Replace Fosite OIDC provider with embedded Dex

Dockerfile

@@ -22,7 +22,7 @@ FROM scratch
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=builder /server /
-COPY --from=builder /oidc-provider/templates /oidc-provider/templates
+COPY --from=builder /oidc-provider/web /oidc-provider/web
 
 EXPOSE 8080
 EXPOSE 80

go.mod

@@ -3,87 +3,116 @@ module gitlab.com/mobicoop/solidarity/services/mobility-accounts
 go 1.24
 
 require (
-	ariga.io/atlas v0.10.1
+	ariga.io/atlas v0.31.1-0.20250212144724-069be8033e83
+	github.com/dexidp/dex v0.0.0-20250219130842-7d1a7473c8a0
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/csrf v1.7.1
+	github.com/lib/pq v1.10.9
-	github.com/gorilla/mux v1.8.0
-	github.com/lib/pq v1.10.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/ory/fosite v0.42.2
 	github.com/rs/zerolog v1.33.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.0.0
 	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.10.0
-	go.etcd.io/etcd/client/v3 v3.5.6
+	go.etcd.io/etcd/client/v3 v3.5.18
 	go.mongodb.org/mongo-driver v1.11.4
-	golang.org/x/crypto v0.27.0
+	golang.org/x/crypto v0.33.0
-	google.golang.org/grpc v1.68.0
+	google.golang.org/grpc v1.70.0
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/protobuf v1.36.5
-	gopkg.in/square/go-jose.v2 v2.5.2-0.20210529014059-a5c7eec3c614
 )
 
 require (
+	cloud.google.com/go/auth v0.14.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/cespare/xxhash v1.1.0 // indirect
+	github.com/beevik/etree v1.5.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.12.0 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgraph-io/ristretto v0.0.3 // indirect
+	github.com/dexidp/dex/api/v2 v2.3.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/inflect v0.19.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.16.2 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/jonboulle/clockwork v0.2.2 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/goveralls v0.0.6 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
-	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
-	github.com/ory/go-acc v0.2.6 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/ory/go-convenience v0.1.0 // indirect
-	github.com/ory/viper v1.7.5 // indirect
-	github.com/ory/x v0.0.214 // indirect
-	github.com/pborman/uuid v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/russellhaering/goxmldsig v1.4.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.0.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/tidwall/pretty v1.1.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.1 // indirect
 	github.com/xdg-go/stringprep v1.0.3 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
-	github.com/zclconf/go-cty v1.12.1 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.6 // indirect
+	github.com/zclconf/go-cty-yaml v1.1.0 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.6 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.18 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.18 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/exp v0.0.0-20221004215720-b9f4876ce741 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/oauth2 v0.26.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/sys v0.30.0 // indirect
-	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/api v0.221.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-//replace github.com/ory/fosite => ../../../github.com/ory/fosite

oidc-provider/connector/connector.go

@@ -0,0 +1,151 @@
+package connector
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+
+	"github.com/dexidp/dex/connector"
+	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
+	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
+)
+
+// Config is the connector configuration used by Dex's ConnectorConfig interface.
+// Fields are injected in-process (not via JSON unmarshaling).
+type Config struct {
+	Handler   *handlers.MobilityAccountsHandler
+	Storage   storage.Storage
+	Namespace string
+}
+
+// Open satisfies server.ConnectorConfig. It returns a Connector that implements
+// connector.PasswordConnector and connector.RefreshConnector.
+func (c *Config) Open(id string, logger *slog.Logger) (connector.Connector, error) {
+	if c.Handler == nil {
+		return nil, fmt.Errorf("mobilityaccounts connector: handler is nil")
+	}
+	return &Connector{
+		handler:   c.Handler,
+		storage:   c.Storage,
+		namespace: c.Namespace,
+		logger:    logger,
+	}, nil
+}
+
+// Connector bridges Dex authentication to the mobility-accounts handler.
+// It implements connector.PasswordConnector and connector.RefreshConnector.
+type Connector struct {
+	handler   *handlers.MobilityAccountsHandler
+	storage   storage.Storage
+	namespace string
+	logger    *slog.Logger
+}
+
+// Prompt returns the label displayed on the password form input.
+func (c *Connector) Prompt() string { return "Email" }
+
+// Login authenticates a user via the mobility-accounts handler and maps the
+// account data to a Dex Identity with standard OIDC claims.
+func (c *Connector) Login(ctx context.Context, s connector.Scopes, username, password string) (connector.Identity, bool, error) {
+	account, err := c.handler.Login(username, password, c.namespace)
+	if err != nil {
+		// Invalid credentials: return validPassword=false, no error
+		return connector.Identity{}, false, nil
+	}
+
+	c.logger.Info("connector login", "account_id", account.ID, "data_keys", dataKeys(account.Data), "groups_raw", fmt.Sprintf("%T: %v", account.Data["groups"], account.Data["groups"]))
+
+	identity := buildIdentity(account)
+	c.logger.Info("connector identity", "groups", identity.Groups, "email", identity.Email, "username", identity.Username)
+	return identity, true, nil
+}
+
+// Refresh is called when a client uses a refresh token. It reloads the account
+// from storage to reflect any changes since the last authentication.
+func (c *Connector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
+	account, err := c.storage.DB.GetAccount(identity.UserID)
+	if err != nil {
+		return identity, fmt.Errorf("mobilityaccounts connector: refresh failed: %w", err)
+	}
+
+	return buildIdentity(account), nil
+}
+
+// buildIdentity maps a mobility-accounts Account to a Dex connector.Identity.
+// Dex maps Identity.Username to the "name" OIDC claim and
+// Identity.PreferredUsername to the "preferred_username" claim.
+func buildIdentity(account *storage.Account) connector.Identity {
+	displayName := getStringData(account, "display_name")
+	if displayName == "" {
+		displayName = derefString(account.Authentication.Local.Username)
+	}
+	return connector.Identity{
+		UserID:            account.ID,
+		Username:          displayName,
+		PreferredUsername: derefString(account.Authentication.Local.Username),
+		Email:             getStringData(account, "email"),
+		EmailVerified:     true,
+		Groups:            getGroups(account),
+		ConnectorData:     nil,
+	}
+}
+
+// dataKeys returns the keys of a map for debug logging.
+func dataKeys(m map[string]any) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}
+
+// derefString safely dereferences a *string, returning "" if nil.
+func derefString(s *string) string {
+	if s == nil {
+		return ""
+	}
+	return *s
+}
+
+// getStringData retrieves a string value from account.Data by key.
+func getStringData(account *storage.Account, key string) string {
+	if account.Data == nil {
+		return ""
+	}
+	v, ok := account.Data[key]
+	if !ok {
+		return ""
+	}
+	s, ok := v.(string)
+	if !ok {
+		return ""
+	}
+	return s
+}
+
+// getGroups retrieves the groups slice from account.Data["groups"].
+// Uses JSON round-tripping to handle any BSON/primitive type from MongoDB.
+func getGroups(account *storage.Account) []string {
+	if account.Data == nil {
+		return []string{}
+	}
+	v, ok := account.Data["groups"]
+	if !ok || v == nil {
+		return []string{}
+	}
+
+	// JSON round-trip handles primitive.A, []interface{}, []string, etc.
+	b, err := json.Marshal(v)
+	if err != nil {
+		return []string{}
+	}
+	var groups []string
+	if err := json.Unmarshal(b, &groups); err != nil {
+		return []string{}
+	}
+	if groups == nil {
+		return []string{}
+	}
+	return groups
+}

oidc-provider/endpoints_auth.go

@@ -1,101 +0,0 @@
-package op
-
-import (
-	"fmt"
-	"html/template"
-	"net/http"
-	"time"
-
-	"github.com/gorilla/csrf"
-	"github.com/gorilla/mux"
-	"github.com/ory/fosite"
-	"github.com/ory/fosite/handler/openid"
-	"github.com/ory/fosite/token/jwt"
-)
-
-func (op *OIDCHandler) AuthEndpoint(w http.ResponseWriter, r *http.Request) {
-	namespace := mux.Vars(r)["namespace"]
-	oauth2Provider := op.NamespaceProviders[namespace]
-	templates_dir := op.config.Namespaces[namespace].TemplatesDir
-
-	t := template.New("auth")
-	t = template.Must(t.ParseFiles(
-		templates_dir + "/auth.html",
-	))
-
-	ctx := r.Context()
-	ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r)
-	if err != nil {
-		oauth2Provider.WriteAuthorizeError(w, ar, err)
-		return
-	}
-
-	if r.Method == "POST" {
-		if r.Form.Get("username") == "" || r.Form.Get("password") == "" {
-			oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied)
-			return
-		}
-
-		account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace)
-		if err != nil {
-			if err = t.ExecuteTemplate(w, "auth", map[string]any{
-				csrf.TemplateTag: csrf.TemplateField(r),
-				"error":          fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace),
-				"realError":      err,
-			}); err != nil {
-				oauth2Provider.WriteAuthorizeError(w, ar, err)
-			}
-			return
-		}
-
-		sessionData := &openid.DefaultSession{
-			Claims: &jwt.IDTokenClaims{
-				Issuer:      fmt.Sprintf("%s://%s/%s", op.Protocol, r.Host, namespace),
-				Subject:     account.ID,
-				Audience:    []string{},
-				ExpiresAt:   time.Now().Add(time.Hour * 30),
-				IssuedAt:    time.Now(),
-				RequestedAt: time.Now(),
-				AuthTime:    time.Now(),
-				Extra:       make(map[string]interface{}),
-			},
-			Username: r.Form.Get("username"),
-			Subject:  account.ID,
-			Headers: &jwt.Headers{
-				Extra: make(map[string]interface{}),
-			},
-		}
-
-		// Manage claims
-		for _, v := range ar.GetRequestedScopes() {
-			ar.GrantScope(v)
-
-			if v != "openid" { // TODO handle standard claims like profile, email, ...
-				if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok {
-					if d, ok := account.Data[mc]; ok {
-						sessionData.Claims.Extra[v] = d
-					}
-				} else if d, ok := account.Data[v]; ok {
-					sessionData.Claims.Extra[v] = d
-				}
-			}
-		}
-
-		response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData)
-		if err != nil {
-			oauth2Provider.WriteAuthorizeError(w, ar, err)
-			return
-		}
-
-		oauth2Provider.WriteAuthorizeResponse(w, ar, response)
-		return
-	}
-
-	err = t.ExecuteTemplate(w, "auth", map[string]any{
-		// csrf.TemplateTag: csrf.TemplateField(r),
-	})
-
-	if err != nil {
-		panic(err)
-	}
-}

oidc-provider/endpoints_introspection.go

@@ -1,26 +0,0 @@
-package op
-
-import (
-	"log"
-	"net/http"
-
-	"github.com/gorilla/mux"
-	"github.com/ory/fosite"
-)
-
-func (op *OIDCHandler) IntrospectionEndpoint(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Access-Control-Allow-Origin", "*")
-	namespace := mux.Vars(r)["namespace"]
-	oauth2Provider := op.NamespaceProviders[namespace]
-
-	ctx := r.Context()
-	mySessionData := new(fosite.DefaultSession)
-	ir, err := oauth2Provider.NewIntrospectionRequest(ctx, r, mySessionData)
-	if err != nil {
-		log.Printf("Error occurred in NewIntrospectionRequest: %+v", err)
-		oauth2Provider.WriteIntrospectionError(w, err)
-		return
-	}
-
-	oauth2Provider.WriteIntrospectionResponse(w, ir)
-}

oidc-provider/endpoints_token.go

@@ -1,41 +0,0 @@
-package op
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/gorilla/mux"
-	"github.com/ory/fosite/handler/openid"
-)
-
-func (op *OIDCHandler) TokenEndpoint(w http.ResponseWriter, req *http.Request) {
-	w.Header().Set("Access-Control-Allow-Origin", "*")
-	namespace := mux.Vars(req)["namespace"]
-	provider := op.NamespaceProviders[namespace]
-
-	ctx := req.Context()
-
-	mySessionData := openid.NewDefaultSession()
-
-	accessRequest, err := provider.NewAccessRequest(ctx, req, mySessionData)
-	if err != nil {
-		fmt.Printf("Error occurred in NewAccessRequest: %+v", err)
-		provider.WriteAccessError(w, accessRequest, err)
-		return
-	}
-
-	if accessRequest.GetGrantTypes().ExactOne("client_credentials") {
-		for _, scope := range accessRequest.GetRequestedScopes() {
-			accessRequest.GrantScope(scope)
-		}
-	}
-
-	response, err := provider.NewAccessResponse(ctx, accessRequest)
-	if err != nil {
-		fmt.Printf("Error occurred in NewAccessResponse: %+v", err)
-		provider.WriteAccessError(w, accessRequest, err)
-		return
-	}
-
-	provider.WriteAccessResponse(w, accessRequest, response)
-}

oidc-provider/endpoints_userinfo.go

@@ -1,8 +0,0 @@
-package op
-
-import "net/http"
-
-func (op *OIDCHandler) UserinfoEndpoint(w http.ResponseWriter, req *http.Request) {
-	// TODO
-	w.WriteHeader(http.StatusNotFound)
-}

oidc-provider/endpoints_wellknown.go

@@ -1,63 +0,0 @@
-package op
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/gorilla/mux"
-	"gopkg.in/square/go-jose.v2"
-)
-
-func (op *OIDCHandler) WellKnownOIDCEndpoint(w http.ResponseWriter, r *http.Request) {
-
-	var (
-		host      = r.Host
-		namespace = mux.Vars(r)["namespace"]
-		protocol  = op.Protocol
-		issuer    = fmt.Sprintf("%s://%s/%s", protocol, host, namespace)
-	)
-
-	response := map[string]any{
-		"issuer":                                issuer,
-		"authorization_endpoint":                issuer + "/auth",
-		"token_endpoint":                        issuer + "/token",
-		"userinfo_endpoint":                     issuer + "/userinfo",
-		"id_token_signing_alg_values_supported": []string{"RS256"},
-		"grant_types_supported":                 []string{"authorization_code", "implicit", "client_credentials", "refresh_token"},
-		"response_types":                        []string{"code", "code id_token", "id_token", "token id_token", "token", "token id_token code"},
-		"response_modes_supported":              []string{"query", "fragment"},
-		"jwks_uri":                              issuer + "/.well-known/jwks.json",
-	}
-
-	json, err := json.Marshal(response)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusOK)
-	w.Write(json)
-}
-
-func (op *OIDCHandler) WellKnownJWKSEndpoint(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "application/json")
-	jwks := &jose.JSONWebKeySet{
-		Keys: []jose.JSONWebKey{
-			{
-				KeyID: "kid-foo",
-				Use:   "sig",
-				Key:   &op.PrivateKey.PublicKey,
-			},
-		},
-	}
-
-	jsonJwks, err := json.Marshal(jwks)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-	}
-
-	w.WriteHeader(http.StatusOK)
-	w.Write(jsonJwks)
-}

oidc-provider/fosite.go

@@ -1,574 +0,0 @@
-package op
-
-import (
-	"context"
-	"crypto/rsa"
-	"errors"
-	"net/url"
-	"reflect"
-	"strings"
-	"time"
-
-	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
-	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
-	"github.com/mitchellh/mapstructure"
-	"github.com/ory/fosite"
-	"github.com/ory/fosite/compose"
-	"github.com/ory/fosite/handler/openid"
-	"gopkg.in/square/go-jose.v2"
-)
-
-func NewProvider(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, s storage.Storage, privateKey *rsa.PrivateKey) fosite.OAuth2Provider {
-
-	config := &compose.Config{
-		RedirectSecureChecker: func(checkUrl *url.URL) bool {
-			if strings.HasSuffix(checkUrl.Host, "svc.cluster.local") || strings.HasSuffix(checkUrl.Host, "localhost") {
-				return true
-			}
-			return false
-		},
-	}
-	storage := NewOIDCProviderStore(c, h, s.KV)
-	secret := []byte(c.SecretKey)
-	return compose.ComposeAllEnabled(config, storage, secret, privateKey)
-}
-
-type OIDCProviderStore struct {
-	Namespace               string
-	MobilityAccountsHandler handlers.MobilityAccountsHandler
-	KV                      storage.KVStore
-	Clients                 map[string]fosite.Client
-}
-
-func NewOIDCProviderStore(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, storage storage.KVStore) *OIDCProviderStore {
-	clients := map[string]fosite.Client{}
-
-	for _, v := range c.Clients {
-		client := &fosite.DefaultClient{
-			ID:            v.ID,
-			Secret:        []byte(v.Secret),
-			RedirectURIs:  v.RedirectURIs,
-			ResponseTypes: v.ResponseTypes,
-			GrantTypes:    v.GrantTypes,
-			Scopes:        v.Scopes,
-			Audience:      v.Audience,
-			Public:        v.Public,
-		}
-
-		if v.OIDC {
-			oidc_client := &fosite.DefaultOpenIDConnectClient{
-				DefaultClient:           client,
-				TokenEndpointAuthMethod: v.TokenEndpointAuthMethod,
-			}
-			clients[v.ID] = oidc_client
-		} else {
-			clients[v.ID] = client
-		}
-	}
-
-	return &OIDCProviderStore{
-		MobilityAccountsHandler: h,
-		KV:                      storage,
-		Clients:                 clients,
-	}
-}
-
-func (s *OIDCProviderStore) GetClient(_ context.Context, id string) (fosite.Client, error) {
-	cl, ok := s.Clients[id]
-	if !ok {
-		return nil, fosite.ErrNotFound
-	}
-	return cl, nil
-}
-
-func (s *OIDCProviderStore) Authenticate(_ context.Context, name string, secret string) error {
-	_, err := s.MobilityAccountsHandler.Login(name, secret, s.Namespace)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error {
-	err := s.KV.Put("id_sessions/"+authorizeCode, requester)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error) {
-	d, err := s.KV.Get("id_sessions/" + authorizeCode)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-	//return d.(fosite.Requester), nil
-
-	return DecodeRequest(d)
-
-	// req := fosite.NewRequest()
-	// req.Session = new(openid.DefaultSession)
-
-	// decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-	// 	Metadata: nil,
-	// 	DecodeHook: mapstructure.ComposeDecodeHookFunc(
-	// 		ToTimeHookFunc()),
-	// 	Result: &req,
-	// })
-	// if err != nil {
-	// 	return req, err
-	// }
-	// if err = decoder.Decode(d); err != nil {
-	// 	return req, err
-	// }
-
-	// return req, nil
-}
-
-// DeleteOpenIDConnectSession is not really called from anywhere and it is deprecated.
-func (s *OIDCProviderStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error {
-	err := s.KV.Delete("id_sessions/" + authorizeCode)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) ClientAssertionJWTValid(_ context.Context, jti string) error {
-	if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil {
-		return fosite.ErrJTIKnown
-	}
-
-	return nil
-}
-
-func (s *OIDCProviderStore) SetClientAssertionJWT(_ context.Context, jti string, exp time.Time) error {
-
-	if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil {
-		return fosite.ErrJTIKnown
-	}
-
-	duration := exp.Sub(time.Now())
-
-	if duration < 0 {
-		return errors.New("already expired")
-	}
-
-	err := s.KV.PutWithTTL("blacklisted_jtis/"+jti, true, duration)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error {
-	res := StoreAuthorizeCode{
-		Active:    true,
-		Requester: req.(*fosite.Request),
-	}
-	err := s.KV.Put("authorize_codes/"+code, res)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) {
-	rel, err := s.KV.Get("authorize_codes/" + code)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-
-	sac, err := DecodeStoreAuthorizeCode(rel)
-	if err != nil {
-		return nil, err
-	}
-
-	if !sac.Active {
-		return sac.Requester, fosite.ErrInvalidatedAuthorizeCode
-	}
-
-	return sac.Requester, nil
-}
-
-func (s *OIDCProviderStore) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error {
-	rel, err := s.KV.Get("authorize_codes/" + code)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-
-	sac, err := DecodeStoreAuthorizeCode(rel)
-	if err != nil {
-		return err
-	}
-
-	sac.Active = false
-	err = s.KV.Put("authorize_codes/"+code, sac)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) CreatePKCERequestSession(_ context.Context, code string, req fosite.Requester) error {
-	err := s.KV.Put("pkce/"+code, req)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetPKCERequestSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) {
-	rel, err := s.KV.Get("pkce/" + code)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-
-	req := fosite.NewRequest()
-	req.Session = new(fosite.DefaultSession)
-
-	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-		Metadata: nil,
-		DecodeHook: mapstructure.ComposeDecodeHookFunc(
-			ToTimeHookFunc()),
-		Result: &req,
-	})
-	if err != nil {
-		return req, err
-	}
-	if err = decoder.Decode(rel); err != nil {
-		return req, err
-	}
-
-	return req, nil
-}
-
-func (s *OIDCProviderStore) DeletePKCERequestSession(_ context.Context, code string) error {
-	err := s.KV.Delete("pkce/" + code)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error {
-	err := s.KV.Put("access_tokens/"+signature, req)
-	if err != nil {
-		return err
-	}
-	err = s.KV.Put("access_tokens_request_ids/"+req.GetID(), signature)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
-	rel, err := s.KV.Get("access_tokens/" + signature)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-	//return rel.(fosite.Requester), nil
-	req := fosite.NewRequest()
-	req.Session = new(fosite.DefaultSession)
-
-	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-		Metadata: nil,
-		DecodeHook: mapstructure.ComposeDecodeHookFunc(
-			ToTimeHookFunc()),
-		Result: &req,
-	})
-	if err != nil {
-		return req, err
-	}
-	if err = decoder.Decode(rel); err != nil {
-		return req, err
-	}
-
-	return req, nil
-}
-
-func (s *OIDCProviderStore) DeleteAccessTokenSession(_ context.Context, signature string) error {
-	err := s.KV.Delete("access_tokens/" + signature)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error {
-
-	err := s.KV.Put("refresh_tokens/"+signature, StoreRefreshToken{Active: true, Requester: req})
-	if err != nil {
-		return err
-	}
-	err = s.KV.Put("refresh_tokens_request_ids/"+req.GetID(), signature)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
-	rel, err := s.KV.Get("refresh_tokens/" + signature)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-	var srt StoreRefreshToken
-	if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil {
-		return nil, err
-	}
-	if !srt.Active {
-		return nil, fosite.ErrInactiveToken
-	}
-	return srt.Requester, nil
-}
-
-func (s *OIDCProviderStore) DeleteRefreshTokenSession(_ context.Context, signature string) error {
-	err := s.KV.Delete("refresh_tokens/" + signature)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) RevokeRefreshToken(ctx context.Context, requestID string) error {
-
-	if signature, err := s.KV.Get("refresh_tokens_request_ids" + requestID); err == nil {
-		rel, err := s.KV.Get("refresh_tokens/" + signature.(string))
-		if err != nil {
-			return fosite.ErrNotFound
-		}
-		var srt StoreRefreshToken
-		if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil {
-			return err
-		}
-		srt.Active = false
-
-		err = s.KV.Put("refresh_tokens/"+signature.(string), srt)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error {
-	// no configuration option is available; grace period is not available with memory store
-	return s.RevokeRefreshToken(ctx, requestID)
-}
-
-func (s *OIDCProviderStore) RevokeAccessToken(ctx context.Context, requestID string) error {
-	if signature, err := s.KV.Get("access_tokens_request_ids/" + requestID); err != nil {
-		if err := s.DeleteAccessTokenSession(ctx, signature.(string)); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *OIDCProviderStore) GetPublicKey(ctx context.Context, issuer string, subject string, keyId string) (*jose.JSONWebKey, error) {
-	if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
-		var ipk IssuerPublicKeys
-		if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
-			return nil, err
-		}
-		if subKeys, ok := ipk.KeysBySub[subject]; ok {
-			if keyScopes, ok := subKeys.Keys[keyId]; ok {
-				return keyScopes.Key, nil
-			}
-		}
-	}
-
-	return nil, fosite.ErrNotFound
-}
-func (s *OIDCProviderStore) GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error) {
-
-	if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
-		var ipk IssuerPublicKeys
-		if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
-			return nil, err
-		}
-		if subKeys, ok := ipk.KeysBySub[subject]; ok {
-			if len(subKeys.Keys) == 0 {
-				return nil, fosite.ErrNotFound
-			}
-
-			keys := make([]jose.JSONWebKey, 0, len(subKeys.Keys))
-			for _, keyScopes := range subKeys.Keys {
-				keys = append(keys, *keyScopes.Key)
-			}
-
-			return &jose.JSONWebKeySet{Keys: keys}, nil
-		}
-	}
-
-	return nil, fosite.ErrNotFound
-}
-
-func (s *OIDCProviderStore) GetPublicKeyScopes(ctx context.Context, issuer string, subject string, keyId string) ([]string, error) {
-
-	if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
-		var ipk IssuerPublicKeys
-		if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
-			return nil, err
-		}
-		if subKeys, ok := ipk.KeysBySub[subject]; ok {
-			if keyScopes, ok := subKeys.Keys[keyId]; ok {
-				return keyScopes.Scopes, nil
-			}
-		}
-	}
-
-	return nil, fosite.ErrNotFound
-}
-
-func (s *OIDCProviderStore) IsJWTUsed(ctx context.Context, jti string) (bool, error) {
-	err := s.ClientAssertionJWTValid(ctx, jti)
-	if err != nil {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func (s *OIDCProviderStore) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error {
-	return s.SetClientAssertionJWT(ctx, jti, exp)
-}
-
-// CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key.
-func (s *OIDCProviderStore) CreatePARSession(ctx context.Context, requestURI string, request fosite.AuthorizeRequester) error {
-	err := s.KV.Put("par_sessions/"+requestURI, request)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPARSession gets the push authorization request context. If the request is nil, a new request object
-// is created. Otherwise, the same object is updated.
-func (s *OIDCProviderStore) GetPARSession(ctx context.Context, requestURI string) (fosite.AuthorizeRequester, error) {
-	rel, err := s.KV.Get("par_sessions/" + requestURI)
-	if err != nil {
-		return nil, fosite.ErrNotFound
-	}
-
-	return rel.(fosite.AuthorizeRequester), nil
-}
-
-// DeletePARSession deletes the context.
-func (s *OIDCProviderStore) DeletePARSession(ctx context.Context, requestURI string) error {
-	err := s.KV.Delete("par_sessions/" + requestURI)
-	if err != nil {
-		return fosite.ErrNotFound
-	}
-	return nil
-}
-
-type StoreAuthorizeCode struct {
-	Active    bool            `json:"active"`
-	Requester *fosite.Request `json:"requester"`
-}
-
-func DecodeStoreAuthorizeCode(rel interface{}) (StoreAuthorizeCode, error) {
-	sac := StoreAuthorizeCode{
-		Active:    false,
-		Requester: fosite.NewRequest(),
-	}
-	// metadata := mapstructure.Metadata{}
-	sac.Requester.Session = new(openid.DefaultSession)
-	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-		// Metadata: &metadata,
-		DecodeHook: mapstructure.ComposeDecodeHookFunc(
-			ToTimeHookFunc(),
-			ToBytes(),
-		),
-		TagName: "json",
-		Result:  &sac,
-	})
-	if err != nil {
-		return sac, err
-	}
-	if err = decoder.Decode(rel); err != nil {
-		return sac, err
-	}
-	return sac, nil
-}
-
-func DecodeRequest(rel interface{}) (*fosite.Request, error) {
-	req := fosite.NewRequest()
-	req.Session = new(openid.DefaultSession)
-	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
-		// Metadata: &metadata,
-		DecodeHook: mapstructure.ComposeDecodeHookFunc(
-			ToTimeHookFunc(),
-			ToBytes(),
-		),
-		TagName: "json",
-		Result:  &req,
-	})
-	if err != nil {
-		return req, err
-	}
-	if err = decoder.Decode(rel); err != nil {
-		return req, err
-	}
-	return req, nil
-}
-
-type StoreRefreshToken struct {
-	Active    bool
-	Requester fosite.Requester
-}
-
-type IssuerPublicKeys struct {
-	Issuer    string
-	KeysBySub map[string]SubjectPublicKeys `mapstructure:"keys_by_sub"`
-}
-
-type SubjectPublicKeys struct {
-	Subject string
-	Keys    map[string]PublicKeyScopes
-}
-
-type PublicKeyScopes struct {
-	Key    *jose.JSONWebKey
-	Scopes []string
-}
-
-func ToTimeHookFunc() mapstructure.DecodeHookFunc {
-	return func(
-		f reflect.Type,
-		t reflect.Type,
-		data interface{}) (interface{}, error) {
-		if t != reflect.TypeOf(time.Time{}) {
-			return data, nil
-		}
-
-		switch f.Kind() {
-		case reflect.String:
-			return time.Parse(time.RFC3339, data.(string))
-		case reflect.Float64:
-			return time.Unix(0, int64(data.(float64))*int64(time.Millisecond)), nil
-		case reflect.Int64:
-			return time.Unix(0, data.(int64)*int64(time.Millisecond)), nil
-		default:
-			return data, nil
-		}
-		// Convert it by parsing
-	}
-}
-
-func ToBytes() mapstructure.DecodeHookFunc {
-	return func(
-		f reflect.Type,
-		t reflect.Type,
-		data interface{}) (interface{}, error) {
-
-		if t == reflect.TypeOf([]byte("")) && f.Kind() == reflect.String {
-			return []byte(data.(string)), nil
-		}
-
-		return data, nil
-	}
-}

oidc-provider/oidc-provider.go

@@ -1,24 +1,33 @@
 package op
 
 import (
-	"crypto/rand"
+	"context"
-	"crypto/rsa"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
 
-	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
+	"github.com/dexidp/dex/server"
-	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
+	dexstorage "github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/memory"
 	"github.com/mitchellh/mapstructure"
-	"github.com/ory/fosite"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
+	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
+	maconnector "gitlab.com/mobicoop/solidarity/services/mobility-accounts/oidc-provider/connector"
+	"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
 )
 
+// OIDCConfig holds the full OIDC provider configuration, decoded from viper.
 type OIDCConfig struct {
 	Enable     bool
-	CSRFKey    bool `mapstructure:"csrf_key"`
+	Port       string
-	Port       bool
+	BaseURL    string `mapstructure:"base_url"`
 	Namespaces map[string]OIDCNamespaceConfig
 }
 
+// OIDCNamespaceConfig holds per-namespace OIDC settings.
 type OIDCNamespaceConfig struct {
 	Namespace    string
 	SecretKey    string            `mapstructure:"secret_key"`
@@ -27,6 +36,7 @@ type OIDCNamespaceConfig struct {
 	Clients      []OIDCClient
 }
 
+// OIDCClient represents a static OIDC client.
 type OIDCClient struct {
 	ID            string
 	OIDC          bool
@@ -41,60 +51,139 @@ type OIDCClient struct {
 	TokenEndpointAuthMethod string `mapstructure:"token_endpoint_auth_method"`
 }
 
-type OIDCHandler struct {
+// NewDexServer creates an http.ServeMux that hosts one Dex OIDC server per namespace.
-	NamespaceProviders map[string]fosite.OAuth2Provider
+// Each namespace is mounted at /{namespaceName}/ and has its own storage, clients,
-	config             OIDCConfig
+// and connector instance.
-	handler            handlers.MobilityAccountsHandler
+func NewDexServer(handler *handlers.MobilityAccountsHandler, stor storage.Storage, cfg *viper.Viper) (*http.ServeMux, error) {
-	Protocol           string //HTTP (dev env) or HTTPS
+	var oidcConfig OIDCConfig
-	PrivateKey         *rsa.PrivateKey
+	mapstructure.Decode(cfg.Get("services.oidc_provider").(map[string]any), &oidcConfig)
+
+	baseURL := oidcConfig.BaseURL
+	if baseURL == "" {
+		protocol := "https"
+		if cfg.GetBool("dev_env") {
+			protocol = "http"
+		}
+		baseURL = fmt.Sprintf("%s://0.0.0.0:%s", protocol, cfg.GetString("services.oidc_provider.port"))
+	}
+
+	mux := http.NewServeMux()
+	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelInfo}))
+
+	// Register our custom connector type in Dex's global registry
+	server.ConnectorsConfig["mobilityaccounts"] = func() server.ConnectorConfig {
+		return &maconnector.Config{
+			Handler:   handler,
+			Storage:   stor,
+			Namespace: "", // will be set per-namespace below
+		}
+	}
+
+	for nsName, nsCfg := range oidcConfig.Namespaces {
+		dexServer, err := createNamespaceDexServer(handler, stor, nsCfg, nsName, baseURL, logger)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create Dex server for namespace %q: %w", nsName, err)
+		}
+
+		prefix := "/" + nsName
+		mux.Handle(prefix+"/", dexServer)
+	}
+
+	return mux, nil
 }
 
-func NewOIDCHandler(h handlers.MobilityAccountsHandler, storage storage.Storage, config *viper.Viper) *OIDCHandler {
+// createNamespaceDexServer builds a single Dex server.Server for one namespace.
-	var oidc_config OIDCConfig
+func createNamespaceDexServer(handler *handlers.MobilityAccountsHandler, stor storage.Storage, nsCfg OIDCNamespaceConfig, nsName, baseURL string, logger *slog.Logger) (*server.Server, error) {
+	ctx := context.Background()
 
-	mapstructure.Decode(config.Get("services.oidc_provider").(map[string]any), &oidc_config)
+	// In-memory Dex storage
+	dexStore := memory.New(logger)
 
-	providers := map[string]fosite.OAuth2Provider{}
+	// Register static clients
+	clients := buildDexClients(nsCfg.Clients)
+	dexStore = dexstorage.WithStaticClients(dexStore, clients)
 
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	// Register the connector — we override ConnectorsConfig factory for this namespace
+	// so that Open() will get the right handler/storage/namespace.
+	server.ConnectorsConfig["mobilityaccounts"] = func() server.ConnectorConfig {
+		return &maconnector.Config{
+			Handler:   handler,
+			Storage:   stor,
+			Namespace: nsCfg.Namespace,
+		}
+	}
+
+	conn := dexstorage.Connector{
+		ID:   "mobilityaccounts",
+		Type: "mobilityaccounts",
+		Name: "Mobility Accounts",
+	}
+	dexStore = dexstorage.WithStaticConnectors(dexStore, []dexstorage.Connector{conn})
+
+	issuer := fmt.Sprintf("%s/%s", baseURL, nsName)
+
+	// Determine web config
+	webCfg := server.WebConfig{
+		Issuer: nsName,
+	}
+	if nsCfg.TemplatesDir != "" {
+		webCfg.Dir = nsCfg.TemplatesDir
+	}
+
+	// Dex v2.42 manages signing keys internally via storage.
+	dexServer, err := server.NewServer(ctx, server.Config{
+		Issuer:             issuer,
+		Storage:            dexStore,
+		SkipApprovalScreen: true,
+		IDTokensValidFor:   30 * time.Hour,
+		Web:                webCfg,
+		Logger:             logger,
+		Now:                time.Now,
+	})
 	if err != nil {
-		return nil
+		return nil, fmt.Errorf("failed to create Dex server: %w", err)
 	}
 
-	for _, c := range oidc_config.Namespaces {
+	return dexServer, nil
-		np := NewProvider(c, h, storage, privateKey)
-
-		providers[c.Namespace] = np
-	}
-
-	protocol := "https"
-	if config.GetBool("dev_env") {
-		protocol = "http"
-	}
-
-	return &OIDCHandler{
-		config:             oidc_config,
-		handler:            h,
-		NamespaceProviders: providers,
-		Protocol:           protocol,
-		PrivateKey:         privateKey,
-	}
 }
 
-func Run(done chan error, cfg *viper.Viper, handler handlers.MobilityAccountsHandler, storage storage.Storage) {
+// buildDexClients converts the config OIDCClient list to Dex storage.Client list.
-	var (
+func buildDexClients(clients []OIDCClient) []dexstorage.Client {
-		address = "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
+	dexClients := make([]dexstorage.Client, 0, len(clients))
-	)
+	for _, c := range clients {
+		dexClients = append(dexClients, dexstorage.Client{
+			ID:           c.ID,
+			Secret:       c.Secret,
+			RedirectURIs: c.RedirectURIs,
+			Public:       c.Public,
+			Name:         c.ID,
+		})
+	}
+	return dexClients
+}
 
-	log.Info().Str("address", address).Msg("Running OIDC provider")
+// Run starts the OIDC provider HTTP server. Called from main.go as a goroutine.
-
+func Run(done chan error, cfg *viper.Viper, handler handlers.MobilityAccountsHandler, stor storage.Storage) {
-	s := NewOIDCHandler(handler, storage, cfg)
+	address := "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
-
+	log.Info().Str("address", address).Msg("Running Dex OIDC provider")
-	err := NewOIDCServer(s, cfg)
 
+	mux, err := NewDexServer(&handler, stor, cfg)
 	if err != nil {
-		log.Error().Err(err).Msg("OIDC server ended")
+		log.Error().Err(err).Msg("Failed to create Dex OIDC server")
+		done <- err
+		return
 	}
 
+	srv := &http.Server{
+		Handler:      mux,
+		Addr:         address,
+		WriteTimeout: 15 * time.Second,
+		ReadTimeout:  15 * time.Second,
+	}
+
+	err = srv.ListenAndServe()
+	if err != nil {
+		log.Error().Err(err).Msg("Dex OIDC server ended")
+	}
 	done <- err
 }

oidc-provider/server.go

@@ -1,40 +0,0 @@
-package op
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/gorilla/csrf"
-	"github.com/gorilla/mux"
-	"github.com/spf13/viper"
-)
-
-func NewOIDCServer(oidc_handler *OIDCHandler, cfg *viper.Viper) error {
-	var (
-		dev_env = cfg.GetBool("dev_env")
-		address = "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
-		//csrf_key = cfg.GetString("services.oidc_provider.csrf_key")
-	)
-
-	router := mux.NewRouter()
-	router.HandleFunc("/{namespace}/auth", oidc_handler.AuthEndpoint)
-	router.HandleFunc("/{namespace}/token", oidc_handler.TokenEndpoint)
-	router.HandleFunc("/{namespace}/introspect", oidc_handler.IntrospectionEndpoint)
-	router.HandleFunc("/{namespace}/userinfo", oidc_handler.UserinfoEndpoint)
-	router.HandleFunc("/{namespace}/.well-known/openid-configuration", oidc_handler.WellKnownOIDCEndpoint)
-	router.HandleFunc("/{namespace}/.well-known/jwks.json", oidc_handler.WellKnownJWKSEndpoint)
-
-	if dev_env {
-		csrf.Secure(false)
-	}
-
-	srv := &http.Server{
-		Handler:      router,
-		Addr:         address,
-		WriteTimeout: 15 * time.Second,
-		ReadTimeout:  15 * time.Second,
-	}
-	err := srv.ListenAndServe()
-
-	return err
-}

oidc-provider/web/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

oidc-provider/web/static/main.css

@@ -0,0 +1 @@
+/* Mobicoop Solidaire — static styles are inlined in header.html */

oidc-provider/web/templates/approval.html

@@ -0,0 +1,22 @@
+{{ template "header.html" . }}
+
+    <h2>Autorisation</h2>
+
+    <p style="text-align:center; font-size:0.875rem; margin-bottom:1rem;">
+      <strong>{{ .Client }}</strong> souhaite acceder a votre compte.
+    </p>
+
+    {{ if .Scopes }}
+    <p style="font-size:0.875rem;">Permissions demandees :</p>
+    <ul class="scopes-list">
+      {{ range $s := .Scopes }}
+      <li>{{ $s }}</li>
+      {{ end }}
+    </ul>
+    {{ end }}
+
+    <form method="POST" action="{{ .Approval }}">
+      <button type="submit" class="btn-primary">Autoriser</button>
+    </form>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/device.html

@@ -0,0 +1,21 @@
+{{ template "header.html" . }}
+
+    <h2>Connexion appareil</h2>
+
+    {{ if .Invalid }}
+    <div class="error-box">
+      Code invalide. Veuillez reessayer.
+    </div>
+    {{ end }}
+
+    <form method="POST" action="{{ .PostURL }}">
+      <div class="form-group">
+        <label for="user_code">Code utilisateur</label>
+        <input required id="user_code" name="user_code" type="text"
+               {{ if .UserCode }}value="{{ .UserCode }}"{{ end }}
+               placeholder="XXXX-XXXX" autofocus>
+      </div>
+      <button type="submit" class="btn-primary">Valider</button>
+    </form>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/device_success.html

@@ -0,0 +1,9 @@
+{{ template "header.html" . }}
+
+    <h2>Appareil connecte</h2>
+
+    <p style="text-align:center; font-size:0.875rem;">
+      Votre appareil <strong>{{ .ClientName }}</strong> est maintenant connecte. Vous pouvez fermer cette page.
+    </p>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/error.html

@@ -0,0 +1,14 @@
+{{ template "header.html" . }}
+
+    <h2>Erreur</h2>
+
+    <div class="error-box">
+      {{ if .ErrType }}<strong>{{ .ErrType }}</strong><br>{{ end }}
+      {{ if .ErrMsg }}{{ .ErrMsg }}{{ else }}Une erreur inattendue est survenue.{{ end }}
+    </div>
+
+    <div class="link-center">
+      <a href="javascript:history.back()">Retour</a>
+    </div>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/footer.html

@@ -0,0 +1,3 @@
+  </div>
+</body>
+</html>

oidc-provider/web/templates/header.html

@@ -0,0 +1,161 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{ issuer }} - Connexion</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;500;600;700&display=swap" rel="stylesheet">
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+    body {
+      font-family: 'Poppins', sans-serif;
+      background-color: #f9fafb;
+      color: #1f2937;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+
+    .card {
+      background: #fff;
+      border-radius: 1rem;
+      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
+      padding: 2.5rem 2rem;
+      width: 100%;
+      max-width: 28rem;
+      margin: 1rem;
+    }
+
+    .logo {
+      display: block;
+      margin: 0 auto 1.5rem;
+      max-width: 200px;
+      height: auto;
+    }
+
+    h2 {
+      text-align: center;
+      font-size: 1.5rem;
+      font-weight: 600;
+      color: #243887;
+      margin-bottom: 1.5rem;
+    }
+
+    .form-group { margin-bottom: 1rem; }
+
+    label {
+      display: block;
+      font-size: 0.875rem;
+      font-weight: 500;
+      color: #374151;
+      margin-bottom: 0.25rem;
+    }
+
+    input[type="text"],
+    input[type="email"],
+    input[type="password"] {
+      width: 100%;
+      padding: 0.625rem 0.875rem;
+      border: 1px solid #d1d5db;
+      border-radius: 1rem;
+      font-family: 'Poppins', sans-serif;
+      font-size: 0.875rem;
+      outline: none;
+      transition: border-color 0.15s;
+    }
+
+    input[type="text"]:focus,
+    input[type="email"]:focus,
+    input[type="password"]:focus {
+      border-color: #243887;
+      box-shadow: 0 0 0 2px rgba(36,56,135,0.15);
+    }
+
+    .btn-primary {
+      display: block;
+      width: 100%;
+      padding: 0.625rem;
+      background-color: #243887;
+      color: #fff;
+      border: none;
+      border-radius: 1rem;
+      font-family: 'Poppins', sans-serif;
+      font-size: 0.875rem;
+      font-weight: 600;
+      cursor: pointer;
+      transition: background-color 0.15s;
+      margin-top: 1.25rem;
+    }
+
+    .btn-primary:hover { background-color: #1c2d6e; }
+
+    .error-box {
+      background-color: #fef2f2;
+      border: 1px solid #fecaca;
+      color: #991b1b;
+      padding: 0.75rem 1rem;
+      border-radius: 0.75rem;
+      font-size: 0.8125rem;
+      margin-bottom: 1rem;
+    }
+
+    .link-center {
+      text-align: center;
+      margin-top: 1rem;
+    }
+
+    .link-center a {
+      color: #243887;
+      font-size: 0.8125rem;
+      text-decoration: none;
+      font-weight: 500;
+    }
+
+    .link-center a:hover { text-decoration: underline; }
+
+    .back-link {
+      text-align: center;
+      margin-top: 0.75rem;
+    }
+
+    .back-link a {
+      color: #6b7280;
+      font-size: 0.8125rem;
+      text-decoration: none;
+    }
+
+    .back-link a:hover { text-decoration: underline; }
+
+    .connector-list { list-style: none; }
+
+    .connector-list li { margin-bottom: 0.5rem; }
+
+    .connector-list a {
+      display: block;
+      text-align: center;
+      padding: 0.625rem;
+      background-color: #243887;
+      color: #fff;
+      border-radius: 1rem;
+      text-decoration: none;
+      font-weight: 600;
+      font-size: 0.875rem;
+      transition: background-color 0.15s;
+    }
+
+    .connector-list a:hover { background-color: #1c2d6e; }
+
+    .scopes-list {
+      list-style: disc;
+      padding-left: 1.5rem;
+      margin: 1rem 0;
+      font-size: 0.875rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="card">

oidc-provider/web/templates/login.html

@@ -0,0 +1,18 @@
+{{ template "header.html" . }}
+
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 240 48" class="logo">
+      <text x="50%" y="50%" dominant-baseline="central" text-anchor="middle"
+            font-family="Poppins, sans-serif" font-weight="700" font-size="18" fill="#243887">
+        Mobicoop Solidaire
+      </text>
+    </svg>
+
+    <h2>Connexion</h2>
+
+    <ul class="connector-list">
+    {{ range $c := .Connectors }}
+      <li><a href="{{ $c.URL }}">{{ $c.Name }}</a></li>
+    {{ end }}
+    </ul>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/oob.html

@@ -0,0 +1,13 @@
+{{ template "header.html" . }}
+
+    <h2>Code d'autorisation</h2>
+
+    <p style="text-align:center; font-size:0.875rem; margin-bottom:1rem;">
+      Copiez ce code dans votre application :
+    </p>
+
+    <div style="text-align:center; font-size:1.25rem; font-weight:600; color:#243887; background:#f3f4f6; padding:1rem; border-radius:0.75rem; font-family:monospace;">
+      {{ .Code }}
+    </div>
+
+{{ template "footer.html" . }}

oidc-provider/web/templates/password.html

@@ -0,0 +1,41 @@
+{{ template "header.html" . }}
+
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 240 48" class="logo">
+      <text x="50%" y="50%" dominant-baseline="central" text-anchor="middle"
+            font-family="Poppins, sans-serif" font-weight="700" font-size="18" fill="#243887">
+        Mobicoop Solidaire
+      </text>
+    </svg>
+
+    <h2>Connexion</h2>
+
+    {{ if .Invalid }}
+    <div class="error-box">
+      Identifiant ou mot de passe incorrect.
+    </div>
+    {{ end }}
+
+    <form method="POST" action="{{ .PostURL }}">
+      <div class="form-group">
+        <label for="login">{{ .UsernamePrompt }}</label>
+        <input tabindex="1" required id="login" name="login" type="email"
+               placeholder="email@exemple.fr"
+               {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}>
+      </div>
+
+      <div class="form-group">
+        <label for="password">Mot de passe</label>
+        <input tabindex="2" required id="password" name="password" type="password"
+               placeholder="mot de passe" {{ if .Invalid }}autofocus{{ end }}>
+      </div>
+
+      <button tabindex="3" type="submit" class="btn-primary">Se connecter</button>
+    </form>
+
+    {{ if .BackLink }}
+    <div class="back-link">
+      <a href="{{ .BackLink }}">Choisir une autre methode de connexion</a>
+    </div>
+    {{ end }}
+
+{{ template "footer.html" . }}

oidc-provider/web/themes/light/styles.css

@@ -0,0 +1 @@
+/* Mobicoop Solidaire theme — styles are inlined in header.html */