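// Package oidc provides OIDC token verification for SPIRE workload attestation.
package oidc

import (
	"context"
	"fmt"
	"net/url"
)

// Config holds OIDC verifier configuration.
//
// Issuer and Audience are both mandatory: a verifier that does not pin the
// audience will accept any token the issuer minted for some other relying
// party, which is the classic token-confusion bug in OIDC consumers.
type Config struct {
	// Issuer is the expected OIDC issuer URL. It must be an absolute URL;
	// it is compared against the token's `iss` claim and, when JWKSURL is
	// empty, used as the base for discovery.
	Issuer string
	// Audience is the expected token audience (matched against `aud`).
	// Required; there is deliberately no "accept any audience" mode.
	Audience string
	// JWKSURL overrides automatic OIDC discovery for the JWKS endpoint.
	// When set it must be an absolute https URL: the key set fetched here
	// is the trust root for every signature check, so fetching it over
	// plain HTTP would let an on-path attacker substitute signing keys.
	JWKSURL string
}

// Claims represents the verified claims from an OIDC token.
//
// Email and Groups are only populated if the token carries them; callers
// must not assume they are present.
type Claims struct {
	Subject  string
	Issuer   string
	Audience []string
	Email    string
	Groups   []string
}

// Verifier validates OIDC tokens and extracts claims.
type Verifier interface {
	// Verify validates the token and returns the claims. An error is
	// returned for any token that fails signature, issuer, audience or
	// expiry checks; callers must treat a non-nil error as "not trusted".
	Verify(ctx context.Context, rawToken string) (*Claims, error)
}

// NewVerifier creates an OIDC token verifier from the given configuration.
//
// The configuration is validated eagerly so that misconfiguration (missing
// audience, insecure JWKS URL) is rejected at startup rather than silently
// weakening every later Verify call. It returns an error if cfg is invalid.
//
// NOTE: discovery and JWKS-backed validation are not implemented yet, so a
// valid configuration currently still yields an error rather than a usable
// Verifier.
func NewVerifier(cfg Config) (Verifier, error) {
	if cfg.Issuer == "" {
		return nil, fmt.Errorf("oidc: issuer is required")
	}
	if u, err := url.Parse(cfg.Issuer); err != nil || !u.IsAbs() || u.Host == "" {
		return nil, fmt.Errorf("oidc: issuer must be an absolute URL")
	}
	// Audience is mandatory: omitting the `aud` check would accept tokens
	// issued for unrelated clients of the same issuer.
	if cfg.Audience == "" {
		return nil, fmt.Errorf("oidc: audience is required")
	}
	if cfg.JWKSURL != "" {
		u, err := url.Parse(cfg.JWKSURL)
		if err != nil || !u.IsAbs() || u.Host == "" {
			return nil, fmt.Errorf("oidc: jwks_url must be an absolute URL")
		}
		// The JWKS is the signature trust root; never fetch it unauthenticated.
		if u.Scheme != "https" {
			return nil, fmt.Errorf("oidc: jwks_url must use https")
		}
	}
	// TODO: implement — fetch OIDC discovery document, configure JWKS validation
	return nil, fmt.Errorf("oidc: not yet implemented")
}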