ConsumeAuthCode checks that the provided auth code has not expired, consumes it (making it unusable again), and returning the identity it is associated with.

NewAuthCode generates a new auth code for the identity using the configured or default expiry time.

NewRefreshToken generates a new refresh token for the identity using the configured or default expiry time.

RevokeRefreshToken will delete (revoke) the provided refresh token, which will prevent it from being used again.

RotateRefreshToken validates that the provided refresh token has not expired, and then rotates it for a new refresh token with the exact same expiry time and identity.

ValidateRefreshToken validates that the provided refresh token has no expired, and also returns the identity it is associated with.

VerifyIdToken will verify the ID token from an OpenID Connect provider.

https://pkg.go.dev/github.com/golang-jwt/jwt/v4#RegisteredClaims.

https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims.