Open
Description
Problem
oidc.NewProvider and other code paths use fmt.Errorf to return plain formatted errors for critical validation failures, e.g.:
oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)
Downstream code and tests can only detect this via brittle string matching. Minor wording changes break consumers.
Request
- Introduce exported typed/sentinel errors for key validation failures, starting with issuer mismatch during discovery. Example options:
  - var ErrIssuerMismatch = errors.New("...")
  - or a typed error: type IssuerMismatchError struct { Provided, Discovered string }
- Consider similar treatment for other validation/verification errors that are currently plain strings (audience mismatch, unsupported alg, malformed JWT, etc.), but issuer mismatch alone would already resolve the immediate pain.
Benefits
- Consumers can use errors.Is/errors.As for deterministic handling.
- Tests become stable across error wording changes.
- Aligns with Go best practices for programmatic error inspection.
Notes
- No behavior change requested beyond adding typed errors; existing error messages can stay the same.
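The typed-error option requested above, sketched as an added example that is not go-oidc's code: IssuerMismatchError follows the struct proposed in the issue, while checkIssuer, classify and brittleClassify are hypothetical helpers and the URLs are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IssuerMismatchError is the typed error proposed in the issue (hypothetical; not part of go-oidc).
type IssuerMismatchError struct {
	Provided, Discovered string
}

// Error keeps the existing message text, so log output does not change.
func (e *IssuerMismatchError) Error() string {
	return fmt.Sprintf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", e.Provided, e.Discovered)
}

// checkIssuer stands in for the discovery-time comparison (hypothetical helper).
func checkIssuer(provided, discovered string) error {
	if provided != discovered {
		return &IssuerMismatchError{Provided: provided, Discovered: discovered}
	}
	return nil
}

// classify is consumer-side handling that survives wrapping and message rewording.
func classify(err error) string {
	var mismatch *IssuerMismatchError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &mismatch):
		return "issuer-mismatch:" + mismatch.Discovered
	default:
		return "other"
	}
}

// brittleClassify is the substring match consumers depend on without a typed error.
func brittleClassify(err error) bool {
	return err != nil && strings.Contains(err.Error(), "did not match the issuer URL returned by provider")
}

func main() {
	// Constructed sample: a trailing slash is enough to make the two issuers differ.
	err := fmt.Errorf("provider setup: %w", checkIssuer("https://idp.example.com", "https://idp.example.com/"))
	fmt.Println(classify(err), brittleClassify(err))
}
```

Because the mismatch is carried as a value, a caller can log or alert on the discovered issuer without parsing the message text.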