfig struct {
 	MockNonce        string
 	MockCodeVerifier string
 
+	// keep server running during authorizaiton code flow
+	//
+	KeepRunning bool
+
 	// Output
 	OutputEnabled       bool
 	OutputDir           string

src/cmd/client.go

@@ -25,6 +25,7 @@ var mockCodeVerifier string
 var mockKid string
 var privateKey string
 var clientCertificate string
+var keepRunning bool
 
 // default
 var DefaultListeningAddress = "127.0.0.1"
@@ -45,6 +46,7 @@ func init() {
 	clientCmd.Flags().StringVarP(&mockKid, "mock-jwt-kid", "", "", "Use static jwt 'kid' value")
 	clientCmd.Flags().StringVarP(&privateKey, "pem-key", "", "", "private key (pem format) for jwt signature or mTLS")
 	clientCmd.Flags().StringVarP(&clientCertificate, "pem-cert", "", "", "client certificate (pem format) mTLS")
+	clientCmd.Flags().BoolVarP(&keepRunning, "keep-running", "", false, "keep http client running until explicit 'CTRL-C'")
 
 	// required flags
 	//nolint
@@ -155,6 +157,10 @@ func initClient() *oidcclient.OIDCClient {
 		config.FakePKCEVerifier = true
 	}
 
+	// set flag to keep http server running on
+	// response until explicit CTRL+C
+	config.KeepRunning = keepRunning
+
 	// set output flag
 	config.OutputEnabled = output
 	config.OutputDir = outputDir