Merge pull request #117 from opencloud-eu/dependabot/go_modules/github.com/coreos/go-oidc/v3-3.12.0

Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/beevik/etree v1.4.1
 	github.com/blevesearch/bleve/v2 v2.4.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/cs3org/go-cs3apis v0.0.0-20241105092511-3ad35d174fc1
 	github.com/davidbyttow/govips/v2 v2.15.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8

go.sum

@@ -230,8 +230,8 @@ github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKk
 github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
-github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=

vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go

@@ -154,40 +154,65 @@ var supportedAlgorithms = map[string]bool{
 	EdDSA: true,
 }
 
-// ProviderConfig allows creating providers when discovery isn't supported. It's
-// generally easier to use NewProvider directly.
+// ProviderConfig allows direct creation of a [Provider] from metadata
+// configuration. This is intended for interop with providers that don't support
+// discovery, or host the JSON discovery document at an off-spec path.
+//
+// The ProviderConfig struct specifies JSON struct tags to support document
+// parsing.
+//
+//	// Directly fetch the metadata document.
+// 	resp, err := http.Get("https://login.example.com/custom-metadata-path")
+//	if err != nil {
+//		// ...
+//	}
+//	defer resp.Body.Close()
+//
+//	// Parse config from JSON metadata.
+//	config := &oidc.ProviderConfig{}
+//	if err := json.NewDecoder(resp.Body).Decode(config); err != nil {
+//		// ...
+//	}
+//	p := config.NewProvider(context.Background())
+//
+// For providers that implement discovery, use [NewProvider] instead.
+//
+// See: https://openid.net/specs/openid-connect-discovery-1_0.html
 type ProviderConfig struct {
 	// IssuerURL is the identity of the provider, and the string it uses to sign
 	// ID tokens with. For example "https://accounts.google.com". This value MUST
 	// match ID tokens exactly.
-	IssuerURL string
+	IssuerURL string `json:"issuer"`
 	// AuthURL is the endpoint used by the provider to support the OAuth 2.0
 	// authorization endpoint.
-	AuthURL string
+	AuthURL string `json:"authorization_endpoint"`
 	// TokenURL is the endpoint used by the provider to support the OAuth 2.0
 	// token endpoint.
-	TokenURL string
+	TokenURL string `json:"token_endpoint"`
 	// DeviceAuthURL is the endpoint used by the provider to support the OAuth 2.0
 	// device authorization endpoint.
-	DeviceAuthURL string
+	DeviceAuthURL string `json:"device_authorization_endpoint"`
 	// UserInfoURL is the endpoint used by the provider to support the OpenID
 	// Connect UserInfo flow.
 	//
 	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
-	UserInfoURL string
+	UserInfoURL string `json:"userinfo_endpoint"`
 	// JWKSURL is the endpoint used by the provider to advertise public keys to
 	// verify issued ID tokens. This endpoint is polled as new keys are made
 	// available.
-	JWKSURL string
+	JWKSURL string `json:"jwks_uri"`
 
 	// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign
 	// ID tokens. If not provided, this defaults to the algorithms advertised by
 	// the JWK endpoint, then the set of algorithms supported by this package.
-	Algorithms []string
+	Algorithms []string `json:"id_token_signing_alg_values_supported"`
 }
 
 // NewProvider initializes a provider from a set of endpoints, rather than
 // through discovery.
+//
+// The provided context is only used for [http.Client] configuration through
+// [ClientContext], not cancelation.
 func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
 	return &Provider{
 		issuer:        p.IssuerURL,
@@ -202,9 +227,14 @@ func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
 }
 
 // NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
-//
 // The issuer is the URL identifier for the service. For example: "https://accounts.google.com"
 // or "https://login.salesforce.com".
+//
+// OpenID Connect providers that don't implement discovery or host the discovery
+// document at a non-spec complaint path (such as requiring a URL parameter),
+// should use [ProviderConfig] instead.
+//
+// See: https://openid.net/specs/openid-connect-discovery-1_0.html
 func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 	wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
 	req, err := http.NewRequest("GET", wellKnown, nil)

vendor/modules.txt

@@ -319,7 +319,7 @@ github.com/containerd/cgroups/v3/cgroup1
 github.com/containerd/cgroups/v3/cgroup1/stats
 github.com/containerd/cgroups/v3/cgroup2
 github.com/containerd/cgroups/v3/cgroup2/stats
-# github.com/coreos/go-oidc/v3 v3.11.0
+# github.com/coreos/go-oidc/v3 v3.12.0
 ## explicit; go 1.21
 github.com/coreos/go-oidc/v3/oidc
 # github.com/coreos/go-semver v0.3.0