hupe1980
diff --git a/‎.golangci.yml‎
Lines changed: 42 additions & 32 deletions b/‎.golangci.yml‎
Lines changed: 42 additions & 32 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 4 deletions b/‎README.md‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎_example/main.go‎
Lines changed: 0 additions & 149 deletions b/‎_example/main.go‎
Lines changed: 0 additions & 149 deletions
diff --git a/‎go.mod‎
Lines changed: 3 additions & 3 deletions b/‎go.mod‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎go.sum‎
Lines changed: 6 additions & 6 deletions b/‎go.sum‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎issuer.go‎
Lines changed: 22 additions & 15 deletions b/‎issuer.go‎
Lines changed: 22 additions & 15 deletions
@@ -1,55 +1,65 @@
-linters-settings:
-  errcheck:
-    check-type-assertions: true
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-  gocritic:
-    enabled-tags:
-      - diagnostic
-      - experimental
-      - opinionated
-      - performance
-      - style
-  nolintlint:
-    require-explanation: true
-    require-specific: true
-
+version: "2"
+run:
+  issues-exit-code: 1
 linters:
-  disable-all: true
+  default: none
   enable:
     - bodyclose
-    #- depguard
+    - copyloopvar
     - dogsled
-    #- dupl
     - errcheck
-    - copyloopvar
     - exhaustive
-    #- goconst TODO
-    - gofmt
-    - goimports
-    #- gomnd
     - gocyclo
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - misspell
-    #- nolintlint
     - nakedret
     - prealloc
     - predeclared
     - revive
     - staticcheck
-    - stylecheck
     - thelper
     - tparallel
-    - typecheck
     - unconvert
     - unparam
     - unused
     - whitespace
     - wsl
-
-run:
-  issues-exit-code: 1
+  settings:
+    errcheck:
+      check-type-assertions: true
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - experimental
+        - opinionated
+        - performance
+        - style
+    nolintlint:
+      require-explanation: true
+      require-specific: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
@@ -19,9 +19,6 @@
 - 🔑 **JWKS Generation**  
   Serve JSON Web Key Sets to allow downstream systems to verify your tokens.
 
-- 🌐 **Flexible Routing**  
-  Route token exchanges based on ID token claims using regex-based matching.
-
 ---
 
 ## 🧭 Architecture
@@ -44,8 +41,8 @@ Here's how TokenBridge works in a typical token exchange flow:
           |   3. Returns Access Token |                           |
           +<--------------------------+                           |
           |                           |                           |
-
 ```    
+
 ## 🧩 Components
 
 ### 👤 Client
 
@@ -19,8 +19,8 @@ require (
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.36.3
-	github.com/aws/aws-sdk-go-v2/service/kms v1.38.2
+	github.com/aws/aws-sdk-go-v2/service/kms v1.38.3
 	github.com/coreos/go-oidc/v3 v3.14.1
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/oauth2 v0.29.0
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/oauth2 v0.30.0
 )
@@ -4,8 +4,8 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
-github.com/aws/aws-sdk-go-v2/service/kms v1.38.2 h1:945yEU8s1zYwy9s/2JzEJoHKvbAaZEkPqt8TOuO6r/g=
-github.com/aws/aws-sdk-go-v2/service/kms v1.38.2/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 h1:RivOtUH3eEu6SWnUMFHKAW4MqDOzWn1vGQ3S38Y5QMg=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.3/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
 github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
 github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
@@ -22,10 +22,10 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 
@@ -3,7 +3,6 @@ package tokenbridge
 import (
 	"context"
 	"fmt"
-	"slices"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
@@ -101,29 +100,25 @@ func checkMandatoryClaims(claims jwt.MapClaims, mandatoryClaims []string) error
 // Returns:
 //   - The signed JWT access token as a string if successful.
 //   - An error if there is a problem generating or signing the token.
-func (ti *TokenIssuerWithJWKS) IssueAccessToken(ctx context.Context, idToken *oidc.IDToken) (string, error) {
+func (ti *TokenIssuerWithJWKS) IssueAccessToken(ctx context.Context, idToken *oidc.IDToken) (string, int64, error) {
 	claims, err := ti.opts.OnTokenCreate(ctx, ti.iss, idToken)
 	if err != nil {
-		return "", fmt.Errorf("failed to create token claims: %w", err)
+		return "", 0, fmt.Errorf("failed to create token claims: %w", err)
 	}
 
 	// Ensure the "exp" claim is set to the token expiration time
 	if _, exists := claims["exp"]; !exists {
-		if slices.Contains(ti.opts.MandatoryClaims, "exp") {
-			claims["exp"] = time.Now().Add(ti.opts.TokenExpiration).Unix()
-		}
+		claims["exp"] = time.Now().Add(ti.opts.TokenExpiration).Unix()
 	}
 
 	// Ensure the "iat" claim is set to the current time
 	if _, exists := claims["iat"]; !exists {
-		if slices.Contains(ti.opts.MandatoryClaims, "iat") {
-			claims["iat"] = time.Now().Unix()
-		}
+		claims["iat"] = time.Now().Unix()
 	}
 
 	// Check for mandatory claims
 	if err := checkMandatoryClaims(claims, ti.opts.MandatoryClaims); err != nil {
-		return "", err
+		return "", 0, err
 	}
 
 	// Create a new JWT token with the required claims
@@ -135,10 +130,22 @@ func (ti *TokenIssuerWithJWKS) IssueAccessToken(ctx context.Context, idToken *oi
 	// Sign the token using the provided signer
 	tokenString, err := ti.signer.SignToken(ctx, token)
 	if err != nil {
-		return "", fmt.Errorf("failed to sign token: %w", err)
+		return "", 0, fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	expiresVal, ok := claims["exp"]
+	if !ok {
+		return "", 0, fmt.Errorf("missing 'exp' claim after setting mandatory claims")
 	}
 
-	return tokenString, nil
+	expInt, ok := expiresVal.(int64)
+	if !ok {
+		return "", 0, fmt.Errorf("'exp' claim is not an int64 or float64")
+	}
+
+	expiresIn := expInt - time.Now().Unix()
+
+	return tokenString, expiresIn, nil
 }
 
 // GetJWKS retrieves the JSON Web Key Set (JWKS) containing the public keys used to verify the signed tokens.
@@ -177,12 +184,12 @@ func NewClientCredentialIssuer(config *clientcredentials.Config) *ClientCredenti
 // Returns:
 //   - The access token as a string if successful.
 //   - An error if there is a problem generating the access token.
-func (cci *ClientCredentialIssuer) IssueAccessToken(ctx context.Context, _ *oidc.IDToken) (string, error) {
+func (cci *ClientCredentialIssuer) IssueAccessToken(ctx context.Context, _ *oidc.IDToken) (string, int64, error) {
 	// Use the client credentials config to retrieve a token
 	token, err := cci.config.Token(ctx)
 	if err != nil {
-		return "", fmt.Errorf("failed to retrieve access token: %w", err)
+		return "", 0, fmt.Errorf("failed to retrieve access token: %w", err)
 	}
 
-	return token.AccessToken, nil
+	return token.AccessToken, token.ExpiresIn, nil
 }