feat(go-oidc): add example using coreos/go-oidc/v3 library

- Add browser-based authorization code example with provider discovery
- Support PKCE (S256) and optional client secret for public clients
- Verify ID token nonce, signature, and at_hash against the JWKS
- Query UserInfo endpoint and render claims as JSON response
- Register new module under dependabot weekly updates
- Link new example from top-level README quick reference

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: appleboy

.github/dependabot.yml

@@ -16,6 +16,10 @@ updates:
     directory: /go-webservice
     schedule:
       interval: weekly
+  - package-ecosystem: gomod
+    directory: /go-oidc
+    schedule:
+      interval: weekly
   - package-ecosystem: pip
     directory: /python-cli
     schedule:

README.md

@@ -12,6 +12,7 @@ Multi-language usage examples for AuthGate authentication (Go, Python, Bash).
 | [go-m2m](go-m2m/)               | Service-to-service   | Client Credentials           | Go       | Go 1.25+         |
 | [python-m2m](python-m2m/)       | Service-to-service   | Client Credentials           | Python   | Python 3.10+, uv |
 | [go-webservice](go-webservice/) | API protection       | Bearer validation            | Go       | Go 1.25+         |
+| [go-oidc](go-oidc/)             | Web login (no SDK)   | Auth Code (coreos/go-oidc)   | Go       | Go 1.25+         |
 
 ## Environment Setup
 
@@ -103,6 +104,16 @@ curl -H "Authorization: Bearer <token>" http://localhost:8080/api/profile
 curl -H "Authorization: Bearer <token>" http://localhost:8080/api/data
 ```
 
+## OIDC Web Login (no SDK)
+
+Browser-based Authorization Code flow against any OpenID Connect provider using the standard [`github.com/coreos/go-oidc/v3`](https://github.com/coreos/go-oidc) library and `golang.org/x/oauth2`. Demonstrates discovery, state + nonce CSRF protection, ID token verification, and the UserInfo endpoint — handy when integrating AuthGate into an existing Go web app without the SDK.
+
+```bash
+cd go-oidc
+go run main.go
+# then open http://localhost:8080/
+```
+
 ## OAuth 2.0 Flows
 
 - **Authorization Code + PKCE** — Browser-based login, most secure for CLI tools on machines with a browser. The client opens a browser, the user authenticates, and a code is exchanged for tokens.

go-oidc/README.md

@@ -0,0 +1,105 @@
+# Go OIDC — `github.com/coreos/go-oidc/v3`
+
+Browser-based OpenID Connect sign-in using the standard [go-oidc](https://github.com/coreos/go-oidc) library and `golang.org/x/oauth2`, without the AuthGate SDK. This is useful when you want to integrate AuthGate (or any OIDC provider) into an existing Go web app that already uses the upstream OAuth2 toolchain.
+
+## OAuth Flow
+
+**Authorization Code** with:
+
+- **State** cookie — CSRF protection on the redirect back to `/callback`.
+- **Nonce** — CSRF / replay protection tied to the ID token. Generated on `/login`, verified against `id_token.nonce` on callback.
+- **PKCE (S256)** — required by most modern providers (AuthGate rejects public clients without it: `invalid_request: pkce required for public clients`). Verifier generated on `/login`, challenge sent via `oauth2.S256ChallengeOption`, verifier sent back on code exchange via `oauth2.VerifierOption`.
+- **ID token verification** — signature checked against the provider's JWKS; `iss`, `aud`, `exp` validated automatically by `verifier.Verify`.
+- **`at_hash`** — when present, access token is bound to the ID token via `idToken.VerifyAccessToken`.
+
+## Prerequisites
+
+- Go 1.25+
+- An OIDC provider (e.g., AuthGate) with a confidential client that allows `http://localhost:8088/callback` as a redirect URI
+
+## Environment Variables
+
+| Variable        | Required | Description                                                                 |
+| --------------- | -------- | --------------------------------------------------------------------------- |
+| `ISSUER_URL`    | Yes      | OIDC issuer URL (discovery: `$ISSUER_URL/.well-known/openid-configuration`) |
+| `CLIENT_ID`     | Yes      | OAuth 2.0 client identifier                                                 |
+| `CLIENT_SECRET` | No       | OAuth 2.0 client secret. Omit for **public** clients (PKCE-only)            |
+| `REDIRECT_URL`  | No       | Defaults to `http://localhost:8088/callback`                                |
+
+## Usage
+
+```bash
+export ISSUER_URL=https://auth.example.com
+export CLIENT_ID=your-client-id
+export CLIENT_SECRET=your-client-secret
+go run main.go
+```
+
+Or create a `.env` file in the `go-oidc/` directory:
+
+```bash
+ISSUER_URL=https://auth.example.com
+CLIENT_ID=your-client-id
+CLIENT_SECRET=your-client-secret
+REDIRECT_URL=http://localhost:8088/callback
+```
+
+Then open <http://localhost:8088/> in a browser and click **Sign in**.
+
+## Routes
+
+| Route       | Description                                                                                |
+| ----------- | ------------------------------------------------------------------------------------------ |
+| `/`         | Landing page with a sign-in link                                                           |
+| `/login`    | Generates state + nonce, sets cookies, redirects to the provider's authorize endpoint      |
+| `/callback` | Validates state, exchanges code, verifies ID token + nonce, fetches userinfo, renders JSON |
+
+## How It Works
+
+1. `oidc.NewProvider(ctx, issuerURL)` fetches the discovery document and extracts the authorize/token/userinfo/JWKS endpoints.
+2. `provider.Verifier(&oidc.Config{ClientID: ...})` builds an `*oidc.IDTokenVerifier` that caches JWKS keys and validates `iss`, `aud`, `exp`, and signature.
+3. `oauth2.Config` is wired to `provider.Endpoint()` so the upstream OAuth2 helpers do the heavy lifting of the code exchange.
+4. On `/login`, fresh random state, nonce, and PKCE verifier are stored in short-lived HttpOnly cookies. The nonce is passed via `oidc.Nonce(nonce)` so the provider echoes it into the ID token, and the PKCE challenge is added via `oauth2.S256ChallengeOption(verifier)`.
+5. On `/callback`, the handler:
+   - Rejects the response if `state` does not match the cookie.
+   - Exchanges the code via `oauth2Config.Exchange(ctx, code, oauth2.VerifierOption(pkceVerifier))`.
+   - Extracts the raw ID token from `oauth2Token.Extra("id_token")`.
+   - Calls `verifier.Verify` to cryptographically validate it.
+   - Rejects the response if `idToken.Nonce` does not match the cookie.
+   - Calls `idToken.VerifyAccessToken` when an `at_hash` claim is present.
+   - Queries the UserInfo endpoint via `provider.UserInfo` and returns both ID token claims and UserInfo claims as JSON.
+
+## Example Response
+
+`GET /callback` (successful flow) returns something like:
+
+```json
+{
+  "subject": "user-uuid-1234",
+  "issuer": "https://auth.example.com",
+  "audience": ["your-client-id"],
+  "expiry": "2026-04-23T14:23:45Z",
+  "id_token_claims": {
+    "sub": "user-uuid-1234",
+    "email": "alice@example.com",
+    "email_verified": true,
+    "nonce": "..."
+  },
+  "access_token": "eyJhbGci...",
+  "refresh_token": "abcdef12...",
+  "token_type": "Bearer",
+  "token_expiry": "2026-04-23T15:23:45Z",
+  "userinfo": {
+    "sub": "user-uuid-1234",
+    "email": "alice@example.com",
+    "name": "Alice"
+  },
+  "userinfo_fetch_ok": true
+}
+```
+
+## Notes
+
+- For production, store `id_token`, `access_token`, and `refresh_token` in a session (e.g., encrypted cookie, server-side store) rather than echoing them to the browser — this example prints them to make the flow transparent.
+- The `Secure` cookie flag is set automatically when the server is reached over TLS (`r.TLS != nil`). Behind a reverse proxy that terminates TLS, configure the proxy to pass the correct scheme or set the flag explicitly.
+- `go-oidc` handles JWKS key rotation transparently — you do not need to refresh the verifier manually.

go-oidc/go.mod

@@ -0,0 +1,11 @@
+module github.com/go-authgate/examples/go-oidc
+
+go 1.25.8
+
+require (
+	github.com/coreos/go-oidc/v3 v3.18.0
+	github.com/joho/godotenv v1.5.1
+	golang.org/x/oauth2 v0.36.0
+)
+
+require github.com/go-jose/go-jose/v4 v4.1.4 // indirect

go-oidc/go.sum

@@ -0,0 +1,8 @@
+github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
+github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=