jwt-verify 0.1.3

use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

use reqwest::Client;
use serde::{Deserialize, Serialize};
use tracing::{debug, info, warn};

use crate::common::error::JwtError;

/// OIDC discovery document.
///
/// This struct represents the OIDC discovery document returned by the well-known
/// endpoint of an OIDC provider. It contains information about the provider's
/// endpoints, supported features, and other metadata.
///
/// # Examples
///
/// ```
/// use jwt_verify::oidc::discovery::DiscoveryDocument;
///
/// // Parse a discovery document from JSON
/// let json = r#"{
///     "issuer": "https://accounts.example.com",
///     "jwks_uri": "https://accounts.example.com/.well-known/jwks.json",
///     "authorization_endpoint": "https://accounts.example.com/oauth2/authorize",
///     "token_endpoint": "https://accounts.example.com/oauth2/token"
/// }"#;
///
/// let document: DiscoveryDocument = serde_json::from_str(json).unwrap();
/// assert_eq!(document.issuer, "https://accounts.example.com");
/// assert_eq!(document.jwks_uri, "https://accounts.example.com/.well-known/jwks.json");
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DiscoveryDocument {
    /// The issuer identifier for the OIDC provider
    pub issuer: String,
    /// URL of the OIDC provider's JSON Web Key Set document
    pub jwks_uri: String,
    /// URL of the OIDC provider's OAuth 2.0 Authorization Endpoint
    #[serde(default)]
    pub authorization_endpoint: Option<String>,
    /// URL of the OIDC provider's OAuth 2.0 Token Endpoint
    #[serde(default)]
    pub token_endpoint: Option<String>,
    /// URL of the OIDC provider's UserInfo Endpoint
    #[serde(default)]
    pub userinfo_endpoint: Option<String>,
    /// URL of the OIDC provider's End Session Endpoint
    #[serde(default)]
    pub end_session_endpoint: Option<String>,
    /// List of the OAuth 2.0 response_type values that this OIDC provider supports
    #[serde(default)]
    pub response_types_supported: Option<Vec<String>>,
    /// List of the Subject Identifier types that this OIDC provider supports
    #[serde(default)]
    pub subject_types_supported: Option<Vec<String>>,
    /// List of the JWS signing algorithms supported by the OIDC provider for the ID Token
    #[serde(default)]
    pub id_token_signing_alg_values_supported: Option<Vec<String>>,
    /// Additional fields from the discovery document
    #[serde(flatten)]
    pub additional_fields: HashMap<String, serde_json::Value>,
}

impl DiscoveryDocument {
    /// Create a new discovery document with manual configuration.
    ///
    /// This method allows creating a discovery document without fetching it from
    /// a well-known endpoint, which is useful for testing or when the provider
    /// doesn't support discovery.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer identifier for the OIDC provider
    /// * `jwks_uri` - URL of the OIDC provider's JSON Web Key Set document
    ///
    /// # Returns
    ///
    /// Returns a new `DiscoveryDocument` instance.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::DiscoveryDocument;
    ///
    /// let document = DiscoveryDocument::new(
    ///     "https://accounts.example.com",
    ///     "https://accounts.example.com/.well-known/jwks.json",
    /// );
    /// ```
    pub fn new(issuer: &str, jwks_uri: &str) -> Self {
        Self {
            issuer: issuer.to_string(),
            jwks_uri: jwks_uri.to_string(),
            authorization_endpoint: None,
            token_endpoint: None,
            userinfo_endpoint: None,
            end_session_endpoint: None,
            response_types_supported: None,
            subject_types_supported: None,
            id_token_signing_alg_values_supported: None,
            additional_fields: HashMap::new(),
        }
    }

    /// Create a new discovery document with manual configuration and additional endpoints.
    ///
    /// This method allows creating a more complete discovery document without fetching it from
    /// a well-known endpoint.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer identifier for the OIDC provider
    /// * `jwks_uri` - URL of the OIDC provider's JSON Web Key Set document
    /// * `authorization_endpoint` - Optional URL of the OIDC provider's OAuth 2.0 Authorization Endpoint
    /// * `token_endpoint` - Optional URL of the OIDC provider's OAuth 2.0 Token Endpoint
    /// * `userinfo_endpoint` - Optional URL of the OIDC provider's UserInfo Endpoint
    ///
    /// # Returns
    ///
    /// Returns a new `DiscoveryDocument` instance.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::DiscoveryDocument;
    ///
    /// let document = DiscoveryDocument::with_endpoints(
    ///     "https://accounts.example.com",
    ///     "https://accounts.example.com/.well-known/jwks.json",
    ///     Some("https://accounts.example.com/oauth2/authorize"),
    ///     Some("https://accounts.example.com/oauth2/token"),
    ///     Some("https://accounts.example.com/userinfo"),
    /// );
    /// ```
    pub fn with_endpoints(
        issuer: &str,
        jwks_uri: &str,
        authorization_endpoint: Option<&str>,
        token_endpoint: Option<&str>,
        userinfo_endpoint: Option<&str>,
    ) -> Self {
        Self {
            issuer: issuer.to_string(),
            jwks_uri: jwks_uri.to_string(),
            authorization_endpoint: authorization_endpoint.map(|s| s.to_string()),
            token_endpoint: token_endpoint.map(|s| s.to_string()),
            userinfo_endpoint: userinfo_endpoint.map(|s| s.to_string()),
            end_session_endpoint: None,
            response_types_supported: None,
            subject_types_supported: None,
            id_token_signing_alg_values_supported: None,
            additional_fields: HashMap::new(),
        }
    }

    /// Validate the discovery document.
    ///
    /// This method checks that the discovery document contains all required fields
    /// and that the issuer matches the expected value.
    ///
    /// # Parameters
    ///
    /// * `expected_issuer` - The expected issuer identifier
    ///
    /// # Returns
    ///
    /// Returns `Ok(())` if the document is valid, or a `JwtError` if validation fails.
    pub fn validate(&self, expected_issuer: &str) -> Result<(), JwtError> {
        // Check that the issuer matches the expected value
        if self.issuer != expected_issuer {
            return Err(JwtError::ConfigurationError {
                parameter: Some("issuer".to_string()),
                error: format!(
                    "Issuer mismatch: expected {}, got {}",
                    expected_issuer, self.issuer
                ),
            });
        }

        // Check that the jwks_uri is present and valid
        if self.jwks_uri.is_empty() {
            return Err(JwtError::ConfigurationError {
                parameter: Some("jwks_uri".to_string()),
                error: "JWKS URI is empty".to_string(),
            });
        }

        if !self.jwks_uri.starts_with("http://") && !self.jwks_uri.starts_with("https://") {
            return Err(JwtError::ConfigurationError {
                parameter: Some("jwks_uri".to_string()),
                error: "JWKS URI must start with http:// or https://".to_string(),
            });
        }

        Ok(())
    }
}

/// Cached discovery document with expiration.
#[derive(Debug)]
struct CachedDiscoveryDocument {
    /// The discovery document
    document: DiscoveryDocument,
    /// When the document was cached
    inserted_at: Instant,
}

/// OIDC discovery service.
///
/// This struct provides functionality for discovering OIDC provider configuration
/// from well-known endpoints. It caches discovery documents to avoid frequent HTTP
/// requests and provides methods for fetching and refreshing discovery documents.
///
/// # Examples
///
/// ```
/// use jwt_verify::oidc::discovery::OidcDiscovery;
/// use std::time::Duration;
///
/// // Create a discovery service with a 1-hour cache duration
/// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
///
/// // Discover the configuration for an OIDC provider
/// // let document = discovery.discover("https://accounts.example.com").await.unwrap();
/// ```
#[derive(Clone, Debug)]
pub struct OidcDiscovery {
    /// HTTP client for fetching discovery documents
    #[allow(dead_code)]
    client: Client,
    /// Cache of discovery documents
    cache: Arc<RwLock<HashMap<String, CachedDiscoveryDocument>>>,
    /// Duration for which discovery documents are cached
    cache_duration: Duration,
}

impl OidcDiscovery {
    /// Create a new OIDC discovery service.
    ///
    /// # Parameters
    ///
    /// * `cache_duration` - Duration for which discovery documents are cached
    ///
    /// # Returns
    ///
    /// Returns a new `OidcDiscovery` instance.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service with a 1-hour cache duration
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    /// ```
    pub fn new(cache_duration: Duration) -> Self {
        Self {
            client: Client::new(),
            cache: Arc::new(RwLock::new(HashMap::new())),
            cache_duration,
        }
    }

    /// Create a new OIDC discovery service with a custom HTTP client.
    ///
    /// This is useful for testing or when you need to customize the HTTP client.
    ///
    /// # Parameters
    ///
    /// * `client` - HTTP client to use for fetching discovery documents
    /// * `cache_duration` - Duration for which discovery documents are cached
    ///
    /// # Returns
    ///
    /// Returns a new `OidcDiscovery` instance.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    /// use reqwest::Client;
    ///
    /// // Create a custom HTTP client
    /// let client = Client::builder()
    ///     .timeout(Duration::from_secs(10))
    ///     .build()
    ///     .unwrap();
    ///
    /// // Create a discovery service with the custom client
    /// let discovery = OidcDiscovery::with_client(client, Duration::from_secs(3600));
    /// ```
    pub fn with_client(client: Client, cache_duration: Duration) -> Self {
        Self {
            client,
            cache: Arc::new(RwLock::new(HashMap::new())),
            cache_duration,
        }
    }

    /// Discover the configuration for an OIDC provider.
    ///
    /// This method fetches the discovery document from the well-known endpoint
    /// of the specified OIDC provider. It caches the document to avoid frequent
    /// HTTP requests and refreshes it when it expires.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    ///
    /// # Returns
    ///
    /// Returns a `Result` containing the discovery document if successful, or a `JwtError`
    /// if the discovery fails.
    ///
    /// # Errors
    ///
    /// Returns a `JwtError::JwksFetchError` if:
    /// - The HTTP request fails
    /// - The response is not valid JSON
    /// - The response does not contain required fields
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Discover the configuration for an OIDC provider
    /// // let document = discovery.discover("https://accounts.example.com").await.unwrap();
    /// ```
    pub async fn discover(&self, issuer: &str) -> Result<DiscoveryDocument, JwtError> {
        // Check if we have a cached document
        {
            let cache = self.cache.read().unwrap();
            if let Some(cached) = cache.get(issuer) {
                if cached.inserted_at.elapsed() < self.cache_duration {
                    debug!("Using cached discovery document for issuer: {}", issuer);
                    return Ok(cached.document.clone());
                }
                debug!(
                    "Cached discovery document for issuer {} has expired",
                    issuer
                );
            }
        }

        // Fetch the discovery document
        debug!("Fetching discovery document for issuer: {}", issuer);
        let document = self.fetch_discovery_document(issuer).await?;

        // Cache the document
        {
            let mut cache = self.cache.write().unwrap();
            cache.insert(
                issuer.to_string(),
                CachedDiscoveryDocument {
                    document: document.clone(),
                    inserted_at: Instant::now(),
                },
            );
            debug!("Cached discovery document for issuer: {}", issuer);
        }

        Ok(document)
    }

    /// Discover the configuration for an OIDC provider with manual fallback.
    ///
    /// This method attempts to fetch the discovery document from the well-known endpoint.
    /// If that fails, it falls back to the provided manual configuration.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    /// * `jwks_url` - Optional JWKS URL to use if discovery fails
    ///
    /// # Returns
    ///
    /// Returns a `Result` containing the discovery document if successful, or a `JwtError`
    /// if both discovery and fallback fail.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Discover with fallback
    /// // let document = discovery.discover_with_fallback(
    /// //     "https://accounts.example.com",
    /// //     Some("https://accounts.example.com/.well-known/jwks.json"),
    /// // ).await.unwrap();
    /// ```
    pub async fn discover_with_fallback(
        &self,
        issuer: &str,
        jwks_url: Option<&str>,
    ) -> Result<DiscoveryDocument, JwtError> {
        // Try to discover from well-known endpoint
        match self.discover(issuer).await {
            Ok(document) => {
                debug!(
                    "Successfully discovered OIDC configuration for issuer: {}",
                    issuer
                );
                Ok(document)
            }
            Err(err) => {
                // If we have a fallback JWKS URL, use it
                if let Some(jwks_url) = jwks_url {
                    warn!(
                        "Discovery failed for issuer {}, using fallback JWKS URL: {}",
                        issuer, jwks_url
                    );
                    let document = DiscoveryDocument::new(issuer, jwks_url);

                    // Cache the manual document
                    {
                        let mut cache = self.cache.write().unwrap();
                        cache.insert(
                            issuer.to_string(),
                            CachedDiscoveryDocument {
                                document: document.clone(),
                                inserted_at: Instant::now(),
                            },
                        );
                        debug!("Cached manual discovery document for issuer: {}", issuer);
                    }

                    Ok(document)
                } else {
                    // No fallback, return the error
                    Err(err)
                }
            }
        }
    }

    /// Fetch the discovery document from the well-known endpoint.
    ///
    /// This method constructs the well-known URL for the specified issuer and
    /// fetches the discovery document from that URL.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    ///
    /// # Returns
    ///
    /// Returns a `Result` containing the discovery document if successful, or a `JwtError`
    /// if the fetch fails.
    async fn fetch_discovery_document(&self, issuer: &str) -> Result<DiscoveryDocument, JwtError> {
        // Construct the well-known URL
        let well_known_url = format!(
            "{}/.well-known/openid-configuration",
            issuer.trim_end_matches('/')
        );

        debug!("Fetching discovery document from URL: {}", well_known_url);

        // Fetch the discovery document
        let response = self.client.get(&well_known_url).send().await.map_err(|e| {
            JwtError::JwksFetchError {
                url: Some(well_known_url.clone()),
                error: format!("Failed to fetch discovery document: {}", e),
            }
        })?;

        // Check if the response is successful
        if !response.status().is_success() {
            return Err(JwtError::JwksFetchError {
                url: Some(well_known_url),
                error: format!("HTTP {}", response.status()),
            });
        }

        // Parse the response as JSON
        let document: DiscoveryDocument =
            response
                .json()
                .await
                .map_err(|e| JwtError::JwksFetchError {
                    url: Some(well_known_url.clone()),
                    error: format!("Failed to parse discovery document: {}", e),
                })?;

        // Validate the document
        document
            .validate(issuer)
            .map_err(|e| JwtError::JwksFetchError {
                url: Some(well_known_url),
                error: format!("Invalid discovery document: {}", e),
            })?;

        debug!(
            "Successfully fetched discovery document for issuer: {}",
            issuer
        );
        info!("JWKS URI for issuer {}: {}", issuer, document.jwks_uri);

        Ok(document)
    }

    /// Clear the cache for a specific issuer.
    ///
    /// This method removes the cached discovery document for the specified issuer,
    /// forcing the next call to `discover` to fetch a fresh document.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Clear the cache for an issuer
    /// discovery.clear_cache("https://accounts.example.com");
    /// ```
    pub fn clear_cache(&self, issuer: &str) {
        let mut cache = self.cache.write().unwrap();
        if cache.remove(issuer).is_some() {
            debug!("Cleared cache for issuer: {}", issuer);
        }
    }

    /// Clear the entire cache.
    ///
    /// This method removes all cached discovery documents, forcing the next call
    /// to `discover` for any issuer to fetch a fresh document.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Clear the entire cache
    /// discovery.clear_all_cache();
    /// ```
    pub fn clear_all_cache(&self) {
        let mut cache = self.cache.write().unwrap();
        let count = cache.len();
        cache.clear();
        debug!("Cleared cache for {} issuers", count);
    }

    /// Get the list of cached issuers.
    ///
    /// This method returns a list of all issuer URLs that have cached discovery documents.
    ///
    /// # Returns
    ///
    /// Returns a vector of issuer URLs.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Get the list of cached issuers
    /// let issuers = discovery.get_cached_issuers();
    /// ```
    pub fn get_cached_issuers(&self) -> Vec<String> {
        let cache = self.cache.read().unwrap();
        cache.keys().cloned().collect()
    }

    /// Check if a discovery document is cached for the specified issuer.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    ///
    /// # Returns
    ///
    /// Returns `true` if a discovery document is cached for the issuer, `false` otherwise.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Check if a discovery document is cached
    /// let is_cached = discovery.is_cached("https://accounts.example.com");
    /// ```
    pub fn is_cached(&self, issuer: &str) -> bool {
        let cache = self.cache.read().unwrap();
        cache.contains_key(issuer)
    }

    /// Get the cache duration.
    ///
    /// # Returns
    ///
    /// Returns the duration for which discovery documents are cached.
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Get the cache duration
    /// let duration = discovery.get_cache_duration();
    /// assert_eq!(duration, Duration::from_secs(3600));
    /// ```
    pub fn get_cache_duration(&self) -> Duration {
        self.cache_duration
    }

    /// Set the cache duration.
    ///
    /// # Parameters
    ///
    /// * `duration` - The new cache duration
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::OidcDiscovery;
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let mut discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Set a new cache duration
    /// discovery.set_cache_duration(Duration::from_secs(7200));
    /// ```
    pub fn set_cache_duration(&mut self, duration: Duration) {
        self.cache_duration = duration;
    }

    /// Manually add a discovery document to the cache.
    ///
    /// This method allows adding a discovery document to the cache without fetching
    /// it from a well-known endpoint, which is useful for testing or when the provider
    /// doesn't support discovery.
    ///
    /// # Parameters
    ///
    /// * `issuer` - The issuer URL of the OIDC provider
    /// * `document` - The discovery document to cache
    ///
    /// # Examples
    ///
    /// ```
    /// use jwt_verify::oidc::discovery::{OidcDiscovery, DiscoveryDocument};
    /// use std::time::Duration;
    ///
    /// // Create a discovery service
    /// let discovery = OidcDiscovery::new(Duration::from_secs(3600));
    ///
    /// // Create a discovery document
    /// let document = DiscoveryDocument::new(
    ///     "https://accounts.example.com",
    ///     "https://accounts.example.com/.well-known/jwks.json",
    /// );
    ///
    /// // Add the document to the cache
    /// discovery.add_to_cache("https://accounts.example.com", document);
    /// ```
    pub fn add_to_cache(&self, issuer: &str, document: DiscoveryDocument) {
        let mut cache = self.cache.write().unwrap();
        cache.insert(
            issuer.to_string(),
            CachedDiscoveryDocument {
                document,
                inserted_at: Instant::now(),
            },
        );
        debug!(
            "Manually added discovery document to cache for issuer: {}",
            issuer
        );
    }
}
#[cfg(test)]
mod tests {
    use super::*;
    use mockito::Server;

    #[tokio::test]
    async fn test_fetch_discovery_document_success() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body(format!(
                r#"{{
                "issuer": "{}",
                "jwks_uri": "{}/.well-known/jwks.json",
                "authorization_endpoint": "{}/oauth2/authorize",
                "token_endpoint": "{}/oauth2/token"
            }}"#,
                server.url(),
                server.url(),
                server.url(),
                server.url()
            ))
            .create();

        // Create a discovery service
        let discovery = OidcDiscovery::new(Duration::from_secs(3600));

        // Fetch the discovery document
        let document = discovery
            .fetch_discovery_document(&server.url())
            .await
            .unwrap();

        // Verify the document
        assert_eq!(document.issuer, server.url());
        assert_eq!(
            document.jwks_uri,
            format!("{}/.well-known/jwks.json", server.url())
        );
        assert_eq!(
            document.authorization_endpoint,
            Some(format!("{}/oauth2/authorize", server.url()))
        );
        assert_eq!(
            document.token_endpoint,
            Some(format!("{}/oauth2/token", server.url()))
        );

        // Verify that the mock was called
        mock_server.assert();
    }

    #[tokio::test]
    async fn test_fetch_discovery_document_http_error() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(404)
            .create();

        // Create a discovery service
        let discovery = OidcDiscovery::new(Duration::from_secs(3600));

        // Fetch the discovery document
        let result = discovery.fetch_discovery_document(&server.url()).await;

        // Verify that the fetch failed
        assert!(result.is_err());
        match result.unwrap_err() {
            JwtError::JwksFetchError { url, .. } => {
                assert_eq!(
                    url,
                    Some(format!("{}/.well-known/openid-configuration", server.url()))
                );
            }
            _ => panic!("Expected JwksFetchError"),
        }

        // Verify that the mock was called
        mock_server.assert();
    }

    #[tokio::test]
    async fn test_fetch_discovery_document_invalid_json() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body("invalid json")
            .create();

        // Create a discovery service
        let discovery = OidcDiscovery::new(Duration::from_secs(3600));

        // Fetch the discovery document
        let result = discovery.fetch_discovery_document(&server.url()).await;

        // Verify that the fetch failed
        assert!(result.is_err());
        match result.unwrap_err() {
            JwtError::JwksFetchError { url, .. } => {
                assert_eq!(
                    url,
                    Some(format!("{}/.well-known/openid-configuration", server.url()))
                );
            }
            _ => panic!("Expected JwksFetchError"),
        }

        // Verify that the mock was called
        mock_server.assert();
    }

    #[tokio::test]
    async fn test_fetch_discovery_document_issuer_mismatch() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body(format!(
                r#"{{
                "issuer": "https://wrong-issuer.com",
                "jwks_uri": "{}/.well-known/jwks.json"
            }}"#,
                server.url()
            ))
            .create();

        // Create a discovery service
        let discovery = OidcDiscovery::new(Duration::from_secs(3600));

        // Fetch the discovery document
        let result = discovery.fetch_discovery_document(&server.url()).await;

        // Verify that the fetch failed
        assert!(result.is_err());
        match result.unwrap_err() {
            JwtError::JwksFetchError { url, error } => {
                assert_eq!(
                    url,
                    Some(format!("{}/.well-known/openid-configuration", server.url()))
                );
                assert!(error.contains("Issuer mismatch"));
            }
            _ => panic!("Expected JwksFetchError"),
        }

        // Verify that the mock was called
        mock_server.assert();
    }

    #[tokio::test]
    async fn test_discover_caching() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body(format!(
                r#"{{
                "issuer": "{}",
                "jwks_uri": "{}/.well-known/jwks.json"
            }}"#,
                server.url(),
                server.url()
            ))
            .expect(1) // Expect only one call
            .create();

        // Create a discovery service
        let discovery = OidcDiscovery::new(Duration::from_secs(3600));

        // Discover the configuration twice
        let document1 = discovery.discover(&server.url()).await.unwrap();
        let document2 = discovery.discover(&server.url()).await.unwrap();

        // Verify that both documents are the same
        assert_eq!(document1.issuer, document2.issuer);
        assert_eq!(document1.jwks_uri, document2.jwks_uri);

        // Verify that the mock was called only once
        mock_server.assert();
    }

    #[tokio::test]
    async fn test_discover_cache_expiration() {
        // Set up a mock server
        let mut server = Server::new_async().await;
        let mock_server = server
            .mock("GET", "/.well-known/openid-configuration")
            .with_status(200)
            .with_header("content-type", "application/json")
            .with_body(format!(
                r#"{{
                "issuer": "{}",
                "jwks_uri": "{}/.well-known/jwks.json"
            }}"#,
                server.url(),
                server.url()
            ))
            .expect(2) // Expect two calls
            .create();

        // Create a discovery service with a very short cache duration
        let discovery = OidcDiscovery::new(Duration::from_millis(1));

        // Discover the configuration
        let _ = discovery.discover(&server.url()).await.unwrap();

        // Wait for the cache to expire
        tokio::time::sleep(Duration::from_millis(10)).await;

        // Discover the configuration again
        let _ = discovery.discover(&server.url()).await.unwrap();

        // Verify that the mock was called twice
        mock_server.assert();
    }
}