identity_store_oidc_provider.go

package vault

import (
	"context"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"net/http"
	"net/url"
	"sort"
	"strings"
	"time"

	"github.com/hashicorp/go-memdb"
	"github.com/hashicorp/go-secure-stdlib/base62"
	"github.com/hashicorp/go-secure-stdlib/strutil"
	"github.com/hashicorp/vault/helper/identity"
	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/identitytpl"
	"github.com/hashicorp/vault/sdk/logical"
	"gopkg.in/square/go-jose.v2"
)

const (
	// OIDC-related constants
	openIDScope             = "openid"
	scopesDelimiter         = " "
	accessTokenScopesMeta   = "scopes"
	accessTokenClientIDMeta = "client_id"
	clientIDLength          = 32
	clientSecretLength      = 64
	clientSecretPrefix      = "hvo_secret_"

	// Storage path constants
	oidcProviderPrefix = "oidc_provider/"
	assignmentPath     = oidcProviderPrefix + "assignment/"
	scopePath          = oidcProviderPrefix + "scope/"
	clientPath         = oidcProviderPrefix + "client/"
	providerPath       = oidcProviderPrefix + "provider/"

	// Error constants used in the Authorization Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#AuthError.
	ErrAuthUnsupportedResponseType = "unsupported_response_type"
	ErrAuthInvalidRequest          = "invalid_request"
	ErrAuthAccessDenied            = "access_denied"
	ErrAuthUnauthorizedClient      = "unauthorized_client"
	ErrAuthServerError             = "server_error"
	ErrAuthRequestNotSupported     = "request_not_supported"
	ErrAuthRequestURINotSupported  = "request_uri_not_supported"

	// Error constants used in the Token Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse
	ErrTokenInvalidRequest       = "invalid_request"
	ErrTokenInvalidClient        = "invalid_client"
	ErrTokenInvalidGrant         = "invalid_grant"
	ErrTokenUnsupportedGrantType = "unsupported_grant_type"
	ErrTokenServerError          = "server_error"

	// Error constants used in the UserInfo Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
	ErrUserInfoServerError    = "server_error"
	ErrUserInfoInvalidRequest = "invalid_request"
	ErrUserInfoInvalidToken   = "invalid_token"
	ErrUserInfoAccessDenied   = "access_denied"

	// The following errors are used by the UI for specific behavior of
	// the OIDC specification. Any changes to their values must come with
	// a corresponding change in the UI code.
	ErrAuthInvalidClientID      = "invalid_client_id"
	ErrAuthInvalidRedirectURI   = "invalid_redirect_uri"
	ErrAuthMaxAgeReAuthenticate = "max_age_violation"
)

type assignment struct {
	GroupIDs  []string `json:"group_ids"`
	EntityIDs []string `json:"entity_ids"`
}

type scope struct {
	Template    string `json:"template"`
	Description string `json:"description"`
}

type client struct {
	// Used for indexing in memdb
	Name        string `json:"name"`
	NamespaceID string `json:"namespace_id"`

	// User-supplied parameters
	RedirectURIs   []string      `json:"redirect_uris"`
	Assignments    []string      `json:"assignments"`
	Key            string        `json:"key"`
	IDTokenTTL     time.Duration `json:"id_token_ttl"`
	AccessTokenTTL time.Duration `json:"access_token_ttl"`

	// Generated values that are used in OIDC endpoints
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

type provider struct {
	Issuer           string   `json:"issuer"`
	AllowedClientIDs []string `json:"allowed_client_ids"`
	ScopesSupported  []string `json:"scopes_supported"`

	// effectiveIssuer is a calculated field and will be either Issuer (if
	// that's set) or the Vault instance's api_addr.
	effectiveIssuer string
}

type providerDiscovery struct {
	Issuer                string   `json:"issuer"`
	Keys                  string   `json:"jwks_uri"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	RequestURIParameter   bool     `json:"request_uri_parameter_supported"`
	IDTokenAlgs           []string `json:"id_token_signing_alg_values_supported"`
	ResponseTypes         []string `json:"response_types_supported"`
	Scopes                []string `json:"scopes_supported"`
	Subjects              []string `json:"subject_types_supported"`
	GrantTypes            []string `json:"grant_types_supported"`
	AuthMethods           []string `json:"token_endpoint_auth_methods_supported"`
}

type authCodeCacheEntry struct {
	clientID    string
	entityID    string
	redirectURI string
	nonce       string
	scopes      []string
	authTime    time.Time
}

func oidcProviderPaths(i *IdentityStore) []*framework.Path {
	return []*framework.Path{
		{
			Pattern: "oidc/assignment/" + framework.GenericNameRegex("name"),
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the assignment",
				},
				"entity_ids": {
					Type:        framework.TypeCommaStringSlice,
					Description: "Comma separated string or array of identity entity IDs",
				},
				"group_ids": {
					Type:        framework.TypeCommaStringSlice,
					Description: "Comma separated string or array of identity group IDs",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.UpdateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateAssignment,
				},
				logical.CreateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateAssignment,
				},
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCReadAssignment,
				},
				logical.DeleteOperation: &framework.PathOperation{
					Callback: i.pathOIDCDeleteAssignment,
				},
			},
			ExistenceCheck:  i.pathOIDCAssignmentExistenceCheck,
			HelpSynopsis:    "CRUD operations for OIDC assignments.",
			HelpDescription: "Create, Read, Update, and Delete OIDC assignments.",
		},
		{
			Pattern: "oidc/assignment/?$",
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ListOperation: &framework.PathOperation{
					Callback: i.pathOIDCListAssignment,
				},
			},
			HelpSynopsis:    "List OIDC assignments",
			HelpDescription: "List all configured OIDC assignments in the identity backend.",
		},
		{
			Pattern: "oidc/scope/" + framework.GenericNameRegex("name"),
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the scope",
				},
				"template": {
					Type:        framework.TypeString,
					Description: "The template string to use for the scope. This may be in string-ified JSON or base64 format.",
				},
				"description": {
					Type:        framework.TypeString,
					Description: "The description of the scope",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.UpdateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateScope,
				},
				logical.CreateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateScope,
				},
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCReadScope,
				},
				logical.DeleteOperation: &framework.PathOperation{
					Callback: i.pathOIDCDeleteScope,
				},
			},
			ExistenceCheck:  i.pathOIDCScopeExistenceCheck,
			HelpSynopsis:    "CRUD operations for OIDC scopes.",
			HelpDescription: "Create, Read, Update, and Delete OIDC scopes.",
		},
		{
			Pattern: "oidc/scope/?$",
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ListOperation: &framework.PathOperation{
					Callback: i.pathOIDCListScope,
				},
			},
			HelpSynopsis:    "List OIDC scopes",
			HelpDescription: "List all configured OIDC scopes in the identity backend.",
		},
		{
			Pattern: "oidc/client/" + framework.GenericNameRegex("name"),
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the client.",
				},
				"redirect_uris": {
					Type:        framework.TypeCommaStringSlice,
					Description: "Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.",
				},
				"assignments": {
					Type:        framework.TypeCommaStringSlice,
					Description: "Comma separated string or array of assignment resources.",
				},
				"key": {
					Type:        framework.TypeString,
					Description: "A reference to a named key resource. Cannot be modified after creation.",
					Required:    true,
				},
				"id_token_ttl": {
					Type:        framework.TypeDurationSecond,
					Description: "The time-to-live for ID tokens obtained by the client.",
					Default:     "24h",
				},
				"access_token_ttl": {
					Type:        framework.TypeDurationSecond,
					Description: "The time-to-live for access tokens obtained by the client.",
					Default:     "24h",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.UpdateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateClient,
				},
				logical.CreateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateClient,
				},
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCReadClient,
				},
				logical.DeleteOperation: &framework.PathOperation{
					Callback: i.pathOIDCDeleteClient,
				},
			},
			ExistenceCheck:  i.pathOIDCClientExistenceCheck,
			HelpSynopsis:    "CRUD operations for OIDC clients.",
			HelpDescription: "Create, Read, Update, and Delete OIDC clients.",
		},
		{
			Pattern: "oidc/client/?$",
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ListOperation: &framework.PathOperation{
					Callback: i.pathOIDCListClient,
				},
			},
			HelpSynopsis:    "List OIDC clients",
			HelpDescription: "List all configured OIDC clients in the identity backend.",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name"),
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
				"issuer": {
					Type:        framework.TypeString,
					Description: "Specifies what will be used for the iss claim of ID tokens.",
				},
				"allowed_client_ids": {
					Type:        framework.TypeCommaStringSlice,
					Description: "The client IDs that are permitted to use the provider",
				},
				"scopes_supported": {
					Type:        framework.TypeCommaStringSlice,
					Description: "The scopes supported for requesting on the provider",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.UpdateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateProvider,
				},
				logical.CreateOperation: &framework.PathOperation{
					Callback: i.pathOIDCCreateUpdateProvider,
				},
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCReadProvider,
				},
				logical.DeleteOperation: &framework.PathOperation{
					Callback: i.pathOIDCDeleteProvider,
				},
			},
			ExistenceCheck:  i.pathOIDCProviderExistenceCheck,
			HelpSynopsis:    "CRUD operations for OIDC providers.",
			HelpDescription: "Create, Read, Update, and Delete OIDC named providers.",
		},
		{
			Pattern: "oidc/provider/?$",
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ListOperation: &framework.PathOperation{
					Callback: i.pathOIDCListProvider,
				},
			},
			HelpSynopsis:    "List OIDC providers",
			HelpDescription: "List all configured OIDC providers in the identity backend.",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name") + "/.well-known/openid-configuration",
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCProviderDiscovery,
				},
			},
			HelpSynopsis:    "Query OIDC configurations",
			HelpDescription: "Query this path to retrieve the configured OIDC Issuer and Keys endpoints, response types, subject types, and signing algorithms used by the OIDC backend.",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name") + "/.well-known/keys",
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCReadProviderPublicKeys,
				},
			},
			HelpSynopsis:    "Retrieve public keys",
			HelpDescription: "Returns the public portion of keys for a named OIDC provider. Clients can use them to validate the authenticity of an ID token.",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name") + "/authorize",
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
				"client_id": {
					Type:        framework.TypeString,
					Description: "The ID of the requesting client.",
					Required:    true,
				},
				"scope": {
					Type:        framework.TypeString,
					Description: "A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.",
					Required:    true,
				},
				"redirect_uri": {
					Type:        framework.TypeString,
					Description: "The redirection URI to which the response will be sent.",
					Required:    true,
				},
				"response_type": {
					Type:        framework.TypeString,
					Description: "The OIDC authentication flow to be used. The following response types are supported: 'code'",
					Required:    true,
				},
				"state": {
					Type:        framework.TypeString,
					Description: "The value used to maintain state between the authentication request and client.",
					Required:    true,
				},
				"nonce": {
					Type:        framework.TypeString,
					Description: "The value that will be returned in the ID token nonce claim after a token exchange.",
					Required:    true,
				},
				"max_age": {
					Type:        framework.TypeInt,
					Description: "The allowable elapsed time in seconds since the last time the end-user was actively authenticated.",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ReadOperation: &framework.PathOperation{
					Callback:                    i.pathOIDCAuthorize,
					ForwardPerformanceStandby:   true,
					ForwardPerformanceSecondary: false,
				},
				logical.UpdateOperation: &framework.PathOperation{
					Callback:                    i.pathOIDCAuthorize,
					ForwardPerformanceStandby:   true,
					ForwardPerformanceSecondary: false,
				},
			},
			HelpSynopsis:    "Provides the OIDC Authorization Endpoint.",
			HelpDescription: "The OIDC Authorization Endpoint performs authentication and authorization by using request parameters defined by OpenID Connect (OIDC).",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name") + "/token",
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
				"code": {
					Type:        framework.TypeString,
					Description: "The authorization code received from the provider's authorization endpoint.",
					Required:    true,
				},
				"grant_type": {
					Type:        framework.TypeString,
					Description: "The authorization grant type. The following grant types are supported: 'authorization_code'.",
					Required:    true,
				},
				"redirect_uri": {
					Type:        framework.TypeString,
					Description: "The callback location where the authentication response was sent.",
					Required:    true,
				},
				// The client_id and client_secret are provided to the token endpoint via
				// the client_secret_basic authentication method, which uses the HTTP Basic
				// authentication scheme. See the OIDC spec for details at:
				// https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.UpdateOperation: &framework.PathOperation{
					Callback:                    i.pathOIDCToken,
					ForwardPerformanceStandby:   true,
					ForwardPerformanceSecondary: false,
				},
			},
			HelpSynopsis:    "Provides the OIDC Token Endpoint.",
			HelpDescription: "The OIDC Token Endpoint allows a client to exchange its Authorization Grant for an Access Token and ID Token.",
		},
		{
			Pattern: "oidc/provider/" + framework.GenericNameRegex("name") + "/userinfo",
			Fields: map[string]*framework.FieldSchema{
				"name": {
					Type:        framework.TypeString,
					Description: "Name of the provider",
				},
			},
			Operations: map[logical.Operation]framework.OperationHandler{
				logical.ReadOperation: &framework.PathOperation{
					Callback: i.pathOIDCUserInfo,
				},
				logical.UpdateOperation: &framework.PathOperation{
					Callback: i.pathOIDCUserInfo,
				},
			},
			HelpSynopsis:    "Provides the OIDC UserInfo Endpoint.",
			HelpDescription: "The OIDC UserInfo Endpoint returns claims about the authenticated end-user.",
		},
	}
}

// clientsReferencingTargetAssignmentName returns a map of client names to
// clients referencing targetAssignmentName.
func (i *IdentityStore) clientsReferencingTargetAssignmentName(ctx context.Context, req *logical.Request, targetAssignmentName string) (map[string]client, error) {
	clientNames, err := req.Storage.List(ctx, clientPath)
	if err != nil {
		return nil, err
	}

	var tempClient client
	clients := make(map[string]client)
	for _, clientName := range clientNames {
		entry, err := req.Storage.Get(ctx, clientPath+clientName)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&tempClient); err != nil {
				return nil, err
			}
			for _, a := range tempClient.Assignments {
				if a == targetAssignmentName {
					clients[clientName] = tempClient
				}
			}
		}
	}

	return clients, nil
}

// clientNamesReferencingTargetAssignmentName returns a slice of strings of client
// names referencing targetAssignmentName.
func (i *IdentityStore) clientNamesReferencingTargetAssignmentName(ctx context.Context, req *logical.Request, targetAssignmentName string) ([]string, error) {
	clients, err := i.clientsReferencingTargetAssignmentName(ctx, req, targetAssignmentName)
	if err != nil {
		return nil, err
	}

	var names []string
	for client := range clients {
		names = append(names, client)
	}
	sort.Strings(names)
	return names, nil
}

// clientsReferencingTargetKeyName returns a map of client names to
// clients referencing targetKeyName.
func (i *IdentityStore) clientsReferencingTargetKeyName(ctx context.Context, req *logical.Request, targetKeyName string) (map[string]client, error) {
	clientNames, err := req.Storage.List(ctx, clientPath)
	if err != nil {
		return nil, err
	}

	var tempClient client
	clients := make(map[string]client)
	for _, clientName := range clientNames {
		entry, err := req.Storage.Get(ctx, clientPath+clientName)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&tempClient); err != nil {
				return nil, err
			}
			if tempClient.Key == targetKeyName {
				clients[clientName] = tempClient
			}
		}
	}

	return clients, nil
}

// clientNamesReferencingTargetKeyName returns a slice of strings of client
// names referencing targetKeyName.
func (i *IdentityStore) clientNamesReferencingTargetKeyName(ctx context.Context, req *logical.Request, targetKeyName string) ([]string, error) {
	clients, err := i.clientsReferencingTargetKeyName(ctx, req, targetKeyName)
	if err != nil {
		return nil, err
	}

	var names []string
	for client := range clients {
		names = append(names, client)
	}
	sort.Strings(names)
	return names, nil
}

// providersReferencingTargetScopeName returns a list of provider names referencing targetScopeName.
// Not threadsafe. To be called with lock already held.
func (i *IdentityStore) providersReferencingTargetScopeName(ctx context.Context, req *logical.Request, targetScopeName string) ([]string, error) {
	providerNames, err := req.Storage.List(ctx, providerPath)
	if err != nil {
		return nil, err
	}

	var tempProvider provider
	var providers []string
	for _, providerName := range providerNames {
		entry, err := req.Storage.Get(ctx, providerPath+providerName)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&tempProvider); err != nil {
				return nil, err
			}
			for _, a := range tempProvider.ScopesSupported {
				if a == targetScopeName {
					providers = append(providers, providerName)
				}
			}
		}
	}

	return providers, nil
}

// pathOIDCCreateUpdateAssignment is used to create a new assignment or update an existing one
func (i *IdentityStore) pathOIDCCreateUpdateAssignment(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	var assignment assignment
	if req.Operation == logical.UpdateOperation {
		entry, err := req.Storage.Get(ctx, assignmentPath+name)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&assignment); err != nil {
				return nil, err
			}
		}
	}

	if entitiesRaw, ok := d.GetOk("entity_ids"); ok {
		assignment.EntityIDs = entitiesRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		assignment.EntityIDs = d.Get("entity_ids").([]string)
	}

	if groupsRaw, ok := d.GetOk("group_ids"); ok {
		assignment.GroupIDs = groupsRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		assignment.GroupIDs = d.Get("group_ids").([]string)
	}

	// remove duplicates and lowercase entities and groups
	assignment.EntityIDs = strutil.RemoveDuplicates(assignment.EntityIDs, true)
	assignment.GroupIDs = strutil.RemoveDuplicates(assignment.GroupIDs, true)

	// store assignment
	entry, err := logical.StorageEntryJSON(assignmentPath+name, assignment)
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

// pathOIDCListAssignment is used to list assignments
func (i *IdentityStore) pathOIDCListAssignment(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	assignments, err := req.Storage.List(ctx, assignmentPath)
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(assignments), nil
}

// pathOIDCReadAssignment is used to read an existing assignment
func (i *IdentityStore) pathOIDCReadAssignment(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	assignment, err := i.getOIDCAssignment(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if assignment == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"group_ids":  assignment.GroupIDs,
			"entity_ids": assignment.EntityIDs,
		},
	}, nil
}

func (i *IdentityStore) getOIDCAssignment(ctx context.Context, s logical.Storage, name string) (*assignment, error) {
	entry, err := s.Get(ctx, assignmentPath+name)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var assignment assignment
	if err := entry.DecodeJSON(&assignment); err != nil {
		return nil, err
	}

	return &assignment, nil
}

// pathOIDCDeleteAssignment is used to delete an assignment
func (i *IdentityStore) pathOIDCDeleteAssignment(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	clientNames, err := i.clientNamesReferencingTargetAssignmentName(ctx, req, name)
	if err != nil {
		return nil, err
	}

	if len(clientNames) > 0 {
		errorMessage := fmt.Sprintf("unable to delete assignment %q because it is currently referenced by these clients: %s",
			name, strings.Join(clientNames, ", "))
		return logical.ErrorResponse(errorMessage), logical.ErrInvalidRequest
	}

	err = req.Storage.Delete(ctx, assignmentPath+name)
	if err != nil {
		return nil, err
	}
	return nil, nil
}

func (i *IdentityStore) pathOIDCAssignmentExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
	name := d.Get("name").(string)

	entry, err := req.Storage.Get(ctx, assignmentPath+name)
	if err != nil {
		return false, err
	}

	return entry != nil, nil
}

// pathOIDCCreateUpdateScope is used to create a new scope or update an existing one
func (i *IdentityStore) pathOIDCCreateUpdateScope(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if name == openIDScope {
		return logical.ErrorResponse("the %q scope name is reserved", openIDScope), nil
	}

	var scope scope
	if req.Operation == logical.UpdateOperation {
		entry, err := req.Storage.Get(ctx, scopePath+name)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&scope); err != nil {
				return nil, err
			}
		}
	}

	if descriptionRaw, ok := d.GetOk("description"); ok {
		scope.Description = descriptionRaw.(string)
	} else if req.Operation == logical.CreateOperation {
		scope.Description = d.Get("description").(string)
	}

	if templateRaw, ok := d.GetOk("template"); ok {
		scope.Template = templateRaw.(string)
	} else if req.Operation == logical.CreateOperation {
		scope.Template = d.Get("template").(string)
	}

	// Attempt to decode as base64 and use that if it works
	if decoded, err := base64.StdEncoding.DecodeString(scope.Template); err == nil {
		scope.Template = string(decoded)
	}

	// Validate that template can be parsed and results in valid JSON
	if scope.Template != "" {
		_, populatedTemplate, err := identitytpl.PopulateString(identitytpl.PopulateStringInput{
			Mode:   identitytpl.JSONTemplating,
			String: scope.Template,
			Entity: new(logical.Entity),
			Groups: make([]*logical.Group, 0),
		})
		if err != nil {
			return logical.ErrorResponse("error parsing template: %s", err.Error()), nil
		}

		var tmp map[string]interface{}
		if err := json.Unmarshal([]byte(populatedTemplate), &tmp); err != nil {
			return logical.ErrorResponse("error parsing template JSON: %s", err.Error()), nil
		}

		for key := range tmp {
			if strutil.StrListContains(requiredClaims, key) {
				return logical.ErrorResponse(`top level key %q not allowed. Restricted keys: %s`,
					key, strings.Join(requiredClaims, ", ")), nil
			}
		}
	}
	// store scope
	entry, err := logical.StorageEntryJSON(scopePath+name, scope)
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

// pathOIDCListScope is used to list scopes
func (i *IdentityStore) pathOIDCListScope(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	scopes, err := req.Storage.List(ctx, scopePath)
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(scopes), nil
}

// pathOIDCReadScope is used to read an existing scope
func (i *IdentityStore) pathOIDCReadScope(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	scope, err := i.getOIDCScope(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if scope == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"template":    scope.Template,
			"description": scope.Description,
		},
	}, nil
}

func (i *IdentityStore) getOIDCScope(ctx context.Context, s logical.Storage, name string) (*scope, error) {
	entry, err := s.Get(ctx, scopePath+name)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var scope scope
	if err := entry.DecodeJSON(&scope); err != nil {
		return nil, err
	}

	return &scope, nil
}

// pathOIDCDeleteScope is used to delete an scope
func (i *IdentityStore) pathOIDCDeleteScope(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	targetScopeName := d.Get("name").(string)

	providerNames, err := i.providersReferencingTargetScopeName(ctx, req, targetScopeName)
	if err != nil {
		return nil, err
	}

	if len(providerNames) > 0 {
		errorMessage := fmt.Sprintf("unable to delete scope %q because it is currently referenced by these providers: %s",
			targetScopeName, strings.Join(providerNames, ", "))
		return logical.ErrorResponse(errorMessage), logical.ErrInvalidRequest
	}
	err = req.Storage.Delete(ctx, scopePath+name)
	if err != nil {
		return nil, err
	}

	return nil, nil
}

func (i *IdentityStore) pathOIDCScopeExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
	name := d.Get("name").(string)

	entry, err := req.Storage.Get(ctx, scopePath+name)
	if err != nil {
		return false, err
	}

	return entry != nil, nil
}

// pathOIDCCreateUpdateClient is used to create a new client or update an existing one
func (i *IdentityStore) pathOIDCCreateUpdateClient(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return nil, err
	}

	client := client{
		Name:        name,
		NamespaceID: ns.ID,
	}
	if req.Operation == logical.UpdateOperation {
		entry, err := req.Storage.Get(ctx, clientPath+name)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&client); err != nil {
				return nil, err
			}
		}
	}

	if redirectURIsRaw, ok := d.GetOk("redirect_uris"); ok {
		client.RedirectURIs = redirectURIsRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		client.RedirectURIs = d.Get("redirect_uris").([]string)
	}

	if assignmentsRaw, ok := d.GetOk("assignments"); ok {
		client.Assignments = assignmentsRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		client.Assignments = d.Get("assignments").([]string)
	}

	// remove duplicate assignments and redirect URIs
	client.Assignments = strutil.RemoveDuplicates(client.Assignments, false)
	client.RedirectURIs = strutil.RemoveDuplicates(client.RedirectURIs, false)

	// enforce assignment existence
	for _, assignment := range client.Assignments {
		entry, err := req.Storage.Get(ctx, assignmentPath+assignment)
		if err != nil {
			return nil, err
		}
		if entry == nil {
			return logical.ErrorResponse("assignment %q does not exist", assignment), nil
		}
	}

	if keyRaw, ok := d.GetOk("key"); ok {
		key := keyRaw.(string)
		if req.Operation == logical.UpdateOperation && client.Key != key {
			return logical.ErrorResponse("key modification is not allowed"), nil
		}
		client.Key = key
	} else if req.Operation == logical.CreateOperation {
		client.Key = d.Get("key").(string)
	}

	if client.Key == "" {
		return logical.ErrorResponse("the key parameter is required"), nil
	}

	var key namedKey
	// enforce key existence on client creation
	entry, err := req.Storage.Get(ctx, namedKeyConfigPath+client.Key)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return logical.ErrorResponse("key %q does not exist", client.Key), nil
	}
	if err := entry.DecodeJSON(&key); err != nil {
		return nil, err
	}

	if idTokenTTLRaw, ok := d.GetOk("id_token_ttl"); ok {
		client.IDTokenTTL = time.Duration(idTokenTTLRaw.(int)) * time.Second
	} else if req.Operation == logical.CreateOperation {
		client.IDTokenTTL = time.Duration(d.Get("id_token_ttl").(int)) * time.Second
	}

	if client.IDTokenTTL > key.VerificationTTL {
		return logical.ErrorResponse("a client's id_token_ttl cannot be greater than the verification_ttl of the key it references"), nil
	}

	if accessTokenTTLRaw, ok := d.GetOk("access_token_ttl"); ok {
		client.AccessTokenTTL = time.Duration(accessTokenTTLRaw.(int)) * time.Second
	} else if req.Operation == logical.CreateOperation {
		client.AccessTokenTTL = time.Duration(d.Get("access_token_ttl").(int)) * time.Second
	}

	if client.ClientID == "" {
		// generate client_id
		clientID, err := base62.Random(clientIDLength)
		if err != nil {
			return nil, err
		}
		client.ClientID = clientID
	}

	if client.ClientSecret == "" {
		// generate client_secret
		clientSecret, err := base62.Random(clientSecretLength)
		if err != nil {
			return nil, err
		}
		client.ClientSecret = clientSecretPrefix + clientSecret
	}

	// invalidate the cached client in memdb
	if err := i.memDBDeleteClientByName(ctx, name); err != nil {
		return nil, err
	}

	// store client
	entry, err = logical.StorageEntryJSON(clientPath+name, client)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

// pathOIDCListClient is used to list clients
func (i *IdentityStore) pathOIDCListClient(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	clients, err := req.Storage.List(ctx, clientPath)
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(clients), nil
}

// pathOIDCReadClient is used to read an existing client
func (i *IdentityStore) pathOIDCReadClient(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	client, err := i.clientByName(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if client == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"redirect_uris":    client.RedirectURIs,
			"assignments":      client.Assignments,
			"key":              client.Key,
			"id_token_ttl":     int64(client.IDTokenTTL.Seconds()),
			"access_token_ttl": int64(client.AccessTokenTTL.Seconds()),
			"client_id":        client.ClientID,
			"client_secret":    client.ClientSecret,
		},
	}, nil
}

// pathOIDCDeleteClient is used to delete an client
func (i *IdentityStore) pathOIDCDeleteClient(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	// Delete the client from memdb
	if err := i.memDBDeleteClientByName(ctx, name); err != nil {
		return nil, err
	}

	// Delete the client from storage
	if err := req.Storage.Delete(ctx, clientPath+name); err != nil {
		return nil, err
	}

	return nil, nil
}

func (i *IdentityStore) pathOIDCClientExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
	name := d.Get("name").(string)

	entry, err := req.Storage.Get(ctx, clientPath+name)
	if err != nil {
		return false, err
	}

	return entry != nil, nil
}

// pathOIDCCreateUpdateProvider is used to create a new named provider or update an existing one
func (i *IdentityStore) pathOIDCCreateUpdateProvider(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	var resp logical.Response
	name := d.Get("name").(string)

	var provider provider
	if req.Operation == logical.UpdateOperation {
		entry, err := req.Storage.Get(ctx, providerPath+name)
		if err != nil {
			return nil, err
		}
		if entry != nil {
			if err := entry.DecodeJSON(&provider); err != nil {
				return nil, err
			}
		}
	}

	if issuerRaw, ok := d.GetOk("issuer"); ok {
		provider.Issuer = issuerRaw.(string)
	} else if req.Operation == logical.CreateOperation {
		provider.Issuer = d.Get("issuer").(string)
	}

	if allowedClientIDsRaw, ok := d.GetOk("allowed_client_ids"); ok {
		provider.AllowedClientIDs = allowedClientIDsRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		provider.AllowedClientIDs = d.Get("allowed_client_ids").([]string)
	}

	if scopesRaw, ok := d.GetOk("scopes_supported"); ok {
		provider.ScopesSupported = scopesRaw.([]string)
	} else if req.Operation == logical.CreateOperation {
		provider.ScopesSupported = d.Get("scopes_supported").([]string)
	}

	// remove duplicate allowed client IDs and scopes
	provider.AllowedClientIDs = strutil.RemoveDuplicates(provider.AllowedClientIDs, false)
	provider.ScopesSupported = strutil.RemoveDuplicates(provider.ScopesSupported, false)

	if provider.Issuer != "" {
		// verify that issuer is the correct format:
		//   - http or https
		//   - host name
		//   - optional port
		//   - nothing more
		valid := false
		if u, err := url.Parse(provider.Issuer); err == nil {
			u2 := url.URL{
				Scheme: u.Scheme,
				Host:   u.Host,
			}
			valid = (*u == u2) &&
				(u.Scheme == "http" || u.Scheme == "https") &&
				u.Host != ""
		}

		if !valid {
			return logical.ErrorResponse(
				"invalid issuer, which must include only a scheme, host, " +
					"and optional port (e.g. https://example.com:8200)"), nil
		}

		resp.AddWarning(`If "issuer" is set explicitly, all tokens must be ` +
			`validated against that address, including those issued by secondary ` +
			`clusters. Setting issuer to "" will restore the default behavior of ` +
			`using the cluster's api_addr as the issuer.`)

	}

	scopeTemplateKeyNames := make(map[string]string)
	for _, scopeName := range provider.ScopesSupported {
		scope, err := i.getOIDCScope(ctx, req.Storage, scopeName)
		if err != nil {
			return nil, err
		}
		// enforce scope existence on provider create and update
		if scope == nil {
			return logical.ErrorResponse("scope %q does not exist", scopeName), nil
		}

		// ensure no two templates have the same top-level keys
		_, populatedTemplate, err := identitytpl.PopulateString(identitytpl.PopulateStringInput{
			Mode:   identitytpl.JSONTemplating,
			String: scope.Template,
			Entity: new(logical.Entity),
			Groups: make([]*logical.Group, 0),
		})
		if err != nil {
			return nil, fmt.Errorf("error parsing template for scope %q: %s", scopeName, err.Error())
		}

		jsonTemplate := make(map[string]interface{})
		if err = json.Unmarshal([]byte(populatedTemplate), &jsonTemplate); err != nil {
			return nil, err
		}

		for keyName := range jsonTemplate {
			val, ok := scopeTemplateKeyNames[keyName]
			if ok && val != scopeName {
				resp.AddWarning(fmt.Sprintf("Found scope templates with conflicting top-level keys: "+
					"conflict %q in scopes %q, %q. This may result in an error if the scopes are "+
					"requested in an OIDC Authentication Request.", keyName, scopeName, val))
			}

			scopeTemplateKeyNames[keyName] = scopeName
		}
	}

	// store named provider
	entry, err := logical.StorageEntryJSON(providerPath+name, provider)
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	if len(resp.Warnings) == 0 {
		return nil, nil
	}

	return &resp, nil
}

// pathOIDCListProvider is used to list named providers
func (i *IdentityStore) pathOIDCListProvider(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	providers, err := req.Storage.List(ctx, providerPath)
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(providers), nil
}

// pathOIDCReadProvider is used to read an existing provider
func (i *IdentityStore) pathOIDCReadProvider(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	provider, err := i.getOIDCProvider(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if provider == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"issuer":             provider.Issuer,
			"allowed_client_ids": provider.AllowedClientIDs,
			"scopes_supported":   provider.ScopesSupported,
		},
	}, nil
}

func (i *IdentityStore) getOIDCProvider(ctx context.Context, s logical.Storage, name string) (*provider, error) {
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return nil, err
	}

	entry, err := s.Get(ctx, providerPath+name)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var provider provider
	if err := entry.DecodeJSON(&provider); err != nil {
		return nil, err
	}

	provider.effectiveIssuer = provider.Issuer
	if provider.effectiveIssuer == "" {
		provider.effectiveIssuer = i.redirectAddr
	}

	provider.effectiveIssuer += "/v1/" + ns.Path + "identity/oidc/provider/" + name

	return &provider, nil
}

// pathOIDCDeleteProvider is used to delete an assignment
func (i *IdentityStore) pathOIDCDeleteProvider(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	return nil, req.Storage.Delete(ctx, providerPath+name)
}

func (i *IdentityStore) pathOIDCProviderExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
	name := d.Get("name").(string)

	entry, err := req.Storage.Get(ctx, providerPath+name)
	if err != nil {
		return false, err
	}

	return entry != nil, nil
}

func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	p, err := i.getOIDCProvider(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, nil
	}

	// the "openid" scope is reserved and is included for every provider
	scopes := append(p.ScopesSupported, openIDScope)

	disc := providerDiscovery{
		Issuer:                p.effectiveIssuer,
		Keys:                  p.effectiveIssuer + "/.well-known/keys",
		AuthorizationEndpoint: strings.Replace(p.effectiveIssuer, "/v1/", "/ui/vault/", 1) + "/authorize",
		TokenEndpoint:         p.effectiveIssuer + "/token",
		UserinfoEndpoint:      p.effectiveIssuer + "/userinfo",
		IDTokenAlgs:           supportedAlgs,
		Scopes:                scopes,
		RequestURIParameter:   false,
		ResponseTypes:         []string{"code"},
		Subjects:              []string{"public"},
		GrantTypes:            []string{"authorization_code"},
		AuthMethods:           []string{"client_secret_basic"},
	}

	data, err := json.Marshal(disc)
	if err != nil {
		return nil, err
	}

	resp := &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPStatusCode:         200,
			logical.HTTPRawBody:            data,
			logical.HTTPContentType:        "application/json",
			logical.HTTPCacheControlHeader: "max-age=3600",
		},
	}

	return resp, nil
}

// pathOIDCReadProviderPublicKeys is used to retrieve all public keys for a
// named provider so that clients can verify the validity of a signed OIDC token.
func (i *IdentityStore) pathOIDCReadProviderPublicKeys(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	providerName := d.Get("name").(string)

	var provider provider

	providerEntry, err := req.Storage.Get(ctx, providerPath+providerName)
	if err != nil {
		return nil, err
	}
	if providerEntry == nil {
		return nil, nil
	}
	if err := providerEntry.DecodeJSON(&provider); err != nil {
		return nil, err
	}

	keyIDs, err := i.keyIDsReferencedByTargetClientIDs(ctx, req.Storage, provider.AllowedClientIDs)
	if err != nil {
		return nil, err
	}

	jwks := &jose.JSONWebKeySet{
		Keys: make([]jose.JSONWebKey, 0, len(keyIDs)),
	}

	for _, keyID := range keyIDs {
		key, err := loadOIDCPublicKey(ctx, req.Storage, keyID)
		if err != nil {
			return nil, err
		}
		jwks.Keys = append(jwks.Keys, *key)
	}

	data, err := json.Marshal(jwks)
	if err != nil {
		return nil, err
	}

	resp := &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPStatusCode:  200,
			logical.HTTPRawBody:     data,
			logical.HTTPContentType: "application/json",
		},
	}

	return resp, nil
}

// keyIDsReferencedByTargetClientIDs returns a slice of key IDs that are
// referenced by the clients' targetIDs.
// If targetIDs contains "*" then the IDs for all public keys are returned.
func (i *IdentityStore) keyIDsReferencedByTargetClientIDs(ctx context.Context, s logical.Storage, targetIDs []string) ([]string, error) {
	keyNames := make(map[string]bool)

	// Get all key names referenced by clients if wildcard "*" in target client IDs
	if strutil.StrListContains(targetIDs, "*") {
		clients, err := i.listClients(ctx, s)
		if err != nil {
			return nil, err
		}

		for _, client := range clients {
			keyNames[client.Key] = true
		}
	}

	// Otherwise, get the key names referenced by each target client ID
	if len(keyNames) == 0 {
		for _, clientID := range targetIDs {
			client, err := i.clientByID(ctx, s, clientID)
			if err != nil {
				return nil, err
			}

			if client != nil {
				keyNames[client.Key] = true
			}
		}
	}

	// Collect the key IDs
	var keyIDs []string
	for name, _ := range keyNames {
		entry, err := s.Get(ctx, namedKeyConfigPath+name)
		if err != nil {
			return nil, err
		}

		var key namedKey
		if err := entry.DecodeJSON(&key); err != nil {
			return nil, err
		}
		for _, expirableKey := range key.KeyRing {
			keyIDs = append(keyIDs, expirableKey.KeyID)
		}
	}
	return keyIDs, nil
}

func (i *IdentityStore) pathOIDCAuthorize(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Validate the state
	state := d.Get("state").(string)
	if state == "" {
		return authResponse("", "", ErrAuthInvalidRequest, "state parameter is required")
	}

	// Get the namespace
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}

	// Get the OIDC provider
	name := d.Get("name").(string)
	provider, err := i.getOIDCProvider(ctx, req.Storage, name)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}
	if provider == nil {
		return authResponse("", state, ErrAuthInvalidRequest, "provider not found")
	}

	// Validate that a scope parameter is present and contains the openid scope value
	requestedScopes := strutil.ParseDedupAndSortStrings(d.Get("scope").(string), scopesDelimiter)
	if len(requestedScopes) == 0 || !strutil.StrListContains(requestedScopes, openIDScope) {
		return authResponse("", state, ErrAuthInvalidRequest,
			fmt.Sprintf("scope parameter must contain the %q value", openIDScope))
	}

	// Scope values that are not supported by the provider should be ignored
	scopes := make([]string, 0)
	for _, scope := range requestedScopes {
		if strutil.StrListContains(provider.ScopesSupported, scope) && scope != openIDScope {
			scopes = append(scopes, scope)
		}
	}

	// Validate the response type
	responseType := d.Get("response_type").(string)
	if responseType == "" {
		return authResponse("", state, ErrAuthInvalidRequest, "response_type parameter is required")
	}
	if responseType != "code" {
		return authResponse("", state, ErrAuthUnsupportedResponseType, "unsupported response_type value")
	}

	// Validate the client ID
	clientID := d.Get("client_id").(string)
	if clientID == "" {
		return authResponse("", state, ErrAuthInvalidClientID, "client_id parameter is required")
	}
	client, err := i.clientByID(ctx, req.Storage, clientID)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}
	if client == nil {
		return authResponse("", state, ErrAuthInvalidClientID, "client with client_id not found")
	}
	if !strutil.StrListContains(provider.AllowedClientIDs, "*") &&
		!strutil.StrListContains(provider.AllowedClientIDs, clientID) {
		return authResponse("", state, ErrAuthUnauthorizedClient, "client is not authorized to use the provider")
	}

	// Validate the redirect URI
	redirectURI := d.Get("redirect_uri").(string)
	if redirectURI == "" {
		return authResponse("", state, ErrAuthInvalidRequest, "redirect_uri parameter is required")
	}
	if !strutil.StrListContains(client.RedirectURIs, redirectURI) {
		return authResponse("", state, ErrAuthInvalidRedirectURI, "redirect_uri is not allowed for the client")
	}

	// Validate the nonce
	nonce := d.Get("nonce").(string)
	if nonce == "" {
		return authResponse("", state, ErrAuthInvalidRequest, "nonce parameter is required")
	}

	// We don't support the request or request_uri parameters. If they're provided,
	// the appropriate errors must be returned. For details, see the spec at:
	// https://openid.net/specs/openid-connect-core-1_0.html#RequestObject
	// https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter
	if _, ok := d.Raw["request"]; ok {
		return authResponse("", state, ErrAuthRequestNotSupported, "request parameter is not supported")
	}
	if _, ok := d.Raw["request_uri"]; ok {
		return authResponse("", state, ErrAuthRequestURINotSupported, "request_uri parameter is not supported")
	}

	// Validate that there is an identity entity associated with the request
	if req.EntityID == "" {
		return authResponse("", state, ErrAuthAccessDenied, "identity entity must be associated with the request")
	}
	entity, err := i.MemDBEntityByID(req.EntityID, false)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}
	if entity == nil {
		return authResponse("", state, ErrAuthAccessDenied, "identity entity associated with the request not found")
	}

	// Validate that the entity is a member of the client's assignments
	isMember, err := i.entityHasAssignment(ctx, req.Storage, entity, client.Assignments)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}
	if !isMember {
		return authResponse("", state, ErrAuthAccessDenied, "identity entity not authorized by client assignment")
	}

	// Create the auth code cache entry
	authCodeEntry := &authCodeCacheEntry{
		clientID:    clientID,
		entityID:    entity.GetID(),
		redirectURI: redirectURI,
		nonce:       nonce,
		scopes:      scopes,
	}

	// Validate the optional max_age parameter to check if an active re-authentication
	// of the user should occur. Re-authentication will be requested if max_age=0 or the
	// last time the token actively authenticated exceeds the given max_age requirement.
	// Returning ErrAuthMaxAgeReAuthenticate will enforce the user to re-authenticate via
	// the user agent.
	if maxAgeRaw, ok := d.GetOk("max_age"); ok {
		maxAge := maxAgeRaw.(int)
		if maxAge < 1 {
			return authResponse("", state, ErrAuthInvalidRequest, "max_age must be greater than zero")
		}

		// Look up the token associated with the request
		te, err := i.tokenStorer.LookupToken(ctx, req.ClientToken)
		if err != nil {
			return authResponse("", state, ErrAuthServerError, err.Error())
		}
		if te == nil {
			return authResponse("", state, ErrAuthAccessDenied, "token associated with request not found")
		}

		// Check if the token creation time violates the max age requirement
		now := time.Now().UTC()
		lastAuthTime := time.Unix(te.CreationTime, 0).UTC()
		secondsSince := int(now.Sub(lastAuthTime).Seconds())
		if secondsSince > maxAge {
			return authResponse("", state, ErrAuthMaxAgeReAuthenticate, "active re-authentication is required by max_age")
		}

		// Set the auth time to use for the auth_time claim in the token exchange
		authCodeEntry.authTime = lastAuthTime
	}

	// Generate the authorization code
	code, err := base62.Random(32)
	if err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}

	// Cache the authorization code for a subsequent token exchange
	if err := i.oidcAuthCodeCache.SetDefault(ns, code, authCodeEntry); err != nil {
		return authResponse("", state, ErrAuthServerError, err.Error())
	}

	return authResponse(code, state, "", "")
}

// authResponse returns the OIDC Authentication Response. An error response is
// returned if the given error code is non-empty. For details, see spec at
//   - https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
//   - https://openid.net/specs/openid-connect-core-1_0.html#AuthError
func authResponse(code, state, errorCode, errorDescription string) (*logical.Response, error) {
	statusCode := http.StatusOK
	response := map[string]interface{}{
		"code":  code,
		"state": state,
	}

	// Set the error response and status code if error code isn't empty
	if errorCode != "" {
		statusCode = http.StatusBadRequest
		if errorCode == ErrAuthServerError {
			statusCode = http.StatusInternalServerError
		}

		response = map[string]interface{}{
			"error":             errorCode,
			"error_description": errorDescription,
			"state":             state,
		}
	}

	body, err := json.Marshal(response)
	if err != nil {
		return nil, err
	}

	return &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPStatusCode:  statusCode,
			logical.HTTPRawBody:     body,
			logical.HTTPContentType: "application/json",
		},
	}, nil
}

func (i *IdentityStore) pathOIDCToken(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Get the namespace
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	// Get the OIDC provider
	name := d.Get("name").(string)
	provider, err := i.getOIDCProvider(ctx, req.Storage, name)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if provider == nil {
		return tokenResponse(nil, ErrTokenInvalidRequest, "provider not found")
	}

	// Authenticate the client using the client_secret_basic authentication method.
	// The authentication method uses the HTTP Basic authentication scheme. Details at
	// https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
	headerReq := &http.Request{Header: req.Headers}
	clientID, clientSecret, ok := headerReq.BasicAuth()
	if !ok {
		return tokenResponse(nil, ErrTokenInvalidRequest, "client failed to authenticate")
	}
	client, err := i.clientByID(ctx, req.Storage, clientID)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if client == nil {
		i.Logger().Debug("client failed to authenticate with client not found", "client_id", clientID)
		return tokenResponse(nil, ErrTokenInvalidClient, "client failed to authenticate")
	}
	if subtle.ConstantTimeCompare([]byte(client.ClientSecret), []byte(clientSecret)) == 0 {
		i.Logger().Debug("client failed to authenticate with invalid client secret", "client_id", clientID)
		return tokenResponse(nil, ErrTokenInvalidClient, "client failed to authenticate")
	}

	// Validate that the client is authorized to use the provider
	if !strutil.StrListContains(provider.AllowedClientIDs, "*") &&
		!strutil.StrListContains(provider.AllowedClientIDs, clientID) {
		return tokenResponse(nil, ErrTokenInvalidClient, "client is not authorized to use the provider")
	}

	// Get the key that the client uses to sign ID tokens
	key, err := i.getNamedKey(ctx, req.Storage, client.Key)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if key == nil {
		return tokenResponse(nil, ErrTokenServerError, fmt.Sprintf("client key %q not found", client.Key))
	}

	// Validate that the client is authorized to use the key
	if !strutil.StrListContains(key.AllowedClientIDs, "*") &&
		!strutil.StrListContains(key.AllowedClientIDs, clientID) {
		return tokenResponse(nil, ErrTokenInvalidClient, "client is not authorized to use the key")
	}

	// Validate the grant type
	grantType := d.Get("grant_type").(string)
	if grantType == "" {
		return tokenResponse(nil, ErrTokenInvalidRequest, "grant_type parameter is required")
	}
	if grantType != "authorization_code" {
		return tokenResponse(nil, ErrTokenUnsupportedGrantType, "unsupported grant_type value")
	}

	// Validate the authorization code
	code := d.Get("code").(string)
	if code == "" {
		return tokenResponse(nil, ErrTokenInvalidRequest, "code parameter is required")
	}

	// Get the authorization code entry and defer its deletion (single use)
	authCodeEntryRaw, ok, err := i.oidcAuthCodeCache.Get(ns, code)
	defer i.oidcAuthCodeCache.Delete(ns, code)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if !ok {
		return tokenResponse(nil, ErrTokenInvalidGrant, "authorization grant is invalid or expired")
	}
	authCodeEntry, ok := authCodeEntryRaw.(*authCodeCacheEntry)
	if !ok {
		return tokenResponse(nil, ErrTokenServerError, "authorization grant is invalid or expired")
	}

	// Ensure the authorization code was issued to the authenticated client
	if authCodeEntry.clientID != clientID {
		return tokenResponse(nil, ErrTokenInvalidGrant, "authorization grant is invalid or expired")
	}

	// Ensure that the redirect_uri parameter value is identical to the redirect_uri
	// parameter value that was included in the initial authorization request.
	redirectURI := d.Get("redirect_uri").(string)
	if redirectURI == "" {
		return tokenResponse(nil, ErrTokenInvalidRequest, "redirect_uri parameter is required")
	}
	if authCodeEntry.redirectURI != redirectURI {
		return tokenResponse(nil, ErrTokenInvalidGrant, "redirect_uri does not match the redirect_uri used in the authorization request")
	}

	// Get the entity associated with the initial authorization request
	entity, err := i.MemDBEntityByID(authCodeEntry.entityID, true)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if entity == nil {
		return tokenResponse(nil, ErrTokenInvalidRequest, "identity entity associated with the request not found")
	}

	// Validate that the entity is a member of the client's assignments
	isMember, err := i.entityHasAssignment(ctx, req.Storage, entity, client.Assignments)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if !isMember {
		return tokenResponse(nil, ErrTokenInvalidRequest, "identity entity not authorized by client assignment")
	}

	// The access token is a Vault batch token with a policy that only
	// provides access to the issuing provider's userinfo endpoint.
	accessTokenIssuedAt := time.Now()
	accessTokenExpiry := accessTokenIssuedAt.Add(client.AccessTokenTTL)
	accessToken := &logical.TokenEntry{
		Type:               logical.TokenTypeBatch,
		NamespaceID:        ns.ID,
		Path:               req.Path,
		TTL:                client.AccessTokenTTL,
		CreationTime:       accessTokenIssuedAt.Unix(),
		EntityID:           entity.ID,
		NoIdentityPolicies: true,
		Meta: map[string]string{
			"oidc_token_type": "access token",
		},
		InternalMeta: map[string]string{
			accessTokenClientIDMeta: client.ClientID,
			accessTokenScopesMeta:   strings.Join(authCodeEntry.scopes, scopesDelimiter),
		},
		InlinePolicy: fmt.Sprintf(`
			path "identity/oidc/provider/%s/userinfo" {
				capabilities = ["read", "update"]
			}
		`, name),
	}
	err = i.tokenStorer.CreateToken(ctx, accessToken)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	// Compute the access token hash claim (at_hash)
	atHash, err := computeHashClaim(key.Algorithm, accessToken.ID)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	// Compute the authorization code hash claim (c_hash)
	cHash, err := computeHashClaim(key.Algorithm, code)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	// Set the ID token claims
	idTokenIssuedAt := time.Now()
	idTokenExpiry := idTokenIssuedAt.Add(client.IDTokenTTL)
	idToken := idToken{
		Namespace:       ns.ID,
		Issuer:          provider.effectiveIssuer,
		Subject:         authCodeEntry.entityID,
		Audience:        authCodeEntry.clientID,
		Nonce:           authCodeEntry.nonce,
		Expiry:          idTokenExpiry.Unix(),
		IssuedAt:        idTokenIssuedAt.Unix(),
		AccessTokenHash: atHash,
		CodeHash:        cHash,
	}

	// Add the auth_time claim if it's not the zero time instant
	if !authCodeEntry.authTime.IsZero() {
		idToken.AuthTime = authCodeEntry.authTime.Unix()
	}

	// Populate each of the requested scope templates
	templates, conflict, err := i.populateScopeTemplates(ctx, req.Storage, ns, entity, authCodeEntry.scopes...)
	if !conflict && err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}
	if conflict && err != nil {
		return tokenResponse(nil, ErrTokenInvalidRequest, err.Error())
	}

	// Generate the ID token payload
	payload, err := idToken.generatePayload(i.Logger(), templates...)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	// Sign the ID token using the client's key
	signedIDToken, err := key.signPayload(payload)
	if err != nil {
		return tokenResponse(nil, ErrTokenServerError, err.Error())
	}

	return tokenResponse(map[string]interface{}{
		"token_type":   "Bearer",
		"access_token": accessToken.ID,
		"id_token":     signedIDToken,
		"expires_in":   int64(accessTokenExpiry.Sub(accessTokenIssuedAt).Seconds()),
	}, "", "")
}

// tokenResponse returns the OIDC Token Response. An error response is
// returned if the given error code is non-empty. For details, see spec at
//   - https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
//   - https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse
func tokenResponse(response map[string]interface{}, errorCode, errorDescription string) (*logical.Response, error) {
	statusCode := http.StatusOK

	// Set the error response and status code if error code isn't empty
	if errorCode != "" {
		switch errorCode {
		case ErrTokenInvalidClient:
			statusCode = http.StatusUnauthorized
		case ErrTokenServerError:
			statusCode = http.StatusInternalServerError
		default:
			statusCode = http.StatusBadRequest
		}

		response = map[string]interface{}{
			"error":             errorCode,
			"error_description": errorDescription,
		}
	}

	body, err := json.Marshal(response)
	if err != nil {
		return nil, err
	}

	data := map[string]interface{}{
		logical.HTTPStatusCode:  statusCode,
		logical.HTTPRawBody:     body,
		logical.HTTPContentType: "application/json",

		// Token responses must include the following HTTP response headers
		// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
		logical.HTTPCacheControlHeader: "no-store",
		logical.HTTPPragmaHeader:       "no-cache",
	}

	// Set the WWW-Authenticate response header when returning the
	// invalid_client error code per the OAuth 2.0 spec at
	// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
	if errorCode == ErrTokenInvalidClient {
		data[logical.HTTPWWWAuthenticateHeader] = "Basic"
	}

	return &logical.Response{
		Data: data,
	}, nil
}

func (i *IdentityStore) pathOIDCUserInfo(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Get the namespace
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}

	// Get the OIDC provider
	name := d.Get("name").(string)
	provider, err := i.getOIDCProvider(ctx, req.Storage, name)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if provider == nil {
		return userInfoResponse(nil, ErrUserInfoInvalidRequest, "provider not found")
	}

	// Validate that the access token was sent as a Bearer token
	if req.ClientTokenSource != logical.ClientTokenFromAuthzHeader {
		return userInfoResponse(nil, ErrUserInfoInvalidToken, "access token must be sent as a Bearer token")
	}

	// Look up the access token
	te, err := i.tokenStorer.LookupToken(ctx, req.ClientToken)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if te == nil {
		return userInfoResponse(nil, ErrUserInfoInvalidToken, "access token is expired")
	}
	if te.Type != logical.TokenTypeBatch {
		return userInfoResponse(nil, ErrUserInfoInvalidToken, "access token is malformed or invalid")
	}

	// Get the client ID that originated the request from the token metadata
	clientID, ok := te.InternalMeta[accessTokenClientIDMeta]
	if !ok {
		return userInfoResponse(nil, ErrUserInfoServerError, "expected client ID in token metadata")
	}
	client, err := i.clientByID(ctx, req.Storage, clientID)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if client == nil {
		return userInfoResponse(nil, ErrUserInfoAccessDenied, "client not found")
	}

	// Validate that there is an identity entity associated with the request
	if req.EntityID == "" {
		return userInfoResponse(nil, ErrUserInfoAccessDenied, "identity entity must be associated with the request")
	}
	entity, err := i.MemDBEntityByID(req.EntityID, false)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if entity == nil {
		return userInfoResponse(nil, ErrUserInfoAccessDenied, "identity entity associated with the request not found")
	}

	// Validate that the entity is a member of the client's assignments
	isMember, err := i.entityHasAssignment(ctx, req.Storage, entity, client.Assignments)
	if err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if !isMember {
		return userInfoResponse(nil, ErrUserInfoAccessDenied, "identity entity not authorized by client assignment")
	}

	claims := map[string]interface{}{
		// The subject claim must always be in the response
		"sub": entity.ID,
	}

	// Get the scopes for the access token
	tokenScopes, ok := te.InternalMeta[accessTokenScopesMeta]
	if !ok || len(tokenScopes) == 0 {
		return userInfoResponse(claims, "", "")
	}
	parsedScopes := strutil.ParseStringSlice(tokenScopes, scopesDelimiter)

	// Scope values that are not supported by the provider should be ignored
	scopes := make([]string, 0)
	for _, scope := range parsedScopes {
		if strutil.StrListContains(provider.ScopesSupported, scope) {
			scopes = append(scopes, scope)
		}
	}

	// Populate each of the token's scope templates
	templates, conflict, err := i.populateScopeTemplates(ctx, req.Storage, ns, entity, scopes...)
	if !conflict && err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}
	if conflict && err != nil {
		return userInfoResponse(nil, ErrUserInfoInvalidRequest, err.Error())
	}

	// Merge all of the populated JSON scope templates into claims
	if err := mergeJSONTemplates(i.Logger(), claims, templates...); err != nil {
		return userInfoResponse(nil, ErrUserInfoServerError, err.Error())
	}

	return userInfoResponse(claims, "", "")
}

// userInfoResponse returns the OIDC UserInfo Response. An error response is
// returned if the given error code is non-empty. For details, see spec at
//   - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
//   - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
func userInfoResponse(response map[string]interface{}, errorCode, errorDescription string) (*logical.Response, error) {
	statusCode := http.StatusOK

	// Set the error response and status code if error code isn't empty
	if errorCode != "" {
		switch errorCode {
		case ErrUserInfoInvalidRequest:
			statusCode = http.StatusBadRequest
		case ErrUserInfoInvalidToken:
			statusCode = http.StatusUnauthorized
		case ErrUserInfoAccessDenied:
			statusCode = http.StatusForbidden
		case ErrUserInfoServerError:
			statusCode = http.StatusInternalServerError
		}

		response = map[string]interface{}{
			"error":             errorCode,
			"error_description": errorDescription,
		}
	}

	body, err := json.Marshal(response)
	if err != nil {
		return nil, err
	}

	data := map[string]interface{}{
		logical.HTTPStatusCode:  statusCode,
		logical.HTTPRawBody:     body,
		logical.HTTPContentType: "application/json",
	}

	// Set the WWW-Authenticate response header when returning error codes
	// defined in https://datatracker.ietf.org/doc/html/rfc6750#section-3
	if errorCode == ErrUserInfoInvalidRequest || errorCode == ErrUserInfoInvalidToken {
		data[logical.HTTPWWWAuthenticateHeader] = fmt.Sprintf("Bearer error=%q,error_description=%q",
			errorCode, errorDescription)
	}

	return &logical.Response{
		Data: data,
	}, nil
}

// getScopeTemplates returns a mapping from scope names to
// their templates for each of the given scopes.
func (i *IdentityStore) getScopeTemplates(ctx context.Context, s logical.Storage, scopes ...string) (map[string]string, error) {
	templates := make(map[string]string)
	for _, name := range scopes {
		if name == openIDScope {
			// No template for the openid scope
			continue
		}

		// Get the scope template
		scope, err := i.getOIDCScope(ctx, s, name)
		if err != nil {
			return nil, err
		}
		if scope == nil {
			// Scope values used that are not understood by an implementation should be ignored.
			// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
			continue
		}
		templates[name] = scope.Template
	}

	return templates, nil
}

// populateScopeTemplates populates the templates for each of the passed scopes.
// Returns a slice of the populated JSON template strings and a bool to indicate
// if a conflict in scope template claims occurred.
func (i *IdentityStore) populateScopeTemplates(ctx context.Context, s logical.Storage, ns *namespace.Namespace, entity *identity.Entity, scopes ...string) ([]string, bool, error) {
	// Gather the templates for each scope
	templates, err := i.getScopeTemplates(ctx, s, scopes...)
	if err != nil {
		return nil, false, err
	}

	// Get the groups for the entity
	groups, inheritedGroups, err := i.groupsByEntityID(entity.ID)
	if err != nil {
		return nil, false, err
	}
	groups = append(groups, inheritedGroups...)

	claimsToScopes := make(map[string]string)
	populatedTemplates := make([]string, 0)
	for scope, template := range templates {
		// Parse and integrate the populated template. Structural errors with the template
		// should be caught during configuration. Errors found during runtime will be logged.
		_, populatedTemplate, err := identitytpl.PopulateString(identitytpl.PopulateStringInput{
			Mode:        identitytpl.JSONTemplating,
			String:      template,
			Entity:      identity.ToSDKEntity(entity),
			Groups:      identity.ToSDKGroups(groups),
			NamespaceID: ns.ID,
		})
		if err != nil {
			i.Logger().Warn("error populating OIDC token template", "scope", scope,
				"template", template, "error", err)
		}

		if populatedTemplate != "" {
			claimsMap := make(map[string]interface{})
			if err := json.Unmarshal([]byte(populatedTemplate), &claimsMap); err != nil {
				i.Logger().Warn("error parsing OIDC template", "template", template, "err", err)
			}

			// Check top-level claim keys for conflicts with other scopes
			for claimKey := range claimsMap {
				if conflictScope, ok := claimsToScopes[claimKey]; ok {
					return nil, true, fmt.Errorf("found scopes with conflicting top-level claim: claim %q in scopes %q, %q",
						claimKey, scope, conflictScope)
				}
				claimsToScopes[claimKey] = scope
			}

			populatedTemplates = append(populatedTemplates, populatedTemplate)
		}
	}

	return populatedTemplates, false, nil
}

// computeHashClaim computes the hash value to be used for the at_hash
// and c_hash claims. For details on how this value is computed and the
// class of attacks it's used to prevent, see the spec at
// - https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
// - https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
// - https://openid.net/specs/openid-connect-core-1_0.html#TokenSubstitution
func computeHashClaim(alg string, input string) (string, error) {
	signatureAlgToHash := map[jose.SignatureAlgorithm]func() hash.Hash{
		jose.RS256: sha256.New,
		jose.RS384: sha512.New384,
		jose.RS512: sha512.New,
		jose.ES256: sha256.New,
		jose.ES384: sha512.New384,
		jose.ES512: sha512.New,

		// We use the Ed25519 curve key for EdDSA, which uses
		// SHA-512 for its digest algorithm. See details at
		// https://bitbucket.org/openid/connect/issues/1125.
		jose.EdDSA: sha512.New,
	}

	newHash, ok := signatureAlgToHash[jose.SignatureAlgorithm(alg)]
	if !ok {
		return "", fmt.Errorf("unsupported signature algorithm: %q", alg)
	}
	h := newHash()

	// Writing to the hash will never return an error
	_, _ = h.Write([]byte(input))
	sum := h.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// entityHasAssignment returns true if the entity is enabled and a member of any
// of the assignments' groups or entities. Otherwise, returns false or an error.
func (i *IdentityStore) entityHasAssignment(ctx context.Context, s logical.Storage, entity *identity.Entity, assignments []string) (bool, error) {
	if entity.GetDisabled() {
		return false, nil
	}

	// Get the group IDs that the entity is a member of
	entityGroups, err := i.MemDBGroupsByMemberEntityID(entity.GetID(), true, false)
	if err != nil {
		return false, err
	}
	entityGroupIDs := make(map[string]bool)
	for _, group := range entityGroups {
		entityGroupIDs[group.GetID()] = true
	}

	for _, a := range assignments {
		assignment, err := i.getOIDCAssignment(ctx, s, a)
		if err != nil {
			return false, err
		}
		if assignment == nil {
			return false, fmt.Errorf("client assignment %q not found", a)
		}

		// Check if the entity is a member of any groups in the assignment
		for _, id := range assignment.GroupIDs {
			if entityGroupIDs[id] {
				return true, nil
			}
		}

		// Check if the entity is a member of the assignment's entities
		if strutil.StrListContains(assignment.EntityIDs, entity.GetID()) {
			return true, nil
		}
	}

	return false, nil
}

// clientByID returns the client with the given ID.
func (i *IdentityStore) clientByID(ctx context.Context, s logical.Storage, id string) (*client, error) {
	// Read the client from memdb
	client, err := i.memDBClientByID(id)
	if err != nil {
		return nil, err
	}
	if client != nil {
		return client, nil
	}

	// Fall back to reading the client from storage
	client, err = i.storageClientByID(ctx, s, id)
	if err != nil {
		return nil, err
	}
	if client == nil {
		return nil, nil
	}

	// Upsert the client in memdb
	txn := i.db.Txn(true)
	defer txn.Abort()
	if err := i.memDBUpsertClientInTxn(txn, client); err != nil {
		i.logger.Debug("failed to upsert client in memdb", "error", err)
		return client, nil
	}
	txn.Commit()

	return client, nil
}

// clientByName returns the client with the given name.
func (i *IdentityStore) clientByName(ctx context.Context, s logical.Storage, name string) (*client, error) {
	// Read the client from memdb
	client, err := i.memDBClientByName(ctx, name)
	if err != nil {
		return nil, err
	}
	if client != nil {
		return client, nil
	}

	// Fall back to reading the client from storage
	client, err = i.storageClientByName(ctx, s, name)
	if err != nil {
		return nil, err
	}
	if client == nil {
		return nil, nil
	}

	// Upsert the client in memdb
	txn := i.db.Txn(true)
	defer txn.Abort()
	if err := i.memDBUpsertClientInTxn(txn, client); err != nil {
		i.logger.Debug("failed to upsert client in memdb", "error", err)
		return client, nil
	}
	txn.Commit()

	return client, nil
}

// memDBClientByID returns the client with the given ID from memdb.
func (i *IdentityStore) memDBClientByID(id string) (*client, error) {
	if id == "" {
		return nil, errors.New("missing client ID")
	}

	txn := i.db.Txn(false)

	return i.memDBClientByIDInTxn(txn, id)
}

// memDBClientByIDInTxn returns the client with the given ID from memdb using the given txn.
func (i *IdentityStore) memDBClientByIDInTxn(txn *memdb.Txn, id string) (*client, error) {
	if id == "" {
		return nil, errors.New("missing client ID")
	}

	if txn == nil {
		return nil, errors.New("txn is nil")
	}

	clientRaw, err := txn.First(oidcClientsTable, "id", id)
	if err != nil {
		return nil, fmt.Errorf("failed to fetch client from memdb using ID: %w", err)
	}
	if clientRaw == nil {
		return nil, nil
	}

	client, ok := clientRaw.(*client)
	if !ok {
		return nil, errors.New("unexpected client type")
	}

	return client, nil
}

// memDBClientByName returns the client with the given name from memdb.
func (i *IdentityStore) memDBClientByName(ctx context.Context, name string) (*client, error) {
	if name == "" {
		return nil, errors.New("missing client name")
	}

	txn := i.db.Txn(false)

	return i.memDBClientByNameInTxn(ctx, txn, name)
}

// memDBClientByNameInTxn returns the client with the given ID from memdb using the given txn.
func (i *IdentityStore) memDBClientByNameInTxn(ctx context.Context, txn *memdb.Txn, name string) (*client, error) {
	if name == "" {
		return nil, errors.New("missing client name")
	}

	if txn == nil {
		return nil, errors.New("txn is nil")
	}

	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return nil, err
	}

	clientRaw, err := txn.First(oidcClientsTable, "name", ns.ID, name)
	if err != nil {
		return nil, fmt.Errorf("failed to fetch client from memdb using name: %w", err)
	}
	if clientRaw == nil {
		return nil, nil
	}

	client, ok := clientRaw.(*client)
	if !ok {
		return nil, errors.New("unexpected client type")
	}

	return client, nil
}

// memDBDeleteClientByName deletes the client with the given name from memdb.
func (i *IdentityStore) memDBDeleteClientByName(ctx context.Context, name string) error {
	if name == "" {
		return errors.New("missing client name")
	}

	txn := i.db.Txn(true)
	defer txn.Abort()

	if err := i.memDBDeleteClientByNameInTxn(ctx, txn, name); err != nil {
		return err
	}

	txn.Commit()

	return nil
}

// memDBDeleteClientByNameInTxn deletes the client with name from memdb using the given txn.
func (i *IdentityStore) memDBDeleteClientByNameInTxn(ctx context.Context, txn *memdb.Txn, name string) error {
	if name == "" {
		return errors.New("missing client name")
	}

	if txn == nil {
		return errors.New("txn is nil")
	}

	client, err := i.memDBClientByNameInTxn(ctx, txn, name)
	if err != nil {
		return err
	}
	if client == nil {
		return nil
	}

	if err := txn.Delete(oidcClientsTable, client); err != nil {
		return fmt.Errorf("failed to delete client from memdb: %w", err)
	}

	return nil
}

// memDBUpsertClientInTxn creates or updates the given client in memdb using the given txn.
func (i *IdentityStore) memDBUpsertClientInTxn(txn *memdb.Txn, client *client) error {
	if client == nil {
		return errors.New("client is nil")
	}

	if txn == nil {
		return errors.New("nil txn")
	}

	clientRaw, err := txn.First(oidcClientsTable, "id", client.ClientID)
	if err != nil {
		return fmt.Errorf("failed to lookup client from memdb using ID: %w", err)
	}

	if clientRaw != nil {
		err = txn.Delete(oidcClientsTable, clientRaw)
		if err != nil {
			return fmt.Errorf("failed to delete client from memdb: %w", err)
		}
	}

	if err := txn.Insert(oidcClientsTable, client); err != nil {
		return fmt.Errorf("failed to update client in memdb: %w", err)
	}

	return nil
}

// storageClientByName returns the client with name from the given logical storage.
func (i *IdentityStore) storageClientByName(ctx context.Context, s logical.Storage, name string) (*client, error) {
	entry, err := s.Get(ctx, clientPath+name)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var client client
	if err := entry.DecodeJSON(&client); err != nil {
		return nil, err
	}

	return &client, nil
}

// storageClientByID returns the client with ID from the given logical storage.
func (i *IdentityStore) storageClientByID(ctx context.Context, s logical.Storage, id string) (*client, error) {
	clients, err := s.List(ctx, clientPath)
	if err != nil {
		return nil, err
	}

	for _, name := range clients {
		client, err := i.storageClientByName(ctx, s, name)
		if err != nil {
			return nil, err
		}
		if client == nil {
			continue
		}

		if client.ClientID == id {
			return client, nil
		}
	}

	return nil, nil
}

func (i *IdentityStore) listClients(ctx context.Context, s logical.Storage) ([]*client, error) {
	clientNames, err := s.List(ctx, clientPath)
	if err != nil {
		return nil, err
	}

	var clients []*client
	for _, name := range clientNames {
		entry, err := s.Get(ctx, clientPath+name)
		if err != nil {
			return nil, err
		}
		if entry == nil {
			continue
		}

		var client client
		if err := entry.DecodeJSON(&client); err != nil {
			return nil, err
		}
		clients = append(clients, &client)
	}

	return clients, nil
}