Diffstat (limited to 'app')
| -rw-r--r-- | app/app.go | 4 | ||||
| -rw-r--r-- | app/controllers/sessions/controller_test.go | 51 |
2 files changed, 4 insertions, 51 deletions
@@ -10,6 +10,7 @@ import (
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/health"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/sessions"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/sparkles"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/middleware"
 )
@@ -30,5 +31,6 @@ func New() http.Handler {
 mux.Handle("GET /", http.FileServer(http.Dir("public")))
 logger := ioc.MustResolve[*zerolog.Logger](ioc.Default)
- return log.HTTP(logger)(middleware.UnpackToken()(mux))
+ oidc := ioc.MustResolve[*oidc.OpenID](ioc.Default)
+ return log.HTTP(logger)(middleware.UnpackToken(oidc)(mux))
 }
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 71f9311..1b829bf 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
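Review bot: In `New()`, the added local `oidc := ioc.MustResolve[*oidc.OpenID](ioc.Default)` shadows the `oidc` package imported in the first hunk, so any later use of the package name inside this function would resolve to the variable instead. Rename the local, e.g. `provider := ioc.MustResolve[*oidc.OpenID](ioc.Default)` and `return log.HTTP(logger)(middleware.UnpackToken(provider)(mux))`. Since this line wires the OIDC provider into the token middleware for every route, a short comment such as `// resolved once at startup; a missing OIDC registration must stop the server rather than serve without a verifier` would document the intent. That fail-closed behaviour is inferred from the `Must` prefix and is not visible here. The start of `New()` lies outside the hunk.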
@@ -4,68 +4,19 @@ import (
 "encoding/base64"
 "encoding/json"
 "net/http"
- "net/http/httptest"
 "net/url"
 "strings"
 "testing"
- "time"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/serde"
 "github.com/xlgmokha/x/pkg/x"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
 )
 func TestSessions(t *testing.T) {
- srv := httptest.NewServer(nil)
- srv.Config = &http.Server{
- Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch r.URL.Path {
- case "/.well-known/openid-configuration":
- require.NoError(t, serde.ToJSON(w, &oidc.Metadata{
- AuthorizationEndpoint: srv.URL + "/oauth/authorize",
- ClaimsSupported: []string{"aud"},
- CodeChallengeMethodsSupported: []string{"plain"},
- DeviceAuthorizationEndpoint: srv.URL + "/device/authorize",
- IDTokenSigningAlgValuesSupported: []string{"RS256"},
- Issuer: srv.URL,
- JWKSURI: srv.URL + "/jwks",
- MFAChallengeEndpoint: srv.URL + "/mfa",
- RegistrationEndpoint: srv.URL + "/users/new",
- RequestURIParameterSupported: false,
- ResponseModesSupported: []string{"query"},
- ResponseTypeSupported: []string{"code"},
- RevocationEndpoint: srv.URL + "/revoke",
- ScopesSupported: []string{"oidc"},
- SubjectTypesSupported: []string{"public"},
- TokenEndpoint: srv.URL + "/token",
- TokenEndpointAuthMethodsSupported: []string{"client_secret_post"},
- UserInfoEndpoint: srv.URL + "/users/me",
- }))
- case "/token":
- if err := r.ParseForm(); err != nil {
- w.WriteHeader(http.StatusBadRequest)
- return
- }
- if r.Form["grant_type"][0] == "authorization_code" && r.Form["code"][0] == "code" {
- w.Header().Add("Content-Type", "application/json")
- require.NoError(t, serde.ToJSON(w, map[string]string{
- "access_token": "14fa6e71afaabbe5e31ef2b47ccab7ca7a3c26f8dfdb74acce3eca30099af028",
- "token_type": "Bearer",
- "refresh_token": "365b261d4b25ba37e7c1e14e6501902aeecfb7fffc4602c44d6ac22b4c715b0f",
- // "expiry": "2025-04-15T19:16:38.78960504-06:00"
- "expiry": time.Now().Add(1 * time.Hour).Format(time.RFC3339),
- "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.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.SZu_l7tQ2Kkeogq0z8cRaDWPfv52JTo-RkiExbnud_lrfrXXneS77BIzaGKX_bzq4SM_oO_Q63AzK66B1r6Gp7ACo4DjOUEIWETg7ZBKcDzEZnresB7kmI_MJ5rfIJTmnH75GOfc_pl5l8T896TbaShN6zSpaXXIVEfhyUrflSWb4hhA7Hbwy2b6laXiaDv0qpcn1udPVYMTsll8I5ni_2yzuEPSVRgrcQoQ46OwVDZIi9tlfdT2qNVjH6FxJ3mkBcxtIVjf3_JYAawFEscg2uvQYwFWj9T6LleMknAh3QFJJMrS6mPqlXJGPUE5pTQgsBInfEikfm9PXxezA-IY6g",
- }))
- }
- default:
- t.Logf("404: %v", r.URL.Path)
- w.WriteHeader(http.StatusNotFound)
- }
- }),
- }
+ srv := test.OIDCServer()
 defer srv.Close()
 cfg, err := oidc.New(t.Context(), srv.URL, "client_id", "client_secret", "callback_url") |
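Review bot: `srv := test.OIDCServer()` is called without `t`, so the shared fixture cannot fail or log against the calling test the way the removed inline handler did with `require.NoError(t, ...)` and `t.Logf("404: %v", ...)`. Unless the helper covers this some other way, a broken discovery or token response may only show up later as an unrelated-looking assertion failure. Consider `srv := test.OIDCServer(t)` with the helper registering `t.Cleanup(srv.Close)`, which would also replace the `defer srv.Close()` here. The helper is not part of this view (the diffstat is limited to 'app'), so it is worth confirming that the static token fixtures it now carries stay confined to test-only packages. `TestSessions` continues past the end of the hunk.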
