Add basic support for OIDC provider instantiation through discovery

authority/provisioner/acme.go

@@ -244,6 +244,11 @@ func (p *ACME) initializeWireOptions() error {
 		return fmt.Errorf("failed validating Wire options: %w", err)
 	}
 
+	// at this point the Wire options have been validated, and (mostly)
+	// initialized. Remote keys will be loaded upon the first verification,
+	// currently.
+	// TODO(hs): can/should we "prime" the underlying remote keyset?
+
 	return nil
 }
 

authority/provisioner/wire/oidc_options.go

@@ -15,6 +15,7 @@ import (
 )
 
 type Provider struct {
+	DiscoveryBaseURL string   `json:"discoveryBaseUrl,omitempty"` // TODO: probably safe to change to our usual configuration style
 	IssuerURL        string   `json:"issuer,omitempty"`
 	AuthURL          string   `json:"authorization_endpoint,omitempty"`
 	TokenURL         string   `json:"token_endpoint,omitempty"`
@@ -43,13 +44,29 @@ type OIDCOptions struct {
 	target             *template.Template
 	transform          *template.Template
 	oidcProviderConfig *oidc.ProviderConfig
+	provider           *oidc.Provider
 	verifier           *oidc.IDTokenVerifier
 }
 
 func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
 	if o.verifier == nil {
-		provider := o.oidcProviderConfig.NewProvider(ctx) // TODO: support the OIDC discovery flow
-		o.verifier = provider.Verifier(o.getConfig())
+		switch {
+		case o.Provider.DiscoveryBaseURL != "":
+			// creates a new OIDC provider using automatic discovery and the default HTTP client
+			if provider, err := oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL); err != nil {
+				return nil, fmt.Errorf("failed creating new OIDC provider using discovery: %w", err)
+			} else {
+				o.provider = provider
+			}
+		default:
+			o.provider = o.oidcProviderConfig.NewProvider(ctx)
+		}
+
+		if o.provider == nil {
+			return nil, errors.New("no OIDC provider available")
+		}
+
+		o.verifier = o.provider.Verifier(o.getConfig())
 	}
 
 	return o.verifier, nil