use oauth lib for oidc

let the lib do the work instead of building requests and urls
uses the well-known endpoint
fixes the urls only working on fief

Author: prmths128

carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py

@@ -8,12 +8,18 @@
 from typing import Any, Dict, Optional, Tuple
 
 from authlib.integrations.starlette_client import OAuth
+from authlib.jose import JsonWebKey
+from authlib.jose import jwt as jose_jwt
+from fief_client import FiefAsync
 
 from carbonserver.config import settings
 
 DEFAULT_SIGNATURE_CACHE_TTL = 3600  # seconds
 OAUTH_SCOPES = ["openid", "email", "profile"]
 
+fief = FiefAsync(
+    settings.fief_url, settings.fief_client_id, settings.fief_client_secret
+)
 
 oauth = OAuth()
 oauth.register(
@@ -44,3 +50,20 @@ async def get_authorize_url(self, request, login_url):
 
     def get_client_credentials(self) -> Tuple[str, str]:
         return (self.client.client_id, self.client.client_secret)
+
+    async def _decode_token(self, token: str) -> Dict[str, Any]:
+        try:
+            access_token_info = await fief.validate_access_token(token)
+            return access_token_info
+        except Exception:
+            ...
+
+        jwks_data = await self.client.fetch_jwk_set()
+        keyset = JsonWebKey.import_key_set(jwks_data)
+        claims = jose_jwt.decode(token, keyset)
+        claims.validate()
+        return dict(claims)
+
+    async def validate_access_token(self, token: str) -> bool:
+        await self._decode_token(token)
+        return True