feat: allow setting op.Crypto during provider setup (#778)

Add a `op.WithCrypto` `op.Option` that allows developers to specify
their custom `op.Crypto` implementations during setup. If the
`op.Option` is used, it will override `op.Config.CryptoKey`.

Closes #736.

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [ ] My code has no repetitions
- [ ] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [ ] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.

---------

Signed-off-by: mqf20 <[email protected]>
Co-authored-by: Tim Möhlmann <[email protected]>

Author: mqf20

example/server/crypto.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"github.com/zitadel/oidc/v3/pkg/crypto"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"log/slog"
+)
+
+var _ op.Crypto = &myCrypto{}
+
+// myCrypto demonstrates how to provide your custom implementation of op.Crypto.
+type myCrypto struct {
+	key    string
+	logger *slog.Logger
+}
+
+func newMyCrypto(key [32]byte, l *slog.Logger) *myCrypto {
+	return &myCrypto{
+		key:    string(key[:32]),
+		logger: l,
+	}
+}
+
+func (m *myCrypto) Decrypt(s string) (string, error) {
+	m.logger.Info("decrypting")
+	return crypto.DecryptAES(s, m.key)
+}
+
+func (m *myCrypto) Encrypt(s string) (string, error) {
+	m.logger.Info("encrypting")
+	return crypto.EncryptAES(s, m.key)
+}

example/server/exampleop/op.go

@@ -51,7 +51,13 @@ func SetupServer(issuer string, storage Storage, logger *slog.Logger, wrapServer
 	})
 
 	// creation of the OpenIDProvider with the just created in-memory Storage
-	provider, err := newOP(storage, issuer, key, logger, extraOptions...)
+	provider, err := newOP(
+		storage,
+		issuer,
+		key,
+		logger,
+		extraOptions...,
+	)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -84,10 +90,16 @@ func SetupServer(issuer string, storage Storage, logger *slog.Logger, wrapServer
 	return router
 }
 
-// newOP will create an OpenID Provider for localhost on a specified port with a given encryption key
+// newOP will create an OpenID Provider for localhost on a specified port
 // and a predefined default logout uri
 // it will enable all options (see descriptions)
-func newOP(storage op.Storage, issuer string, key [32]byte, logger *slog.Logger, extraOptions ...op.Option) (op.OpenIDProvider, error) {
+func newOP(
+	storage op.Storage,
+	issuer string,
+	key [32]byte, // encryption key
+	logger *slog.Logger,
+	extraOptions ...op.Option,
+) (op.OpenIDProvider, error) {
 	config := &op.Config{
 		CryptoKey: key,
 

example/server/main.go

@@ -44,8 +44,15 @@ func main() {
 		logger.Error("cannot create UserStore", "error", err)
 		os.Exit(1)
 	}
-	storage := storage.NewStorage(store)
-	router := exampleop.SetupServer(issuer, storage, logger, false)
+
+	stor := storage.NewStorage(store)
+	router := exampleop.SetupServer(
+		issuer,
+		stor,
+		logger,
+		false,
+		//op.WithCrypto(newMyCrypto(sha256.Sum256([]byte("test")), logger)),
+	)
 
 	server := &http.Server{
 		Addr:    ":" + cfg.Port,

pkg/op/op.go

@@ -158,7 +158,7 @@ func authCallbackPath(o OpenIDProvider) string {
 }
 
 type Config struct {
-	CryptoKey                         [32]byte
+	CryptoKey                         [32]byte // for encrypting access token via NewAESCrypto; will be overwritten by WithCrypto
 	DefaultLogoutRedirectURI          string
 	CodeMethodS256                    bool
 	AuthMethodPost                    bool
@@ -259,6 +259,7 @@ func NewProvider(config *Config, storage Storage, issuer func(insecure bool) (Is
 		storage:           storage,
 		accessTokenKeySet: keySet,
 		idTokenHinKeySet:  keySet,
+		crypto:            NewAESCrypto(config.CryptoKey),
 		endpoints:         DefaultEndpoints,
 		timer:             make(<-chan time.Time),
 		corsOpts:          &defaultCORSOptions,
@@ -279,7 +280,6 @@ func NewProvider(config *Config, storage Storage, issuer func(insecure bool) (Is
 	o.decoder = schema.NewDecoder()
 	o.decoder.IgnoreUnknownKeys(true)
 	o.encoder = oidc.NewEncoder()
-	o.crypto = NewAESCrypto(config.CryptoKey)
 	return o, nil
 }
 
@@ -661,6 +661,16 @@ func WithLogger(logger *slog.Logger) Option {
 	}
 }
 
+// WithCrypto allows the user to pass their own Crypto implementation.
+//
+// If provided, this will overwrite Config.CryptoKey.
+func WithCrypto(crypto Crypto) Option {
+	return func(o *Provider) error {
+		o.crypto = crypto
+		return nil
+	}
+}
+
 func intercept(i IssuerFromRequest, interceptors ...HttpInterceptor) func(handler http.Handler) http.Handler {
 	issuerInterceptor := NewIssuerInterceptor(i)
 	return func(handler http.Handler) http.Handler {