feat: propagate 503/429 errors with retry information from OpenID configuration and token endpoints

- Return ServiceUnavailableError for 503 responses from both OpenID config and token endpoints
- Return ThrottledError for 429 responses from both endpoints
- Extract and include Retry-After header values in error responses to enable proper retry backoff
- Add comprehensive test coverage for error scenarios in both provider and introspector components

Author: vasayxtx

idptoken/introspector.go

@@ -674,6 +674,16 @@ func (i *Introspector) getWellKnownIntrospectionEndpointURL(ctx context.Context,
 	openIDCfg, err := idputil.GetOpenIDConfiguration(
 		ctx, i.HTTPClient, openIDCfgURL, nil, logger, i.promMetrics)
 	if err != nil {
+		var unexpectedRespErr *idputil.UnexpectedResponseError
+		if errors.As(err, &unexpectedRespErr) {
+			retryAfter := unexpectedRespErr.Header.Get("Retry-After")
+			switch unexpectedRespErr.StatusCode {
+			case http.StatusServiceUnavailable:
+				return "", &ServiceUnavailableError{RetryAfter: retryAfter, Err: err}
+			case http.StatusTooManyRequests:
+				return "", &ThrottledError{RetryAfter: retryAfter, Err: err}
+			}
+		}
 		return "", fmt.Errorf("get OpenID configuration: %w", err)
 	}
 	if openIDCfg.IntrospectionEndpoint == "" {

idptoken/introspector_test.go

@@ -9,6 +9,7 @@ package idptoken_test
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sync"
@@ -1454,3 +1455,88 @@ func TestIntrospector_IntrospectToken_ConcurrentCloning(t *gotesting.T) {
 		}
 	})
 }
+
+func TestIntrospector_OpenIDConfigurationErrors(t *gotesting.T) {
+	const validAccessToken = "access-token-with-introspection-permission"
+	const retryAfterValue = "120"
+
+	t.Run("error, dynamic introspection endpoint, openid config returns 503", func(t *gotesting.T) {
+		// Create a test server that returns 503 for OpenID configuration endpoint
+		testServer := http.NewServeMux()
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusServiceUnavailable)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		// Create a JWT token with this issuer
+		tokenToIntrospect := idptest.MustMakeTokenStringSignedWithTestKey(&jwt.DefaultClaims{
+			RegisteredClaims: jwtgo.RegisteredClaims{
+				Issuer:    serverURL,
+				Subject:   uuid.NewString(),
+				ID:        uuid.NewString(),
+				ExpiresAt: jwtgo.NewNumericDate(time.Now().Add(time.Hour)),
+			},
+		})
+
+		introspector, err := idptoken.NewIntrospectorWithOpts(
+			idptest.NewSimpleTokenProvider(validAccessToken),
+			idptoken.IntrospectorOpts{},
+		)
+		require.NoError(t, err)
+		require.NoError(t, introspector.AddTrustedIssuerURL(serverURL))
+
+		_, err = introspector.IntrospectToken(context.Background(), tokenToIntrospect)
+		var svcUnavailableErr *idptoken.ServiceUnavailableError
+		require.ErrorAs(t, err, &svcUnavailableErr)
+		require.Equal(t, retryAfterValue, svcUnavailableErr.RetryAfter)
+	})
+
+	t.Run("error, dynamic introspection endpoint, openid config returns 429", func(t *gotesting.T) {
+		// Create a test server that returns 429 for OpenID configuration endpoint
+		testServer := http.NewServeMux()
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusTooManyRequests)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		// Create a JWT token with this issuer
+		tokenToIntrospect := idptest.MustMakeTokenStringSignedWithTestKey(&jwt.DefaultClaims{
+			RegisteredClaims: jwtgo.RegisteredClaims{
+				Issuer:    serverURL,
+				Subject:   uuid.NewString(),
+				ID:        uuid.NewString(),
+				ExpiresAt: jwtgo.NewNumericDate(time.Now().Add(time.Hour)),
+			},
+		})
+
+		introspector, err := idptoken.NewIntrospectorWithOpts(
+			idptest.NewSimpleTokenProvider(validAccessToken),
+			idptoken.IntrospectorOpts{},
+		)
+		require.NoError(t, err)
+		require.NoError(t, introspector.AddTrustedIssuerURL(serverURL))
+
+		_, err = introspector.IntrospectToken(context.Background(), tokenToIntrospect)
+		var throttledErr *idptoken.ThrottledError
+		require.ErrorAs(t, err, &throttledErr)
+		require.Equal(t, retryAfterValue, throttledErr.RetryAfter)
+	})
+}

idptoken/provider.go

@@ -611,6 +611,16 @@ func (ti *oauth2Issuer) fetchTokenURL(ctx context.Context, customHeaders map[str
 	openIDCfg, err := idputil.GetOpenIDConfiguration(
 		ctx, ti.httpClient, openIDCfgURL, customHeaders, ti.logger, ti.promMetrics)
 	if err != nil {
+		var unexpectedRespErr *idputil.UnexpectedResponseError
+		if errors.As(err, &unexpectedRespErr) {
+			retryAfter := unexpectedRespErr.Header.Get("Retry-After")
+			switch unexpectedRespErr.StatusCode {
+			case http.StatusServiceUnavailable:
+				return "", &ServiceUnavailableError{RetryAfter: retryAfter, Err: err}
+			case http.StatusTooManyRequests:
+				return "", &ThrottledError{RetryAfter: retryAfter, Err: err}
+			}
+		}
 		return "", fmt.Errorf("(%s, %s): get OpenID configuration: %w", ti.baseURL, ti.clientID, err)
 	}
 	if _, err = url.ParseRequestURI(openIDCfg.TokenURL); err != nil {
@@ -660,6 +670,20 @@ func (ti *oauth2Issuer) issueToken(
 		}
 	}()
 
+	if resp.StatusCode != http.StatusOK {
+		ti.promMetrics.ObserveHTTPClientRequest(
+			http.MethodPost, tokenURL, resp.StatusCode, elapsed, metrics.HTTPRequestErrorUnexpectedStatusCode)
+		retryAfter := resp.Header.Get("Retry-After")
+		err := &UnexpectedIDPResponseError{HTTPCode: resp.StatusCode, IssueURL: ti.loadTokenURL()}
+		switch resp.StatusCode {
+		case http.StatusServiceUnavailable:
+			return tokenData{}, &ServiceUnavailableError{RetryAfter: retryAfter, Err: err}
+		case http.StatusTooManyRequests:
+			return tokenData{}, &ThrottledError{RetryAfter: retryAfter, Err: err}
+		}
+		return tokenData{}, err
+	}
+
 	tokenResponse := tokenResponseBody{}
 	if err = json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {
 		ti.promMetrics.ObserveHTTPClientRequest(
@@ -669,12 +693,6 @@ func (ti *oauth2Issuer) issueToken(
 		)
 	}
 
-	if resp.StatusCode != http.StatusOK {
-		ti.promMetrics.ObserveHTTPClientRequest(
-			http.MethodPost, tokenURL, resp.StatusCode, elapsed, metrics.HTTPRequestErrorUnexpectedStatusCode)
-		return tokenData{}, &UnexpectedIDPResponseError{HTTPCode: resp.StatusCode, IssueURL: ti.loadTokenURL()}
-	}
-
 	ti.promMetrics.ObserveHTTPClientRequest(http.MethodPost, tokenURL, resp.StatusCode, elapsed, "")
 	expires := time.Now().Add(time.Second * time.Duration(tokenResponse.ExpiresIn))
 	ti.logger.Infof("(%s, %s): issued token, expires on %s", ti.loadTokenURL(), ti.clientID, expires.UTC())

idptoken/provider_test.go

@@ -10,6 +10,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"sync"
 	"sync/atomic"
@@ -784,6 +785,178 @@ func TestProviderConcurrency(t *testing.T) {
 	})
 }
 
+func TestProvider_OpenIDConfigurationErrors(t *testing.T) {
+	const retryAfterValue = "120"
+
+	t.Run("error, openid config returns 503", func(t *testing.T) {
+		// Create a test server that returns 503 for OpenID configuration endpoint
+		testServer := http.NewServeMux()
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusServiceUnavailable)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		credentials := []idptoken.Source{
+			{
+				ClientID:     testClientID,
+				ClientSecret: "test-secret",
+				URL:          serverURL,
+			},
+		}
+		// Use a custom HTTP client with minimal timeout and no retries
+		httpClient := &http.Client{Timeout: 2 * time.Second}
+		opts := idptoken.ProviderOpts{
+			HTTPClient: httpClient,
+		}
+		provider := idptoken.NewMultiSourceProviderWithOpts(credentials, opts)
+
+		_, err = provider.GetToken(context.Background(), testClientID, serverURL)
+		var svcUnavailableErr *idptoken.ServiceUnavailableError
+		require.ErrorAs(t, err, &svcUnavailableErr)
+		require.Equal(t, retryAfterValue, svcUnavailableErr.RetryAfter)
+	})
+
+	t.Run("error, openid config returns 429", func(t *testing.T) {
+		// Create a test server that returns 429 for OpenID configuration endpoint
+		testServer := http.NewServeMux()
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusTooManyRequests)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		credentials := []idptoken.Source{
+			{
+				ClientID:     testClientID,
+				ClientSecret: "test-secret",
+				URL:          serverURL,
+			},
+		}
+		// Use a custom HTTP client with minimal timeout and no retries
+		httpClient := &http.Client{Timeout: 2 * time.Second}
+		opts := idptoken.ProviderOpts{
+			HTTPClient: httpClient,
+		}
+		provider := idptoken.NewMultiSourceProviderWithOpts(credentials, opts)
+
+		_, err = provider.GetToken(context.Background(), testClientID, serverURL)
+		var throttledErr *idptoken.ThrottledError
+		require.ErrorAs(t, err, &throttledErr)
+		require.Equal(t, retryAfterValue, throttledErr.RetryAfter)
+	})
+}
+
+func TestProvider_TokenEndpointErrors(t *testing.T) {
+	const retryAfterValue = "120"
+
+	t.Run("error, token endpoint returns 503", func(t *testing.T) {
+		// Create a test server that returns 503 for token endpoint
+		testServer := http.NewServeMux()
+		// OpenID configuration needs to be served to get the token URL
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			resp := map[string]string{
+				"token_endpoint": fmt.Sprintf("http://%s%s", r.Host, idptest.TokenEndpointPath),
+			}
+			_ = json.NewEncoder(w).Encode(resp)
+		})
+		testServer.HandleFunc(idptest.TokenEndpointPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusServiceUnavailable)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		credentials := []idptoken.Source{
+			{
+				ClientID:     testClientID,
+				ClientSecret: "test-secret",
+				URL:          serverURL,
+			},
+		}
+		// Use a custom HTTP client with minimal timeout and no retries
+		httpClient := &http.Client{Timeout: 2 * time.Second}
+		opts := idptoken.ProviderOpts{
+			HTTPClient: httpClient,
+		}
+		provider := idptoken.NewMultiSourceProviderWithOpts(credentials, opts)
+
+		_, err = provider.GetToken(context.Background(), testClientID, serverURL)
+		var svcUnavailableErr *idptoken.ServiceUnavailableError
+		require.ErrorAs(t, err, &svcUnavailableErr)
+		require.Equal(t, retryAfterValue, svcUnavailableErr.RetryAfter)
+	})
+
+	t.Run("error, token endpoint returns 429", func(t *testing.T) {
+		// Create a test server that returns 429 for token endpoint
+		testServer := http.NewServeMux()
+		// OpenID configuration needs to be served to get the token URL
+		testServer.HandleFunc(idptest.OpenIDConfigurationPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			resp := map[string]string{
+				"token_endpoint": fmt.Sprintf("http://%s%s", r.Host, idptest.TokenEndpointPath),
+			}
+			_ = json.NewEncoder(w).Encode(resp)
+		})
+		testServer.HandleFunc(idptest.TokenEndpointPath, func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Retry-After", retryAfterValue)
+			w.WriteHeader(http.StatusTooManyRequests)
+		})
+		server := &http.Server{Addr: "127.0.0.1:0", Handler: testServer}
+		listener, err := net.Listen("tcp", server.Addr)
+		require.NoError(t, err)
+		defer func() { _ = listener.Close() }()
+
+		go func() { _ = server.Serve(listener) }()
+		defer func() { _ = server.Shutdown(context.Background()) }()
+
+		serverURL := fmt.Sprintf("http://%s", listener.Addr().String())
+
+		credentials := []idptoken.Source{
+			{
+				ClientID:     testClientID,
+				ClientSecret: "test-secret",
+				URL:          serverURL,
+			},
+		}
+		// Use a custom HTTP client with minimal timeout and no retries
+		httpClient := &http.Client{Timeout: 2 * time.Second}
+		opts := idptoken.ProviderOpts{
+			HTTPClient: httpClient,
+		}
+		provider := idptoken.NewMultiSourceProviderWithOpts(credentials, opts)
+
+		_, err = provider.GetToken(context.Background(), testClientID, serverURL)
+		var throttledErr *idptoken.ThrottledError
+		require.ErrorAs(t, err, &throttledErr)
+		require.Equal(t, retryAfterValue, throttledErr.RetryAfter)
+	})
+}
+
 type claimsProviderWithExpiration struct {
 	ExpTime time.Duration
 }

internal/idputil/errors.go

@@ -0,0 +1,23 @@
+/*
+Copyright © 2025 Acronis International GmbH.
+
+Released under MIT license.
+*/
+
+package idputil
+
+import (
+	"fmt"
+	"net/http"
+)
+
+// UnexpectedResponseError represents an error that occurs when an unexpected HTTP response is received.
+// It captures the HTTP status code and response headers for further analysis.
+type UnexpectedResponseError struct {
+	StatusCode int
+	Header     http.Header
+}
+
+func (e *UnexpectedResponseError) Error() string {
+	return fmt.Sprintf("unexpected HTTP status code %d", e.StatusCode)
+}

internal/idputil/openid_configuration.go

@@ -58,7 +58,10 @@ func GetOpenIDConfiguration(
 	if resp.StatusCode != http.StatusOK {
 		promMetrics.ObserveHTTPClientRequest(
 			http.MethodGet, targetURL, resp.StatusCode, elapsed, metrics.HTTPRequestErrorUnexpectedStatusCode)
-		return OpenIDConfiguration{}, fmt.Errorf("unexpected HTTP code %d", resp.StatusCode)
+		return OpenIDConfiguration{}, &UnexpectedResponseError{
+			StatusCode: resp.StatusCode,
+			Header:     resp.Header.Clone(),
+		}
 	}
 
 	var openIDCfg OpenIDConfiguration

jwks/client_test.go

@@ -65,7 +65,7 @@ func TestClient_GetRSAPublicKey(t *testing.T) {
 		var openIDCfgErr *jwks.GetOpenIDConfigurationError
 		require.True(t, errors.As(err, &openIDCfgErr))
 		require.Equal(t, issuerConfigServer.URL+idputil.OpenIDConfigurationPath, openIDCfgErr.URL)
-		require.EqualError(t, openIDCfgErr.Inner, "unexpected HTTP code 500")
+		require.EqualError(t, openIDCfgErr.Inner, "unexpected HTTP status code 500")
 		require.Nil(t, pubKey)
 	})