I'm using rp.NewRelyingPartyOIDC, which does an auto-discovery by default. I'm missing a method to access the auto-discovery result, and I would like to avoid calling the endpoint twice.
One goal is to detect whether PKCE is supported by the provider and, if so, enable it.
Another goal is to check whether the currently configured scopes are present in the scopes_supported array.
Describe your ideal solution
Having a receiver function which allows access to the discoveryConfiguration.
With the proposed solution there would still be 2 discovery calls, as WithPKCE is an Option and discovery is always done while constructing the RP. If you were able to extract the obtained discovery response and enable PKCE afterwards, you would need to rebuild the RP anyway.
Instead, I would propose an Option that enables PKCE if supported. For example:
```go
// WithPKCEFromDiscovery enables Oauth2 Code Challenge if support is found in the discovery response from the OP.
// Passing this option to a Oauth2-only RP will result in an error, as there is no discovery call.
func WithPKCEFromDiscovery(cookieHandler *httphelper.CookieHandler) Option
```
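The two checks discussed in this thread, as an added standard-library example that is not the library's code or the proposed Option: it reads one already-fetched discovery document, reports whether S256 PKCE is advertised in `code_challenge_methods_supported` (the RFC 8414 metadata field), and lists configured scopes missing from `scopes_supported`. The helper `checkDiscovery`, the struct, and the sample document are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// discoveryDoc holds only the discovery metadata fields this check needs.
type discoveryDoc struct {
	ScopesSupported               []string `json:"scopes_supported"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}

// sampleDiscovery is a constructed discovery response, not captured from a real OP.
const sampleDiscovery = `{"issuer": "https://op.example.test",
  "scopes_supported": ["openid", "profile", "email"],
  "code_challenge_methods_supported": ["plain", "S256"]}`

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// checkDiscovery (hypothetical helper) reports whether the OP advertises PKCE with
// S256 ("plain" alone does not count) and which configured scopes are not advertised.
func checkDiscovery(raw []byte, configured []string) (pkceS256 bool, missing []string, err error) {
	var d discoveryDoc
	if err = json.Unmarshal(raw, &d); err != nil {
		return false, nil, fmt.Errorf("parse discovery document: %w", err)
	}
	pkceS256 = contains(d.CodeChallengeMethodsSupported, "S256")
	// scopes_supported is optional metadata; if absent, nothing can be verified.
	if d.ScopesSupported == nil {
		return pkceS256, nil, nil
	}
	for _, s := range configured {
		if !contains(d.ScopesSupported, s) {
			missing = append(missing, s)
		}
	}
	return pkceS256, missing, nil
}

func main() {
	fmt.Println(checkDiscovery([]byte(sampleDiscovery), []string{"openid", "offline_access"}))
}
```

Because the check works on the raw document, it can run on whatever single discovery response the RP construction already fetched, which is the point of avoiding a second call.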
oidc/pkg/client/rp/relying_party.go
Line 213 in dce79a7
Version
3.8.1
Environment
Self-hosted
Additional Context
No response