Without IdleTimeout, clients holding keep-alive connections open indefinitely
caused server-side goroutines (and their ~16KB of buffers) to accumulate
linearly until OOM.
Some providers require that the `typ` header has a value exactly equal
to `client-authentication+jwt` in accordance with changes introduced by
RFC7523bis.
This commit allows for opting in to setting the `typ` header with this new value.
The default behaviour is to use the previous de facto standard value, `JWT`.
Once the changes in RFC7523bis land in the affected standards and
identity providers start supporting the new `typ` header (Entra ID being
notable for not supporting this as of this commit), we will default to
use `client-authentication+jwt`.
This adds an optional health probe listener, mostly for use in runtime
environments where you want separate public and private listeners.
The existing /oauth2/ping endpoint on the main listener is kept for
backwards compatibility.
This drops the calling function, filepath and line number attributes
for redisotel tracing. The underlying implementation here calls
runtime.Callers, which are more expensive than we'd like.
While RFC 6749 specifies this field as recommended:
> If omitted, the authorization server SHOULD provide the
> expiration time via other means or document the default value.
and equivalently the OIDC Core spec specifies the same field as optional,
we will explicitly enforce that these fields are returned from the AS.
This isn't a breaking change as the existing session refresh logic implicitly
depends on this field and its value.
While there are probably some providers that omit the `expires_in` field
or set it to zero with the intent of returning access tokens that do not
expire, we assume these are relatively rare. We might revisit this
at some point in the future, should our assumptions be wrong.
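The check described above (reject a token response whose `expires_in` is omitted or zero, and derive the absolute expiry the refresh logic relies on), as an added Go example. This is not the project's own code: the type and function names, the error values and the sample response bodies are all constructed for the example, and the `RefreshDue` helper with its leeway argument is an assumption about how a session-refresh check might consume the computed expiry.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TokenResponse holds the token-endpoint fields this check cares about.
// ExpiresIn is a pointer so an omitted field can be told apart from an
// explicit zero; both are rejected, but the error names the difference.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    *int64 `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
}

var (
	ErrMissingExpiresIn = errors.New("token response: expires_in is missing")
	ErrZeroExpiresIn    = errors.New("token response: expires_in must be a positive number of seconds")
)

// ParseTokenResponse decodes a token response and enforces a positive
// expires_in, returning the absolute expiry computed from now.
func ParseTokenResponse(body []byte, now time.Time) (*TokenResponse, time.Time, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, time.Time{}, fmt.Errorf("token response: %w", err)
	}
	if tr.AccessToken == "" {
		return nil, time.Time{}, errors.New("token response: access_token is missing")
	}
	switch {
	case tr.ExpiresIn == nil:
		return nil, time.Time{}, ErrMissingExpiresIn
	case *tr.ExpiresIn <= 0:
		return nil, time.Time{}, ErrZeroExpiresIn
	}
	return &tr, now.Add(time.Duration(*tr.ExpiresIn) * time.Second), nil
}

// RefreshDue reports whether the access token should be refreshed now,
// treating it as expired once it is within leeway of the computed expiry.
// (Hypothetical helper; it only illustrates that refresh logic needs a
// trustworthy expiry, which is why expires_in is enforced above.)
func RefreshDue(expiry, now time.Time, leeway time.Duration) bool {
	return !now.Add(leeway).Before(expiry)
}

func main() {
	now := time.Unix(1_700_000_000, 0).UTC()
	// Constructed sample bodies, not captured from any real provider.
	for _, body := range []string{
		`{"access_token":"at-1","token_type":"Bearer","expires_in":3600}`,
		`{"access_token":"at-2","token_type":"Bearer"}`,
		`{"access_token":"at-3","token_type":"Bearer","expires_in":0}`,
	} {
		_, expiry, err := ParseTokenResponse([]byte(body), now)
		fmt.Printf("%s\n  expiry=%v err=%v\n", body, expiry, err)
	}
}
```

The pointer field is the important detail: with a plain `int64`, an omitted `expires_in` and an explicit `0` are indistinguishable after unmarshalling, so the error would not tell an operator which kind of provider they are dealing with.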
In accordance with OpenID Connect 1.0 Core, draft 36 incorporating
errata set 3:
> aud
> REQUIRED. Audience. The aud (audience) Claim. [...] The Audience value MUST be the OP's Issuer Identifier passed as a string, and not a single-element array.
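The two client-assertion changes above, the opt-in `typ` value from the RFC7523bis commit and the string-valued `aud` from this one, as a single added Go example that builds and verifies a `private_key_jwt` assertion. This is not the project's own code: the flag name `useRFC7523bisTyp`, the generated P-256 key, the client ID and the issuer URL are assumptions for the example, and ES256 is used only because Go's standard library signs and verifies it without extra modules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// typ values: the de facto default and the RFC7523bis value a deployment can opt in to.
const (
	TypJWT                  = "JWT"
	TypClientAuthentication = "client-authentication+jwt"
)

// AssertionTyp selects the typ header; useRFC7523bisTyp is a hypothetical opt-in flag.
func AssertionTyp(useRFC7523bisTyp bool) string {
	if useRFC7523bisTyp {
		return TypClientAuthentication
	}
	return TypJWT
}

// NewKey generates a P-256 key for ES256; a real client loads its configured key.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds an ES256-signed private_key_jwt assertion. The aud
// claim carries the OP's Issuer Identifier as a plain string, never a one-element array.
func ClientAssertion(key *ecdsa.PrivateKey, clientID, issuer string, useRFC7523bisTyp bool, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": AssertionTyp(useRFC7523bisTyp)})
	jti := make([]byte, 16) // unique per assertion so the AS can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": issuer, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(time.Minute).Unix(),
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width R||S concatenation, not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

// Decode splits a compact JWS into header and claims without verifying it.
func Decode(token string) (header map[string]string, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("not a compact JWS")
	}
	for i, v := range []any{&header, &claims} {
		raw, derr := base64.RawURLEncoding.DecodeString(parts[i])
		if derr != nil {
			return nil, nil, derr
		}
		if err = json.Unmarshal(raw, v); err != nil {
			return nil, nil, err
		}
	}
	return header, claims, nil
}

// Verify checks the ES256 signature over header.payload against pub.
func Verify(token string, pub *ecdsa.PublicKey) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

func main() {
	key, _ := NewKey()
	// "my-client" and the issuer URL are constructed identifiers, not a real deployment.
	tok, err := ClientAssertion(key, "my-client", "https://op.example", true, time.Now())
	if err != nil {
		panic(err)
	}
	h, c, _ := Decode(tok)
	fmt.Printf("typ=%s aud=%v valid=%v\n", h["typ"], c["aud"], Verify(tok, &key.PublicKey))
}
```

Passing `issuer` straight into the claims map as a `string` is what keeps `aud` out of array form; marshalling a `[]string{issuer}` would produce the single-element array the errata forbids. The signature encoding is the other place to get right: `ecdsa.Sign` returns two big integers, and a JWS expects them zero-padded to 32 bytes each and concatenated, not the ASN.1 DER form that `ecdsa.SignASN1` produces.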
Unfortunately, public pages may have older user-agents that do not support Sec-Fetch- headers.
This is mostly Safari <16.3. We only apply this limitation for forward-auth for now.