Copilot AI commented Oct 12, 2025

Problem

The mock OAuth2 server was returning plain strings as tokens (e.g., "mock-access-token-clientID-timestamp") instead of properly formatted JWTs. This caused issues with consuming services that use Go OIDC libraries to verify tokens, as these libraries expect valid, signed JWTs.

// Before: Plain string tokens
"access_token": "mock-access-token-test-client-20060102150405"
"id_token": "mock-id-token-test-client-20060102150405"

// After: Valid JWT tokens
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Im1vY2sta2V5LTEi..."
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Im1vY2sta2V5LTEi..."

Solution

Implemented proper JWT token generation with RSA-256 signing and JWKS endpoint support:

Key Changes

  1. JWT Generation - Created a new internal/jwt package that:
    • Generates RSA key pairs (2048-bit) for signing tokens
    • Creates properly formatted ID tokens with standard OIDC claims (iss, sub, aud, exp, iat, nonce)
    • Creates access tokens with scope information
    • Supports token verification using the generated public key
  2. JWKS Endpoint - Added /jwks endpoint that:
    • Exposes the public key in JSON Web Key Set format
    • Allows OIDC clients to retrieve and cache the public key for token verification
    • Returns standard JWKS structure with RSA key components (n, e)
  3. Token Handler Updates - Modified the token generation to:
    • Accept issuer URL from configuration
    • Generate valid, signed JWTs for both ID tokens and access tokens
    • Include all standard OIDC claims in the tokens
  4. Comprehensive Testing - Added tests to verify:
    • JWT structure has proper header, payload, and signature
    • Tokens can be parsed and verified
    • JWKS endpoint returns valid key information
    • All existing functionality remains intact

Token Format

ID Token Example:

{
  "alg": "RS256",
  "kid": "mock-key-1",
  "typ": "JWT"
}
{
  "aud": "test-client",
  "exp": 1760263656,
  "iat": 1760260056,
  "iss": "http://localhost:8080",
  "nonce": "d1IYgBZM8CzWfsKcyuncmQ",
  "sub": "user-test-client"
}

Access Token Example:

{
  "aud": "test-client",
  "exp": 1760263656,
  "iat": 1760260056,
  "iss": "http://localhost:8080",
  "scope": ["openid", "email", "profile"],
  "sub": "user-test-client"
}

Benefits

  • ✅ Tokens are now valid JWTs that can be verified by standard OIDC libraries
  • ✅ Compatible with Go's coreos/go-oidc and similar libraries
  • ✅ Follows OpenID Connect specifications
  • ✅ All existing tests pass with 73-100% code coverage
  • ✅ Maintains backward compatibility for all other functionality
  • ✅ The OpenID configuration endpoint already referenced /jwks, which is now functional

Testing

Verified the implementation with:

  • Unit tests for JWT generation, verification, and JWKS endpoint
  • Integration tests for the complete OAuth flow
  • Manual testing with curl showing proper JWT structure
  • All 12 test packages pass successfully

Fixes the issue where consuming services using Go OIDC libraries were failing to verify tokens from the mock server.

Original prompt

This section details the original issue you should resolve

<issue_title>the mock is returning a plain string, not a valid JWT</issue_title>
<issue_description>the mock is returning a plain string, not a valid JWT
Consuming services' Go OIDC libraries are trying to verify this as a real JWT and failing.

The issue is that the mock OAuth server doesn't sign JWTs properly - it just returns placeholder strings. We need to have the mock OAuth server return a properly formatted (even if fake) JWT</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #3
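The PR describes the mock's new behaviour (RS256-signed ID tokens carrying iss/sub/aud/exp/iat/nonce, a /jwks document exposing n and e, and verification against that public key) but the page does not include the internal/jwt package itself. The block below is an added, self-contained illustration of that flow, written for this page and not taken from the project: it mints an ID token with the claim layout of the example above, renders the JWKS, and then verifies the token the way a consuming OIDC client would (select the JWK by kid, accept only RS256, check the signature, then iss, aud and exp). Only the Go standard library is used. The kid "mock-key-1", the issuer "http://localhost:8080", the client id "test-client", the "user-<client>" subject and the one-hour lifetime are taken from the examples on this page; the function names are this example's own and are not the project's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK segments are unpadded base64url
const keyID = "mock-key-1"       // kid from the PR's header example
// NewKey generates the signing key pair; 2048 bits follows the PR description.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IDTokenClaims builds the claim set shown in the PR's ID token example.
func IDTokenClaims(issuer, clientID, nonce string, now time.Time, ttl time.Duration) map[string]any {
	return map[string]any{"iss": issuer, "sub": "user-" + clientID, "aud": clientID,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(), "nonce": nonce}
}

// Sign produces a compact RS256 JWT: b64url(header).b64url(claims).b64url(PKCS#1 v1.5 signature over SHA-256).
func Sign(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": keyID, "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// JWKS renders the public key as a JSON Web Key Set: n and e are big-endian magnitudes, base64url-encoded.
func JWKS(pub *rsa.PublicKey) ([]byte, error) {
	return json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "RSA", "use": "sig", "alg": "RS256", "kid": keyID,
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}})
}

// Verify mirrors an OIDC client: pick the JWK by kid, accept only RS256 (the header never chooses the
// algorithm), check the signature, then iss, aud and exp.
func Verify(token string, jwksDoc []byte, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	var header struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &header) != nil {
		return nil, fmt.Errorf("malformed header")
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	var set struct{ Keys []struct{ Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == header.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no JWK with kid %q", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid: wrong key or tampered token")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if claims["iss"] != issuer || claims["aud"] != audience || !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("iss, aud or exp rejected")
	}
	return claims, nil
}
func main() {
	key, _ := NewKey()
	tok, _ := Sign(key, IDTokenClaims("http://localhost:8080", "test-client", "d1IYgBZM8CzWfsKcyuncmQ", time.Now(), time.Hour))
	doc, _ := JWKS(&key.PublicKey)
	claims, err := Verify(tok, doc, "http://localhost:8080", "test-client", time.Now())
	fmt.Println(claims["sub"], err)
}
```

Two details matter for interoperability with libraries such as coreos/go-oidc: the JWK's n and e must be the raw big-endian magnitudes without padding (big.Int.Bytes() gives exactly that), and the kid in the token header must match the kid in the JWKS, since clients use it to select the key after caching the document from the /jwks endpoint.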


Copilot AI changed the title [WIP] Fix mock OAuth server to return valid JWTs Fix mock OAuth2 server to return valid JWTs instead of plain strings Oct 12, 2025
Copilot AI requested a review from chrisw-dev October 12, 2025 09:10
Copilot finished work on behalf of chrisw-dev October 12, 2025 09:10
@chrisw-dev chrisw-dev marked this pull request as ready for review October 12, 2025 13:04
@chrisw-dev chrisw-dev merged commit fcbceae into main Oct 12, 2025
2 checks passed
@chrisw-dev chrisw-dev deleted the copilot/fix-mock-oauth-server-jwt branch October 12, 2025 13:05