Implement internal/jwk (JWK construction + RFC 7638 thumbprint as kid) and internal/oidc (discovery doc rendering). Add two read-only stdout commands — jotsmith discovery show and jotsmith jwks show — that compute and print exactly the JSON setup would upload, so users can diff computed-vs-published.
No uploads happen in this slice; it's pure rendering on top of the read-only Azure adapters from #4.
Acceptance criteria
internal/jwk exposes a constructor that builds a JWK from a Key Vault JSONWebKey with kty=RSA, use=sig, alg=RS256, plus n, e, and a computed kid
kid computation is RFC 7638 §3-compliant: required fields only (e, kty, n), sorted lexicographically by Unicode code point, no whitespace, no line breaks, UTF-8 encoded, SHA-256 hashed, base64url-encoded (no padding)
Unit test verifies the thumbprint matches the RFC 7638 §3.1 worked example byte-for-byte
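The constructor and RFC 7638 thumbprint described in the three criteria above, as an added example (not the jotsmith project's own internal/jwk code). KeyVaultRSAKey is an assumed stand-in for the subset of the Key Vault JSONWebKey the adapter would return, with n and e as raw big-endian bytes; the function names Thumbprint and FromKeyVault are this example's own. The canonical form relies on encoding/json writing struct fields in declaration order with no whitespace, which gives the required e, kty, n ordering without a hand-built string.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// JWK is the public RSA signing key as it will appear in the published JWKS.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// KeyVaultRSAKey is an assumed stand-in for the subset of a Key Vault
// JSONWebKey the read-only adapter hands back: key type plus modulus and
// public exponent as raw big-endian bytes (not the Azure SDK type itself).
type KeyVaultRSAKey struct {
	Kty string
	N   []byte
	E   []byte
}

// Thumbprint computes the RFC 7638 §3 thumbprint of an RSA public key whose
// n and e are already base64url strings. Only the required members (e, kty,
// n) are hashed; alg, use and any pre-existing kid are deliberately left out,
// so two copies of the same key that differ only in metadata share a kid.
func Thumbprint(n, e string) string {
	// encoding/json emits struct fields in declaration order with no
	// whitespace, so declaring e, kty, n in that order yields the canonical
	// lexicographic member order. The base64url alphabet contains none of the
	// characters (<, >, &) that json.Marshal escapes, so these bytes are the
	// exact UTF-8 serialization the RFC requires.
	canon, _ := json.Marshal(struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{E: e, Kty: "RSA", N: n})
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// FromKeyVault builds the JWK to publish: kty=RSA, use=sig, alg=RS256, n, e,
// and kid set to the thumbprint of n and e.
func FromKeyVault(k KeyVaultRSAKey) (JWK, error) {
	if k.Kty != "RSA" {
		return JWK{}, fmt.Errorf("jwk: unsupported key type %q (v1 publishes RSA only)", k.Kty)
	}
	if len(k.N) == 0 || len(k.E) == 0 {
		return JWK{}, errors.New("jwk: Key Vault key is missing n or e")
	}
	// RFC 7518 requires the minimal big-endian octet string (no leading zero
	// octets); trim defensively so the same key always yields the same kid.
	n := base64.RawURLEncoding.EncodeToString(trimLeadingZeros(k.N))
	e := base64.RawURLEncoding.EncodeToString(trimLeadingZeros(k.E))
	return JWK{Kty: "RSA", Use: "sig", Alg: "RS256", Kid: Thumbprint(n, e), N: n, E: e}, nil
}

func trimLeadingZeros(b []byte) []byte {
	for len(b) > 1 && b[0] == 0 {
		b = b[1:]
	}
	return b
}

func main() {
	// Constructed input: exponent 65537 and a tiny placeholder modulus with a
	// leading zero octet; a real Key Vault modulus is 256 bytes or more.
	j, err := FromKeyVault(KeyVaultRSAKey{Kty: "RSA", N: []byte{0x00, 0xC2, 0x11, 0x7F}, E: []byte{0x01, 0x00, 0x01}})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(j, "", "  ")
	fmt.Println(string(out))
}
```

Run against the RFC 7638 §3.1 key (the 2048-bit modulus with e=AQAB), Thumbprint returns NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs, which is the unit-test check the acceptance criteria call for; feeding the same modulus with a prepended zero octet through FromKeyVault yields the same kid, which is why the trim is there.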
internal/oidc renders the discovery JSON per PRD §7 given an issuer URL — issuer, jwks_uri, response_types_supported, subject_types_supported, id_token_signing_alg_values_supported, scopes_supported, claims_supported
jwks_uri is computed as <issuer>/<jwks_path> with deterministic slash handling
jotsmith discovery show prints the rendered discovery doc to stdout (pretty-printed)
jotsmith jwks show fetches the current KV public key, builds the JWK, and prints the JWKS ({"keys":[<jwk>]}) to stdout (pretty-printed). The keys field is always an array, length 1 in v1 (per ADR-0003)
Both commands surface KV access errors to stderr with the role-hint message format used by doctor
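The rendering side of the criteria above (discovery doc, deterministic jwks_uri, and the always-an-array JWKS wrapper), as an added example rather than the project's internal/oidc code. The function names RenderDiscovery, JoinJWKSURI and RenderJWKS are this example's own; the response_types_supported and subject_types_supported values are assumed for illustration because the page does not give the PRD §7 values, while RS256 comes from the alg the issue specifies. The issuer is validated as an absolute https URL without query or fragment and is copied into the document unchanged, so that "diff computed-vs-published" compares the exact string verifiers will match against the iss claim.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Discovery holds the discovery-document members the issue lists.
type Discovery struct {
	Issuer                           string   `json:"issuer"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	ScopesSupported                  []string `json:"scopes_supported"`
	ClaimsSupported                  []string `json:"claims_supported"`
}

// JoinJWKSURI returns <issuer>/<jwksPath> with exactly one slash at the join,
// whatever trailing or leading slashes the inputs carry, so the same inputs
// always give the same jwks_uri and a diff against the published doc is not
// polluted by "//".
func JoinJWKSURI(issuer, jwksPath string) string {
	return strings.TrimRight(issuer, "/") + "/" + strings.TrimLeft(jwksPath, "/")
}

// RenderDiscovery validates the issuer and returns the pretty-printed
// discovery JSON. The issuer string is copied in unchanged (trailing slash
// included) because relying parties compare it byte-for-byte with iss.
func RenderDiscovery(issuer, jwksPath string, scopes, claims []string) ([]byte, error) {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return nil, fmt.Errorf("oidc: issuer %q must be an absolute https URL with no query or fragment", issuer)
	}
	// Render empty lists as [] rather than null so the output stays stable.
	if scopes == nil {
		scopes = []string{}
	}
	if claims == nil {
		claims = []string{}
	}
	doc := Discovery{
		Issuer:  issuer,
		JWKSURI: JoinJWKSURI(issuer, jwksPath),
		// RS256 is the signing alg the issue specifies; the response and
		// subject types are assumed values for this example, not PRD §7.
		ResponseTypesSupported:           []string{"id_token"},
		SubjectTypesSupported:            []string{"public"},
		IDTokenSigningAlgValuesSupported: []string{"RS256"},
		ScopesSupported:                  scopes,
		ClaimsSupported:                  claims,
	}
	return json.MarshalIndent(doc, "", "  ")
}

// RenderJWKS wraps one already-serialized JWK as {"keys":[<jwk>]}: keys is
// always an array even though v1 publishes exactly one key.
func RenderJWKS(jwk json.RawMessage) ([]byte, error) {
	if !json.Valid(jwk) {
		return nil, fmt.Errorf("oidc: jwk is not valid JSON")
	}
	return json.MarshalIndent(struct {
		Keys []json.RawMessage `json:"keys"`
	}{Keys: []json.RawMessage{jwk}}, "", "  ")
}

func main() {
	// Constructed values; the real commands take the issuer from config and
	// the key from Key Vault, and report adapter errors on stderr.
	doc, err := RenderDiscovery("https://idp.example.com/", "/.well-known/jwks.json",
		[]string{"openid"}, []string{"sub", "iss", "aud", "exp", "iat"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(doc))
	jwks, _ := RenderJWKS(json.RawMessage(`{"kty":"RSA","use":"sig","alg":"RS256","kid":"PLACEHOLDER-KID","n":"PLACEHOLDER-N","e":"AQAB"}`))
	fmt.Println(string(jwks))
}
```

Note that json.MarshalIndent re-indents the embedded RawMessage along with the wrapper, so the JWKS comes out pretty-printed as a whole; if the published document was uploaded compact, run both sides through the same indenter before diffing.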
Blocked by
azurex adapters and doctor (read-only)
Originally created in OpenCode session ID: ses_17ca8efd8ffexLcFSysAMDVNBQ