From 86c791b8a68016d7eebd9fb2126d5bfc6219ee42 Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Thu, 22 Jun 2023 15:12:33 -0700
Subject: [PATCH] reorganize federation domain packages to be more intuitive

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
---
 .../active_directory_upstream_watcher.go      |  2 +-
 .../active_directory_upstream_watcher_test.go |  6 +-
 .../federation_domain_watcher.go              |  2 +-
 .../federation_domain_watcher_test.go         |  2 +-
 .../ldap_upstream_watcher.go                  |  2 +-
 .../ldap_upstream_watcher_test.go             |  6 +-
 .../oidcclientwatcher/oidc_client_watcher.go  |  2 +-
 .../oidc_upstream_watcher.go                  |  4 +-
 .../oidc_upstream_watcher_test.go             |  8 +-
 .../upstreamwatchers/upstream_watchers.go     |  2 +-
 .../supervisorstorage/garbage_collector.go    |  6 +-
 .../garbage_collector_test.go                 | 10 +-
 .../clientregistry/clientregistry.go          |  4 +-
 .../clientregistry/clientregistry_test.go     |  4 +-
 .../provider => federationdomain}/csp/csp.go  |  2 +-
 .../csp/csp_test.go                           |  2 +-
 .../csrftoken/csrftoken.go                    |  2 +-
 .../csrftoken/csrftoken_test.go               |  2 +-
 .../downstreamsession/downstream_session.go   |  4 +-
 .../downstream_session_test.go                |  0
 .../dynamiccodec/codec.go                     |  4 +-
 .../dynamiccodec/codec_test.go                |  2 +-
 .../dynamic_tls_cert_provider.go              |  4 +-
 .../dynamic_upstream_idp_provider.go          |  4 +-
 .../endpoints}/auth/auth_handler.go           | 16 ++--
 .../endpoints}/auth/auth_handler_test.go      | 19 ++--
 .../endpoints}/callback/callback_handler.go   |  8 +-
 .../callback/callback_handler_test.go         |  9 +-
 .../endpoints}/discovery/discovery_handler.go |  2 +-
 .../discovery/discovery_handler_test.go       |  2 +-
 .../idpdiscovery/idp_discovery_handler.go     |  2 +-
 .../idp_discovery_handler_test.go             |  2 +-
 .../endpoints}/jwks/dynamic_jwks_provider.go  |  2 +-
 .../endpoints}/jwks/jwks_handler.go           |  2 +-
 .../endpoints}/jwks/jwks_handler_test.go      |  2 +-
 .../endpoints}/login/get_login_handler.go     |  6 +-
 .../login/get_login_handler_test.go           |  6 +-
 .../endpoints}/login/login_handler.go         |  8 +-
 .../endpoints}/login/login_handler_test.go    |  4 +-
 .../endpoints}/login/loginhtml/login_form.css |  2 +-
 .../login/loginhtml/login_form.gohtml         |  2 +-
 .../endpoints}/login/loginhtml/loginhtml.go   |  4 +-
 .../login/loginhtml/loginhtml_test.go         |  6 +-
 .../endpoints}/login/post_login_handler.go    |  6 +-
 .../login/post_login_handler_test.go          |  9 +-
 .../endpoints}/token/token_handler.go         | 10 +-
 .../endpoints}/token/token_handler_test.go    | 47 +++++-----
 .../tokenexchange}/token_exchange.go          | 28 +++---
 .../endpointsmanager}/manager.go              | 35 +++----
 .../endpointsmanager}/manager_test.go         | 10 +-
 ...domain_identity_providers_lister_finder.go |  4 +-
 .../federation_domain_issuer.go               |  0
 .../federation_domain_issuer_test.go          |  0
 .../formposthtml/form_post.css                |  2 +-
 .../formposthtml/form_post.gohtml             |  2 +-
 .../formposthtml/form_post.js                 |  2 +-
 .../formposthtml/formposthtml.go              |  4 +-
 .../formposthtml/formposthtml_test.go         |  2 +-
 .../idplister/upstream_idp_lister.go          |  2 +-
 internal/{ => federationdomain}/oidc/oidc.go  | 92 +++----------------
 .../oidcclientvalidator.go                    |  0
 .../resolvedprovider/resolved_provider.go     |  5 +-
 .../storage}/dynamic_global_secret_config.go  |  4 +-
 .../storage}/kube_storage.go                  |  9 +-
 .../storage/null_storage.go}                  |  6 +-
 .../strategy}/dynamic_oauth2_hmac_strategy.go | 40 ++++----
 .../dynamic_oauth2_hmac_strategy_test.go      | 12 +--
 .../dynamic_open_id_connect_ecdsa_strategy.go | 20 ++--
 ...mic_open_id_connect_ecdsa_strategy_test.go |  8 +-
 .../timeouts/timeouts_configuration.go        | 74 +++++++++++++++
 .../upstreamprovider/upsteam_provider.go      |  0
 .../fositestorage/accesstoken/accesstoken.go  |  2 +-
 .../accesstoken/accesstoken_test.go           |  2 +-
 .../authorizationcode/authorizationcode.go    |  2 +-
 .../authorizationcode_test.go                 |  2 +-
 internal/fositestorage/fositestorage.go       |  4 +-
 .../openidconnect/openidconnect.go            |  2 +-
 .../openidconnect/openidconnect_test.go       |  2 +-
 internal/fositestorage/pkce/pkce.go           |  2 +-
 internal/fositestorage/pkce/pkce_test.go      |  2 +-
 .../refreshtoken/refreshtoken.go              |  2 +-
 .../refreshtoken/refreshtoken_test.go         |  2 +-
 internal/mocks/issuermocks/generate.go        |  4 +-
 internal/mocks/issuermocks/issuermocks.go     |  2 +-
 .../generate.go                               |  2 +-
 .../mockupstreamoidcidentityprovider.go       |  4 +-
 internal/supervisor/server/server.go          | 19 ++--
 internal/testutil/oidcclient_test.go          |  6 +-
 .../testutil/oidctestutil/oidctestutil.go     | 24 ++---
 internal/upstreamldap/upstreamldap.go         |  4 +-
 internal/upstreamldap/upstreamldap_test.go    |  2 +-
 internal/upstreamoidc/upstreamoidc.go         |  8 +-
 internal/upstreamoidc/upstreamoidc_test.go    |  8 +-
 pkg/oidcclient/login.go                       |  2 +-
 pkg/oidcclient/login_test.go                  |  2 +-
 proposals/1113_ldap-ad-web-ui/README.md       |  2 +-
 .../docs/reference/code-walkthrough.md        | 18 ++--
 test/integration/formposthtml_test.go         |  2 +-
 test/integration/supervisor_login_test.go     |  9 +-
 test/integration/supervisor_storage_test.go   |  4 +-
 test/integration/supervisor_warnings_test.go  |  9 +-
 101 files changed, 401 insertions(+), 377 deletions(-)
 rename internal/{oidc => federationdomain}/clientregistry/clientregistry.go (98%)
 rename internal/{oidc => federationdomain}/clientregistry/clientregistry_test.go (99%)
 rename internal/{oidc/provider => federationdomain}/csp/csp.go (81%)
 rename internal/{oidc/provider => federationdomain}/csp/csp_test.go (81%)
 rename internal/{oidc => federationdomain}/csrftoken/csrftoken.go (87%)
 rename internal/{oidc => federationdomain}/csrftoken/csrftoken_test.go (84%)
 rename internal/{oidc => federationdomain}/downstreamsession/downstream_session.go (99%)
 rename internal/{oidc => federationdomain}/downstreamsession/downstream_session_test.go (100%)
 rename internal/{oidc => federationdomain}/dynamiccodec/codec.go (93%)
 rename internal/{oidc => federationdomain}/dynamiccodec/codec_test.go (98%)
 rename internal/{oidc/provider => federationdomain/dynamictlscertprovider}/dynamic_tls_cert_provider.go (93%)
 rename internal/{oidc/provider => federationdomain/dynamicupstreamprovider}/dynamic_upstream_idp_provider.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/auth/auth_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/auth/auth_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/callback/callback_handler.go (95%)
 rename internal/{oidc => federationdomain/endpoints}/callback/callback_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/discovery/discovery_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/discovery/discovery_handler_test.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/idpdiscovery/idp_discovery_handler.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/idpdiscovery/idp_discovery_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/dynamic_jwks_provider.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/jwks_handler.go (92%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/jwks_handler_test.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/login/get_login_handler.go (84%)
 rename internal/{oidc => federationdomain/endpoints}/login/get_login_handler_test.go (95%)
 rename internal/{oidc => federationdomain/endpoints}/login/login_handler.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/login/login_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/login_form.css (96%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/login_form.gohtml (99%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/loginhtml.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/loginhtml_test.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/login/post_login_handler.go (96%)
 rename internal/{oidc => federationdomain/endpoints}/login/post_login_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/token/token_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/token/token_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints/tokenexchange}/token_exchange.go (91%)
 rename internal/{oidc/provider/manager => federationdomain/endpointsmanager}/manager.go (86%)
 rename internal/{oidc/provider/manager => federationdomain/endpointsmanager}/manager_test.go (98%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_identity_providers_lister_finder.go (98%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_issuer.go (100%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_issuer_test.go (100%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.css (97%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.gohtml (94%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.js (98%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/formposthtml.go (94%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/formposthtml_test.go (99%)
 rename internal/{oidc => federationdomain}/idplister/upstream_idp_lister.go (92%)
 rename internal/{ => federationdomain}/oidc/oidc.go (70%)
 rename internal/{oidc => federationdomain}/oidcclientvalidator/oidcclientvalidator.go (100%)
 rename internal/{oidc/provider => federationdomain}/resolvedprovider/resolved_provider.go (87%)
 rename internal/{oidc => federationdomain/storage}/dynamic_global_secret_config.go (96%)
 rename internal/{oidc => federationdomain/storage}/kube_storage.go (97%)
 rename internal/{oidc/nullstorage.go => federationdomain/storage/null_storage.go} (96%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_oauth2_hmac_strategy.go (81%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_oauth2_hmac_strategy_test.go (97%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_open_id_connect_ecdsa_strategy.go (79%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_open_id_connect_ecdsa_strategy_test.go (95%)
 create mode 100644 internal/federationdomain/timeouts/timeouts_configuration.go
 rename internal/{oidc/provider => federationdomain}/upstreamprovider/upsteam_provider.go (100%)

diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index b1f21496..139592f0 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -26,7 +26,7 @@ import (
 	"go.pinniped.dev/internal/controller/conditionsutil"
 	"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 	"go.pinniped.dev/internal/controllerlib"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
index c223441d..f88287a0 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -29,9 +29,9 @@ import (
 	"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/endpointaddr"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/mocks/mockldapconn"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/upstreamldap"
 )
@@ -2010,7 +2010,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 			fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 			kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
-			cache := provider.NewDynamicUpstreamIDPProvider()
+			cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 			cache.SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
 				upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
 			})
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go
index 0d68339e..3923b498 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@@ -25,8 +25,8 @@ import (
 	"go.pinniped.dev/internal/celtransformer"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 	"go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher_test.go b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
index 67b89394..0e75cdd3 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher_test.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
@@ -27,8 +27,8 @@ import (
 	pinnipedfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 	"go.pinniped.dev/internal/testutil"
 )
 
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
index fcf3a7e3..fe129588 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
@@ -20,7 +20,7 @@ import (
 	"go.pinniped.dev/internal/controller/conditionsutil"
 	"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 	"go.pinniped.dev/internal/controllerlib"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
index 46b0b1a8..4da28673 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -28,9 +28,9 @@ import (
 	"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/endpointaddr"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/mocks/mockldapconn"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/upstreamldap"
 )
@@ -1139,7 +1139,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 			pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 			fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 			kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
-			cache := provider.NewDynamicUpstreamIDPProvider()
+			cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 			cache.SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
 				upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
 			})
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index fbd54d41..3209a7f2 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -21,7 +21,7 @@ import (
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/conditionsutil"
 	"go.pinniped.dev/internal/controllerlib"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 	"go.pinniped.dev/internal/plog"
 )
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
index f56e4fc9..0f91d0d6 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -34,8 +34,8 @@ import (
 	"go.pinniped.dev/internal/controller/conditionsutil"
 	"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/net/phttp"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/upstreamoidc"
 )
@@ -94,7 +94,7 @@ type UpstreamOIDCIdentityProviderICache interface {
 	SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI)
 }
 
-// lruValidatorCache caches the *oidc.Provider associated with a particular issuer/TLS configuration.
+// lruValidatorCache caches the *coreosoidc.Provider associated with a particular issuer/TLS configuration.
 type lruValidatorCache struct{ cache *cache.Expiring }
 
 type lruValidatorCacheEntry struct {
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
index c8e392ae..c6a63698 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
@@ -28,8 +28,8 @@ import (
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/controllerlib"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
@@ -81,7 +81,7 @@ func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
 			pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 			fakeKubeClient := fake.NewSimpleClientset()
 			kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
-			cache := provider.NewDynamicUpstreamIDPProvider()
+			cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 			cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
 				&upstreamoidc.ProviderConfig{Name: "initial-entry"},
 			})
@@ -1416,7 +1416,7 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
 			fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 			kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
 			testLog := testlogger.NewLegacy(t) //nolint:staticcheck  // old test with lots of log statements
-			cache := provider.NewDynamicUpstreamIDPProvider()
+			cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 			cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
 				&upstreamoidc.ProviderConfig{Name: "initial-entry"},
 			})
diff --git a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
index 114a66b5..0417463f 100644
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -16,7 +16,7 @@ import (
 
 	"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	"go.pinniped.dev/internal/constable"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorstorage/garbage_collector.go b/internal/controller/supervisorstorage/garbage_collector.go
index 0006f687..4a736463 100644
--- a/internal/controller/supervisorstorage/garbage_collector.go
+++ b/internal/controller/supervisorstorage/garbage_collector.go
@@ -21,13 +21,13 @@ import (
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/fositestorage/accesstoken"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/fositestorage/openidconnect"
 	"go.pinniped.dev/internal/fositestorage/pkce"
 	"go.pinniped.dev/internal/fositestorage/refreshtoken"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/psession"
 )
@@ -144,7 +144,7 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
 				// cleaning them out of etcd storage.
 				fourHoursAgo := frozenClock.Now().Add(-4 * time.Hour)
 				nowIsLessThanFourHoursBeyondSecretGCTime := garbageCollectAfterTime.After(fourHoursAgo)
-				if errors.As(revokeErr, &provider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
+				if errors.As(revokeErr, &dynamicupstreamprovider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
 					// Hasn't been very long since secret expired, so skip deletion to try revocation again later.
 					plog.Trace("garbage collector keeping Secret to retry upstream OIDC token revocation later", logKV(secret)...)
 					continue
diff --git a/internal/controller/supervisorstorage/garbage_collector_test.go b/internal/controller/supervisorstorage/garbage_collector_test.go
index 1e23b143..79e1c8c0 100644
--- a/internal/controller/supervisorstorage/garbage_collector_test.go
+++ b/internal/controller/supervisorstorage/garbage_collector_test.go
@@ -25,12 +25,12 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 
 	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/fositestorage/accesstoken"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/fositestorage/refreshtoken"
-	"go.pinniped.dev/internal/oidc/clientregistry"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
@@ -138,7 +138,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 
 		// Defer starting the informers until the last possible moment so that the
 		// nested Before's can keep adding things to the informer caches.
-		var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) {
+		var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) {
 			// Set this at the last second to allow for injection of server override.
 			subject = GarbageCollectorController(
 				idpCache,
@@ -774,7 +774,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 					WithName("upstream-oidc-provider-name").
 					WithResourceUID("upstream-oidc-provider-uid").
 					// make the upstream revocation fail in a retryable way
-					WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
+					WithRevokeTokenError(dynamicupstreamprovider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
 				idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
 
 				startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/federationdomain/clientregistry/clientregistry.go
similarity index 98%
rename from internal/oidc/clientregistry/clientregistry.go
rename to internal/federationdomain/clientregistry/clientregistry.go
index e1d87abb..7dfa7d9f 100644
--- a/internal/oidc/clientregistry/clientregistry.go
+++ b/internal/federationdomain/clientregistry/clientregistry.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package clientregistry defines Pinniped's OAuth2/OIDC clients.
@@ -18,7 +18,7 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 	"go.pinniped.dev/internal/plog"
 )
diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/federationdomain/clientregistry/clientregistry_test.go
similarity index 99%
rename from internal/oidc/clientregistry/clientregistry_test.go
rename to internal/federationdomain/clientregistry/clientregistry_test.go
index 03651421..4c33dfcc 100644
--- a/internal/oidc/clientregistry/clientregistry_test.go
+++ b/internal/federationdomain/clientregistry/clientregistry_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package clientregistry
@@ -21,7 +21,7 @@ import (
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/oidc/provider/csp/csp.go b/internal/federationdomain/csp/csp.go
similarity index 81%
rename from internal/oidc/provider/csp/csp.go
rename to internal/federationdomain/csp/csp.go
index d3f97e50..8487ca0d 100644
--- a/internal/oidc/provider/csp/csp.go
+++ b/internal/federationdomain/csp/csp.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package csp defines helpers related to HTML Content Security Policies.
diff --git a/internal/oidc/provider/csp/csp_test.go b/internal/federationdomain/csp/csp_test.go
similarity index 81%
rename from internal/oidc/provider/csp/csp_test.go
rename to internal/federationdomain/csp/csp_test.go
index 746d5822..5fa50697 100644
--- a/internal/oidc/provider/csp/csp_test.go
+++ b/internal/federationdomain/csp/csp_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package csp
diff --git a/internal/oidc/csrftoken/csrftoken.go b/internal/federationdomain/csrftoken/csrftoken.go
similarity index 87%
rename from internal/oidc/csrftoken/csrftoken.go
rename to internal/federationdomain/csrftoken/csrftoken.go
index bc7b713c..c1d79fe8 100644
--- a/internal/oidc/csrftoken/csrftoken.go
+++ b/internal/federationdomain/csrftoken/csrftoken.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package csrftoken
diff --git a/internal/oidc/csrftoken/csrftoken_test.go b/internal/federationdomain/csrftoken/csrftoken_test.go
similarity index 84%
rename from internal/oidc/csrftoken/csrftoken_test.go
rename to internal/federationdomain/csrftoken/csrftoken_test.go
index 61030731..3c8f6e1e 100644
--- a/internal/oidc/csrftoken/csrftoken_test.go
+++ b/internal/federationdomain/csrftoken/csrftoken_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package csrftoken
diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/federationdomain/downstreamsession/downstream_session.go
similarity index 99%
rename from internal/oidc/downstreamsession/downstream_session.go
rename to internal/federationdomain/downstreamsession/downstream_session.go
index f40bdff8..6a5f70fe 100644
--- a/internal/oidc/downstreamsession/downstream_session.go
+++ b/internal/federationdomain/downstreamsession/downstream_session.go
@@ -20,9 +20,9 @@ import (
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	"go.pinniped.dev/internal/authenticators"
 	"go.pinniped.dev/internal/constable"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/pkg/oidcclient/oidctypes"
diff --git a/internal/oidc/downstreamsession/downstream_session_test.go b/internal/federationdomain/downstreamsession/downstream_session_test.go
similarity index 100%
rename from internal/oidc/downstreamsession/downstream_session_test.go
rename to internal/federationdomain/downstreamsession/downstream_session_test.go
diff --git a/internal/oidc/dynamiccodec/codec.go b/internal/federationdomain/dynamiccodec/codec.go
similarity index 93%
rename from internal/oidc/dynamiccodec/codec.go
rename to internal/federationdomain/dynamiccodec/codec.go
index 5168b2b7..36e9a8e9 100644
--- a/internal/oidc/dynamiccodec/codec.go
+++ b/internal/federationdomain/dynamiccodec/codec.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package dynamiccodec provides a type that can encode information using a just-in-time signing and
@@ -10,7 +10,7 @@ import (
 
 	"github.com/gorilla/securecookie"
 
-	"go.pinniped.dev/internal/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 var _ oidc.Codec = &Codec{}
diff --git a/internal/oidc/dynamiccodec/codec_test.go b/internal/federationdomain/dynamiccodec/codec_test.go
similarity index 98%
rename from internal/oidc/dynamiccodec/codec_test.go
rename to internal/federationdomain/dynamiccodec/codec_test.go
index bcff2d03..d6c85357 100644
--- a/internal/oidc/dynamiccodec/codec_test.go
+++ b/internal/federationdomain/dynamiccodec/codec_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package dynamiccodec
diff --git a/internal/oidc/provider/dynamic_tls_cert_provider.go b/internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
similarity index 93%
rename from internal/oidc/provider/dynamic_tls_cert_provider.go
rename to internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
index 7c48ad9c..a27f2ef4 100644
--- a/internal/oidc/provider/dynamic_tls_cert_provider.go
+++ b/internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
@@ -1,7 +1,7 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package provider
+package dynamictlscertprovider
 
 import (
 	"crypto/tls"
diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
similarity index 97%
rename from internal/oidc/provider/dynamic_upstream_idp_provider.go
rename to internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
index e9a4333a..bb92e610 100644
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
@@ -1,13 +1,13 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package provider
+package dynamicupstreamprovider
 
 import (
 	"fmt"
 	"sync"
 
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 )
 
 type DynamicUpstreamIDPProvider interface {
diff --git a/internal/oidc/auth/auth_handler.go b/internal/federationdomain/endpoints/auth/auth_handler.go
similarity index 98%
rename from internal/oidc/auth/auth_handler.go
rename to internal/federationdomain/endpoints/auth/auth_handler.go
index 3ea3e7ca..e091a465 100644
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler.go
@@ -16,17 +16,17 @@ import (
 	"golang.org/x/oauth2"
 
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/csrftoken"
+	"go.pinniped.dev/internal/federationdomain/downstreamsession"
+	"go.pinniped.dev/internal/federationdomain/endpoints/login"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/formposthtml"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/resolvedprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/httputil/securityheader"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/csrftoken"
-	"go.pinniped.dev/internal/oidc/downstreamsession"
-	"go.pinniped.dev/internal/oidc/login"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
-	"go.pinniped.dev/internal/oidc/provider/formposthtml"
-	"go.pinniped.dev/internal/oidc/provider/resolvedprovider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/federationdomain/endpoints/auth/auth_handler_test.go
similarity index 99%
rename from internal/oidc/auth/auth_handler_test.go
rename to internal/federationdomain/endpoints/auth/auth_handler_test.go
index 5a6a1087..cb475087 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler_test.go
@@ -30,11 +30,12 @@ import (
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	"go.pinniped.dev/internal/authenticators"
+	"go.pinniped.dev/internal/federationdomain/csrftoken"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/csrftoken"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
@@ -232,18 +233,18 @@ func TestAuthorizationEndpoint(t *testing.T) {
 	jwksProviderIsUnused := jwks.NewDynamicJWKSProvider()
 	timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
 
-	createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.KubeStorage) {
+	createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *storage.KubeStorage) {
 		// Configure fosite the same way that the production code would when using Kube storage.
 		// Inject this into our test subject at the last second so we get a fresh storage for every test.
 		// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
-		kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
+		kubeOauthStore := storage.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
 		return oidc.FositeOauth2Helper(kubeOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), kubeOauthStore
 	}
 
-	createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.NullStorage) {
+	createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *storage.NullStorage) {
 		// Configure fosite the same way that the production code would, using NullStorage to turn off storage.
 		// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
-		nullOauthStore := oidc.NewNullStorage(secretsClient, oidcClientsClient, bcrypt.MinCost)
+		nullOauthStore := storage.NewNullStorage(secretsClient, oidcClientsClient, bcrypt.MinCost)
 		return oidc.FositeOauth2Helper(nullOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), nullOauthStore
 	}
 
@@ -3175,7 +3176,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 		},
 	}
 
-	runOneTestCase := func(t *testing.T, test testCase, subject http.Handler, kubeOauthStore *oidc.KubeStorage, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset, secretsClient v1.SecretInterface) {
+	runOneTestCase := func(t *testing.T, test testCase, subject http.Handler, kubeOauthStore *storage.KubeStorage, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset, secretsClient v1.SecretInterface) {
 		if test.kubeResources != nil {
 			test.kubeResources(t, supervisorClient, kubeClient)
 		}
diff --git a/internal/oidc/callback/callback_handler.go b/internal/federationdomain/endpoints/callback/callback_handler.go
similarity index 95%
rename from internal/oidc/callback/callback_handler.go
rename to internal/federationdomain/endpoints/callback/callback_handler.go
index 5613108c..8ddb4b2a 100644
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler.go
@@ -10,12 +10,12 @@ import (
 
 	"github.com/ory/fosite"
 
+	"go.pinniped.dev/internal/federationdomain/downstreamsession"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/formposthtml"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/httputil/securityheader"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/downstreamsession"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
-	"go.pinniped.dev/internal/oidc/provider/formposthtml"
 	"go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/federationdomain/endpoints/callback/callback_handler_test.go
similarity index 99%
rename from internal/oidc/callback/callback_handler_test.go
rename to internal/federationdomain/endpoints/callback/callback_handler_test.go
index 5670ef3f..15ec387b 100644
--- a/internal/oidc/callback/callback_handler_test.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler_test.go
@@ -21,9 +21,10 @@ import (
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
@@ -1451,7 +1452,7 @@ func TestCallbackEndpoint(t *testing.T) {
 			// Inject this into our test subject at the last second so we get a fresh storage for every test.
 			timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
 			// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
-			oauthStore := oidc.NewKubeStorage(secrets, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
+			oauthStore := storage.NewKubeStorage(secrets, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
 			hmacSecretFunc := func() []byte { return []byte("some secret - must have at least 32 bytes") }
 			require.GreaterOrEqual(t, len(hmacSecretFunc()), 32, "fosite requires that hmac secrets have at least 32 bytes")
 			jwksProviderIsUnused := jwks.NewDynamicJWKSProvider()
diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/federationdomain/endpoints/discovery/discovery_handler.go
similarity index 98%
rename from internal/oidc/discovery/discovery_handler.go
rename to internal/federationdomain/endpoints/discovery/discovery_handler.go
index 60609c3d..b7389a84 100644
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/federationdomain/endpoints/discovery/discovery_handler.go
@@ -11,7 +11,7 @@ import (
 
 	"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
-	"go.pinniped.dev/internal/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 // Metadata holds all fields (that we care about) from the OpenID Provider Metadata section in the
diff --git a/internal/oidc/discovery/discovery_handler_test.go b/internal/federationdomain/endpoints/discovery/discovery_handler_test.go
similarity index 98%
rename from internal/oidc/discovery/discovery_handler_test.go
rename to internal/federationdomain/endpoints/discovery/discovery_handler_test.go
index 6896b564..cd205974 100644
--- a/internal/oidc/discovery/discovery_handler_test.go
+++ b/internal/federationdomain/endpoints/discovery/discovery_handler_test.go
@@ -10,8 +10,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/internal/oidc"
 )
 
 func TestDiscovery(t *testing.T) {
diff --git a/internal/oidc/idpdiscovery/idp_discovery_handler.go b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
similarity index 97%
rename from internal/oidc/idpdiscovery/idp_discovery_handler.go
rename to internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
index d9034828..5efb9a57 100644
--- a/internal/oidc/idpdiscovery/idp_discovery_handler.go
+++ b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
@@ -11,7 +11,7 @@ import (
 	"sort"
 
 	"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 )
 
 // NewHandler returns an http.Handler that serves the upstream IDP discovery endpoint.
diff --git a/internal/oidc/idpdiscovery/idp_discovery_handler_test.go b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
similarity index 99%
rename from internal/oidc/idpdiscovery/idp_discovery_handler_test.go
rename to internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
index 9a7fedf2..5257c254 100644
--- a/internal/oidc/idpdiscovery/idp_discovery_handler_test.go
+++ b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
@@ -10,8 +10,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/here"
-	"go.pinniped.dev/internal/oidc"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
 )
 
diff --git a/internal/oidc/jwks/dynamic_jwks_provider.go b/internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
similarity index 94%
rename from internal/oidc/jwks/dynamic_jwks_provider.go
rename to internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
index fa156e3c..cb8f8e41 100644
--- a/internal/oidc/jwks/dynamic_jwks_provider.go
+++ b/internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package jwks
diff --git a/internal/oidc/jwks/jwks_handler.go b/internal/federationdomain/endpoints/jwks/jwks_handler.go
similarity index 92%
rename from internal/oidc/jwks/jwks_handler.go
rename to internal/federationdomain/endpoints/jwks/jwks_handler.go
index 2c975e95..1d9eb7df 100644
--- a/internal/oidc/jwks/jwks_handler.go
+++ b/internal/federationdomain/endpoints/jwks/jwks_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package discovery provides a handler for the OIDC discovery endpoint.
diff --git a/internal/oidc/jwks/jwks_handler_test.go b/internal/federationdomain/endpoints/jwks/jwks_handler_test.go
similarity index 97%
rename from internal/oidc/jwks/jwks_handler_test.go
rename to internal/federationdomain/endpoints/jwks/jwks_handler_test.go
index 37f53e8c..69d624ce 100644
--- a/internal/oidc/jwks/jwks_handler_test.go
+++ b/internal/federationdomain/endpoints/jwks/jwks_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package jwks
diff --git a/internal/oidc/login/get_login_handler.go b/internal/federationdomain/endpoints/login/get_login_handler.go
similarity index 84%
rename from internal/oidc/login/get_login_handler.go
rename to internal/federationdomain/endpoints/login/get_login_handler.go
index d6da85a6..567e6a9e 100644
--- a/internal/oidc/login/get_login_handler.go
+++ b/internal/federationdomain/endpoints/login/get_login_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -6,8 +6,8 @@ package login
 import (
 	"net/http"
 
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/login/loginhtml"
+	"go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 const (
diff --git a/internal/oidc/login/get_login_handler_test.go b/internal/federationdomain/endpoints/login/get_login_handler_test.go
similarity index 95%
rename from internal/oidc/login/get_login_handler_test.go
rename to internal/federationdomain/endpoints/login/get_login_handler_test.go
index 30567309..74405d49 100644
--- a/internal/oidc/login/get_login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/get_login_handler_test.go
@@ -10,9 +10,9 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/idplister"
-	"go.pinniped.dev/internal/oidc/login/loginhtml"
+	"go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+	"go.pinniped.dev/internal/federationdomain/idplister"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/testutil"
 )
 
diff --git a/internal/oidc/login/login_handler.go b/internal/federationdomain/endpoints/login/login_handler.go
similarity index 94%
rename from internal/oidc/login/login_handler.go
rename to internal/federationdomain/endpoints/login/login_handler.go
index 1b358f2b..f7892c70 100644
--- a/internal/oidc/login/login_handler.go
+++ b/internal/federationdomain/endpoints/login/login_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -8,11 +8,11 @@ import (
 	"net/url"
 
 	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+	"go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+	"go.pinniped.dev/internal/federationdomain/formposthtml"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/httputil/securityheader"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/login/loginhtml"
-	"go.pinniped.dev/internal/oidc/provider/formposthtml"
 	"go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/oidc/login/login_handler_test.go b/internal/federationdomain/endpoints/login/login_handler_test.go
similarity index 99%
rename from internal/oidc/login/login_handler_test.go
rename to internal/federationdomain/endpoints/login/login_handler_test.go
index 11380950..854484b3 100644
--- a/internal/oidc/login/login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/login_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -13,8 +13,8 @@ import (
 	"github.com/gorilla/securecookie"
 	"github.com/stretchr/testify/require"
 
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/httputil/httperr"
-	"go.pinniped.dev/internal/oidc"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
 )
diff --git a/internal/oidc/login/loginhtml/login_form.css b/internal/federationdomain/endpoints/login/loginhtml/login_form.css
similarity index 96%
rename from internal/oidc/login/loginhtml/login_form.css
rename to internal/federationdomain/endpoints/login/loginhtml/login_form.css
index 5eba47e0..19680cc4 100644
--- a/internal/oidc/login/loginhtml/login_form.css
+++ b/internal/federationdomain/endpoints/login/loginhtml/login_form.css
@@ -1,4 +1,4 @@
-/* Copyright 2022 the Pinniped contributors. All Rights Reserved. */
+/* Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. */
 /* SPDX-License-Identifier: Apache-2.0 */
 
 html {
diff --git a/internal/oidc/login/loginhtml/login_form.gohtml b/internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
similarity index 99%
rename from internal/oidc/login/loginhtml/login_form.gohtml
rename to internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
index c1ab8ba3..7ae90e8c 100644
--- a/internal/oidc/login/loginhtml/login_form.gohtml
+++ b/internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
@@ -1,5 +1,5 @@
 <!--
-Copyright 2022 the Pinniped contributors. All Rights Reserved.
+Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 
 Notes:
diff --git a/internal/oidc/login/loginhtml/loginhtml.go b/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
similarity index 94%
rename from internal/oidc/login/loginhtml/loginhtml.go
rename to internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
index eb4c59b8..c09b5ca8 100644
--- a/internal/oidc/login/loginhtml/loginhtml.go
+++ b/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package loginhtml defines HTML templates used by the Supervisor.
@@ -11,7 +11,7 @@ import (
 
 	"github.com/tdewolff/minify/v2/minify"
 
-	"go.pinniped.dev/internal/oidc/provider/csp"
+	"go.pinniped.dev/internal/federationdomain/csp"
 )
 
 //nolint:gochecknoglobals // This package uses globals to ensure that all parsing and minifying happens at init.
diff --git a/internal/oidc/login/loginhtml/loginhtml_test.go b/internal/federationdomain/endpoints/login/loginhtml/loginhtml_test.go
similarity index 97%
rename from internal/oidc/login/loginhtml/loginhtml_test.go
rename to internal/federationdomain/endpoints/login/loginhtml/loginhtml_test.go
index 50d8dc95..b8184275 100644
--- a/internal/oidc/login/loginhtml/loginhtml_test.go
+++ b/internal/federationdomain/endpoints/login/loginhtml/loginhtml_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package loginhtml
@@ -8,9 +8,9 @@ import (
 	"fmt"
 	"testing"
 
-	"go.pinniped.dev/internal/testutil"
-
 	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/testutil"
 )
 
 var (
diff --git a/internal/oidc/login/post_login_handler.go b/internal/federationdomain/endpoints/login/post_login_handler.go
similarity index 96%
rename from internal/oidc/login/post_login_handler.go
rename to internal/federationdomain/endpoints/login/post_login_handler.go
index a9b0c7fc..018ac4ff 100644
--- a/internal/oidc/login/post_login_handler.go
+++ b/internal/federationdomain/endpoints/login/post_login_handler.go
@@ -9,10 +9,10 @@ import (
 
 	"github.com/ory/fosite"
 
+	"go.pinniped.dev/internal/federationdomain/downstreamsession"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/httputil/httperr"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/downstreamsession"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 	"go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/oidc/login/post_login_handler_test.go b/internal/federationdomain/endpoints/login/post_login_handler_test.go
similarity index 99%
rename from internal/oidc/login/post_login_handler_test.go
rename to internal/federationdomain/endpoints/login/post_login_handler_test.go
index be448218..b5c1c14d 100644
--- a/internal/oidc/login/post_login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/post_login_handler_test.go
@@ -20,9 +20,10 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	"go.pinniped.dev/internal/authenticators"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
@@ -978,7 +979,7 @@ func TestPostLoginEndpoint(t *testing.T) {
 			// Inject this into our test subject at the last second so we get a fresh storage for every test.
 			timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
 			// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
-			kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
+			kubeOauthStore := storage.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
 			hmacSecretFunc := func() []byte { return []byte("some secret - must have at least 32 bytes") }
 			require.GreaterOrEqual(t, len(hmacSecretFunc()), 32, "fosite requires that hmac secrets have at least 32 bytes")
 			jwksProviderIsUnused := jwks.NewDynamicJWKSProvider()
diff --git a/internal/oidc/token/token_handler.go b/internal/federationdomain/endpoints/token/token_handler.go
similarity index 98%
rename from internal/oidc/token/token_handler.go
rename to internal/federationdomain/endpoints/token/token_handler.go
index cddca455..8f651293 100644
--- a/internal/oidc/token/token_handler.go
+++ b/internal/federationdomain/endpoints/token/token_handler.go
@@ -18,13 +18,13 @@ import (
 	"k8s.io/utils/strings/slices"
 
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/downstreamsession"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/resolvedprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/downstreamsession"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
-	"go.pinniped.dev/internal/oidc/provider/resolvedprovider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/psession"
 )
diff --git a/internal/oidc/token/token_handler_test.go b/internal/federationdomain/endpoints/token/token_handler_test.go
similarity index 99%
rename from internal/oidc/token/token_handler_test.go
rename to internal/federationdomain/endpoints/token/token_handler_test.go
index aaeef0f6..48656f28 100644
--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/federationdomain/endpoints/token/token_handler_test.go
@@ -24,7 +24,7 @@ import (
 	"github.com/ory/fosite"
 	fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
-	"github.com/ory/fosite/handler/pkce"
+	fositepkce "github.com/ory/fosite/handler/pkce"
 	"github.com/ory/fosite/token/jwt"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
@@ -42,19 +42,20 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/fositestorage/accesstoken"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/fositestorage/openidconnect"
-	storagepkce "go.pinniped.dev/internal/fositestorage/pkce"
+	"go.pinniped.dev/internal/fositestorage/pkce"
 	"go.pinniped.dev/internal/fositestorage/refreshtoken"
 	"go.pinniped.dev/internal/fositestoragei"
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/httputil/httperr"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/clientregistry"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
@@ -955,7 +956,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) {
 			testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: openidconnect.TypeLabelValue}, 1)
 			testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: accesstoken.TypeLabelValue}, 0)
 			testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: refreshtoken.TypeLabelValue}, 0)
-			testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 0)
+			testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: pkce.TypeLabelValue}, 0)
 			// Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage.
 			testutil.RequireNumberOfSecretsExcludingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: oidcclientsecretstorage.TypeLabelValue}, 2)
 		})
@@ -1005,7 +1006,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 		authcodeExchange     authcodeExchangeInputs
 		modifyRequestParams  func(t *testing.T, params url.Values)
 		modifyRequestHeaders func(r *http.Request)
-		modifyStorage        func(t *testing.T, storage *oidc.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request)
+		modifyStorage        func(t *testing.T, storage *storage.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request)
 		requestedAudience    string
 		kubeResources        func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset)
 
@@ -1452,7 +1453,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 			name:              "valid access token, but it was already deleted from storage",
 			authcodeExchange:  doValidAuthCodeExchange,
 			requestedAudience: "some-workload-cluster",
-			modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request) {
+			modifyStorage: func(t *testing.T, storage *storage.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request) {
 				parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".")
 				require.Len(t, parts, 2)
 				require.NoError(t, storage.DeleteAccessTokenSession(context.Background(), parts[1]))
@@ -1465,7 +1466,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 			name:              "valid access token, but it has already expired",
 			authcodeExchange:  doValidAuthCodeExchange,
 			requestedAudience: "some-workload-cluster",
-			modifyStorage: func(t *testing.T, storage *oidc.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request) {
+			modifyStorage: func(t *testing.T, storage *storage.KubeStorage, secrets v1.SecretInterface, pendingRequest *http.Request) {
 				// The fosite storage APIs don't offer a way to update an access token, so we will instead find the underlying
 				// storage Secret and update it in a more manual way. First get the access token's signature.
 				parts := strings.Split(pendingRequest.Form.Get("subject_token"), ".")
@@ -1955,7 +1956,7 @@ func TestRefreshGrant(t *testing.T) {
 		kubeResources             func(t *testing.T, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset)
 		authcodeExchange          authcodeExchangeInputs
 		refreshRequest            refreshRequestInputs
-		modifyRefreshTokenStorage func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string)
+		modifyRefreshTokenStorage func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string)
 	}{
 		{
 			name: "happy path refresh grant with openid scope granted (id token returned)",
@@ -2869,7 +2870,7 @@ func TestRefreshGrant(t *testing.T) {
 			name:             "when a valid refresh token is sent in the refresh request, but the token has already expired",
 			idps:             oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()),
 			authcodeExchange: happyAuthcodeExchangeInputsForOIDCUpstream,
-			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
+			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
 				// The fosite storage APIs don't offer a way to update a refresh token, so we will instead find the underlying
 				// storage Secret and update it in a more manual way. First get the refresh token's signature.
 				refreshTokenSignature := getFositeDataSignature(t, refreshToken)
@@ -3832,7 +3833,7 @@ func TestRefreshGrant(t *testing.T) {
 				Build(),
 			),
 			authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream,
-			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
+			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
 				refreshTokenSignature := getFositeDataSignature(t, refreshToken)
 				firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil)
 				require.NoError(t, err)
@@ -3870,7 +3871,7 @@ func TestRefreshGrant(t *testing.T) {
 					happyLDAPCustomSessionData,
 				),
 			},
-			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
+			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
 				refreshTokenSignature := getFositeDataSignature(t, refreshToken)
 				firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil)
 				require.NoError(t, err)
@@ -3908,7 +3909,7 @@ func TestRefreshGrant(t *testing.T) {
 					happyLDAPCustomSessionData,
 				),
 			},
-			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
+			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
 				refreshTokenSignature := getFositeDataSignature(t, refreshToken)
 				firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil)
 				require.NoError(t, err)
@@ -3988,7 +3989,7 @@ func TestRefreshGrant(t *testing.T) {
 				Build(),
 			),
 			authcodeExchange: happyAuthcodeExchangeInputsForLDAPUpstream,
-			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *oidc.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
+			modifyRefreshTokenStorage: func(t *testing.T, oauthStore *storage.KubeStorage, secrets v1.SecretInterface, refreshToken string) {
 				refreshTokenSignature := getFositeDataSignature(t, refreshToken)
 				firstRequester, err := oauthStore.GetRefreshTokenSession(context.Background(), refreshTokenSignature, nil)
 				require.NoError(t, err)
@@ -4178,7 +4179,7 @@ func exchangeAuthcodeForTokens(
 	authCode string,
 	jwtSigningKey *ecdsa.PrivateKey,
 	secrets v1.SecretInterface,
-	oauthStore *oidc.KubeStorage,
+	oauthStore *storage.KubeStorage,
 ) {
 	authRequest := deepCopyRequestForm(happyAuthRequest)
 	if test.modifyAuthRequest != nil {
@@ -4196,7 +4197,7 @@ func exchangeAuthcodeForTokens(
 
 	var oauthHelper fosite.OAuth2Provider
 	// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
-	oauthStore = oidc.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), bcrypt.MinCost)
+	oauthStore = storage.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), bcrypt.MinCost)
 
 	if test.makeJwksSigningKeyAndProvider == nil {
 		test.makeJwksSigningKeyAndProvider = generateJWTSigningKeyAndJWKSProvider
@@ -4214,7 +4215,7 @@ func exchangeAuthcodeForTokens(
 	}
 
 	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
-	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 1)
+	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: pkce.TypeLabelValue}, 1)
 	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: openidconnect.TypeLabelValue}, expectedNumberOfIDSessionsStored)
 	// Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage.
 	testutil.RequireNumberOfSecretsExcludingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: oidcclientsecretstorage.TypeLabelValue}, 2+expectedNumberOfIDSessionsStored)
@@ -4259,7 +4260,7 @@ func requireTokenEndpointBehavior(
 	wantNonceValueInIDToken bool,
 	tokenEndpointResponse *httptest.ResponseRecorder,
 	authCode string,
-	oauthStore *oidc.KubeStorage,
+	oauthStore *storage.KubeStorage,
 	jwtSigningKey *ecdsa.PrivateKey,
 	secrets v1.SecretInterface,
 	requestTime time.Time,
@@ -4298,7 +4299,7 @@ func requireTokenEndpointBehavior(
 
 		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
 		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: accesstoken.TypeLabelValue}, 1)
-		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: storagepkce.TypeLabelValue}, 0)
+		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: pkce.TypeLabelValue}, 0)
 		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: refreshtoken.TypeLabelValue}, expectedNumberOfRefreshTokenSessionsStored)
 		testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: openidconnect.TypeLabelValue}, expectedNumberOfIDSessionsStored)
 		// Assert the number of all secrets, excluding any OIDCClient's storage secret, since those are not related to session storage.
@@ -4650,7 +4651,7 @@ func requireInvalidAccessTokenStorage(
 func requireInvalidPKCEStorage(
 	t *testing.T,
 	code string,
-	storage pkce.PKCERequestStorage,
+	storage fositepkce.PKCERequestStorage,
 ) {
 	t.Helper()
 
diff --git a/internal/oidc/token_exchange.go b/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
similarity index 91%
rename from internal/oidc/token_exchange.go
rename to internal/federationdomain/endpoints/tokenexchange/token_exchange.go
index 8ea6b31e..61a67e36 100644
--- a/internal/oidc/token_exchange.go
+++ b/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package tokenexchange
 
 import (
 	"context"
@@ -27,8 +27,8 @@ type stsParams struct {
 	requestedAudience  string
 }
 
-func TokenExchangeFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
-	return &TokenExchangeHandler{
+func HandlerFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
+	return &tokenExchangeHandler{
 		idTokenStrategy:     strategy.(openid.OpenIDConnectTokenStrategy),
 		accessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
 		accessTokenStorage:  storage.(oauth2.AccessTokenStorage),
@@ -36,23 +36,23 @@ func TokenExchangeFactory(config fosite.Configurator, storage interface{}, strat
 	}
 }
 
-type TokenExchangeHandler struct {
+type tokenExchangeHandler struct {
 	idTokenStrategy     openid.OpenIDConnectTokenStrategy
 	accessTokenStrategy oauth2.AccessTokenStrategy
 	accessTokenStorage  oauth2.AccessTokenStorage
 	fositeConfig        fosite.Configurator
 }
 
-var _ fosite.TokenEndpointHandler = (*TokenExchangeHandler)(nil)
+var _ fosite.TokenEndpointHandler = (*tokenExchangeHandler)(nil)
 
-func (t *TokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error {
+func (t *tokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error {
 	if !t.CanHandleTokenEndpointRequest(ctx, requester) {
 		return errors.WithStack(fosite.ErrUnknownRequest)
 	}
 	return nil
 }
 
-func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
+func (t *tokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
 	// Skip this request if it's for a different grant type.
 	if err := t.HandleTokenEndpointRequest(ctx, requester); err != nil {
 		return errors.WithStack(err)
@@ -108,7 +108,7 @@ func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context
 	return nil
 }
 
-func (t *TokenExchangeHandler) mintJWT(ctx context.Context, requester fosite.Requester, audience string) (string, error) {
+func (t *tokenExchangeHandler) mintJWT(ctx context.Context, requester fosite.Requester, audience string) (string, error) {
 	downscoped := fosite.NewAccessRequest(requester.GetSession())
 	downscoped.Client.(*fosite.DefaultClient).ID = audience
 
@@ -119,7 +119,7 @@ func (t *TokenExchangeHandler) mintJWT(ctx context.Context, requester fosite.Req
 	return t.idTokenStrategy.GenerateIDToken(ctx, idTokenLifespan, downscoped)
 }
 
-func (t *TokenExchangeHandler) validateSession(requester fosite.Requester) error {
+func (t *tokenExchangeHandler) validateSession(requester fosite.Requester) error {
 	pSession, ok := requester.GetSession().(*psession.PinnipedSession)
 	if !ok {
 		// This shouldn't really happen.
@@ -135,7 +135,7 @@ func (t *TokenExchangeHandler) validateSession(requester fosite.Requester) error
 	return nil
 }
 
-func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, error) {
+func (t *tokenExchangeHandler) validateParams(params url.Values) (*stsParams, error) {
 	var result stsParams
 
 	// Validate some required parameters.
@@ -189,7 +189,7 @@ func (t *TokenExchangeHandler) validateParams(params url.Values) (*stsParams, er
 	return &result, nil
 }
 
-func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requester fosite.AccessRequester, accessToken string) (fosite.Requester, error) {
+func (t *tokenExchangeHandler) validateAccessToken(ctx context.Context, requester fosite.AccessRequester, accessToken string) (fosite.Requester, error) {
 	// Look up the access token's stored session data.
 	signature := t.accessTokenStrategy.AccessTokenSignature(ctx, accessToken)
 	originalRequester, err := t.accessTokenStorage.GetAccessTokenSession(ctx, signature, requester.GetSession())
@@ -204,10 +204,10 @@ func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requeste
 	return originalRequester, nil
 }
 
-func (t *TokenExchangeHandler) CanSkipClientAuth(_ context.Context, _ fosite.AccessRequester) bool {
+func (t *tokenExchangeHandler) CanSkipClientAuth(_ context.Context, _ fosite.AccessRequester) bool {
 	return false
 }
 
-func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(_ context.Context, requester fosite.AccessRequester) bool {
+func (t *tokenExchangeHandler) CanHandleTokenEndpointRequest(_ context.Context, requester fosite.AccessRequester) bool {
 	return requester.GetGrantTypes().ExactOne(oidcapi.GrantTypeTokenExchange)
 }
diff --git a/internal/oidc/provider/manager/manager.go b/internal/federationdomain/endpointsmanager/manager.go
similarity index 86%
rename from internal/oidc/provider/manager/manager.go
rename to internal/federationdomain/endpointsmanager/manager.go
index 2d0e760a..494f8986 100644
--- a/internal/oidc/provider/manager/manager.go
+++ b/internal/federationdomain/endpointsmanager/manager.go
@@ -1,9 +1,10 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package manager
+package endpointsmanager
 
 import (
+	"go.pinniped.dev/internal/httputil/requestutil"
 	"net/http"
 	"strings"
 	"sync"
@@ -11,20 +12,20 @@ import (
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
-	"go.pinniped.dev/internal/httputil/requestutil"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/auth"
-	"go.pinniped.dev/internal/oidc/callback"
-	"go.pinniped.dev/internal/oidc/csrftoken"
-	"go.pinniped.dev/internal/oidc/discovery"
-	"go.pinniped.dev/internal/oidc/dynamiccodec"
-	"go.pinniped.dev/internal/oidc/idpdiscovery"
-	"go.pinniped.dev/internal/oidc/idplister"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/login"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
-	"go.pinniped.dev/internal/oidc/token"
+	"go.pinniped.dev/internal/federationdomain/csrftoken"
+	"go.pinniped.dev/internal/federationdomain/dynamiccodec"
+	"go.pinniped.dev/internal/federationdomain/endpoints/auth"
+	"go.pinniped.dev/internal/federationdomain/endpoints/callback"
+	"go.pinniped.dev/internal/federationdomain/endpoints/discovery"
+	"go.pinniped.dev/internal/federationdomain/endpoints/idpdiscovery"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/endpoints/login"
+	"go.pinniped.dev/internal/federationdomain/endpoints/token"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/idplister"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/secret"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
@@ -101,7 +102,7 @@ func (m *Manager) SetFederationDomains(federationDomains ...*federationdomainpro
 		// Use NullStorage for the authorize endpoint because we do not actually want to store anything until
 		// the upstream callback endpoint is called later.
 		oauthHelperWithNullStorage := oidc.FositeOauth2Helper(
-			oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient, oidcclientvalidator.DefaultMinBcryptCost),
+			storage.NewNullStorage(m.secretsClient, m.oidcClientsClient, oidcclientvalidator.DefaultMinBcryptCost),
 			issuerURL,
 			tokenHMACKeyGetter,
 			nil,
@@ -110,7 +111,7 @@ func (m *Manager) SetFederationDomains(federationDomains ...*federationdomainpro
 
 		// For all the other endpoints, make another oauth helper with exactly the same settings except use real storage.
 		oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(
-			oidc.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration, oidcclientvalidator.DefaultMinBcryptCost),
+			storage.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration, oidcclientvalidator.DefaultMinBcryptCost),
 			issuerURL,
 			tokenHMACKeyGetter,
 			m.dynamicJWKSProvider,
diff --git a/internal/oidc/provider/manager/manager_test.go b/internal/federationdomain/endpointsmanager/manager_test.go
similarity index 98%
rename from internal/oidc/provider/manager/manager_test.go
rename to internal/federationdomain/endpointsmanager/manager_test.go
index 8cf764c6..de6ea70b 100644
--- a/internal/oidc/provider/manager/manager_test.go
+++ b/internal/federationdomain/endpointsmanager/manager_test.go
@@ -1,7 +1,7 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package manager
+package endpointsmanager
 
 import (
 	"crypto/ecdsa"
@@ -20,12 +20,12 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 
 	supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
+	"go.pinniped.dev/internal/federationdomain/endpoints/discovery"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/oidc"
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/discovery"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 	"go.pinniped.dev/internal/secret"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
diff --git a/internal/oidc/provider/federationdomainproviders/federation_domain_identity_providers_lister_finder.go b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
similarity index 98%
rename from internal/oidc/provider/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
rename to internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
index 27d76a1d..ab1d9fd9 100644
--- a/internal/oidc/provider/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
+++ b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
@@ -9,9 +9,9 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 
+	"go.pinniped.dev/internal/federationdomain/idplister"
+	"go.pinniped.dev/internal/federationdomain/resolvedprovider"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc/idplister"
-	"go.pinniped.dev/internal/oidc/provider/resolvedprovider"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/oidc/provider/federationdomainproviders/federation_domain_issuer.go b/internal/federationdomain/federationdomainproviders/federation_domain_issuer.go
similarity index 100%
rename from internal/oidc/provider/federationdomainproviders/federation_domain_issuer.go
rename to internal/federationdomain/federationdomainproviders/federation_domain_issuer.go
diff --git a/internal/oidc/provider/federationdomainproviders/federation_domain_issuer_test.go b/internal/federationdomain/federationdomainproviders/federation_domain_issuer_test.go
similarity index 100%
rename from internal/oidc/provider/federationdomainproviders/federation_domain_issuer_test.go
rename to internal/federationdomain/federationdomainproviders/federation_domain_issuer_test.go
diff --git a/internal/oidc/provider/formposthtml/form_post.css b/internal/federationdomain/formposthtml/form_post.css
similarity index 97%
rename from internal/oidc/provider/formposthtml/form_post.css
rename to internal/federationdomain/formposthtml/form_post.css
index e272f13d..90f15b3b 100644
--- a/internal/oidc/provider/formposthtml/form_post.css
+++ b/internal/federationdomain/formposthtml/form_post.css
@@ -1,4 +1,4 @@
-/* Copyright 2021 the Pinniped contributors. All Rights Reserved. */
+/* Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. */
 /* SPDX-License-Identifier: Apache-2.0 */
 
 body {
diff --git a/internal/oidc/provider/formposthtml/form_post.gohtml b/internal/federationdomain/formposthtml/form_post.gohtml
similarity index 94%
rename from internal/oidc/provider/formposthtml/form_post.gohtml
rename to internal/federationdomain/formposthtml/form_post.gohtml
index 92be18d2..1fd0a70d 100644
--- a/internal/oidc/provider/formposthtml/form_post.gohtml
+++ b/internal/federationdomain/formposthtml/form_post.gohtml
@@ -1,5 +1,5 @@
 <!--
-Copyright 2021 the Pinniped contributors. All Rights Reserved.
+Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 --><!DOCTYPE html>
 <html lang="en">
diff --git a/internal/oidc/provider/formposthtml/form_post.js b/internal/federationdomain/formposthtml/form_post.js
similarity index 98%
rename from internal/oidc/provider/formposthtml/form_post.js
rename to internal/federationdomain/formposthtml/form_post.js
index cb73c8cd..dcf86275 100644
--- a/internal/oidc/provider/formposthtml/form_post.js
+++ b/internal/federationdomain/formposthtml/form_post.js
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 window.onload = () => {
diff --git a/internal/oidc/provider/formposthtml/formposthtml.go b/internal/federationdomain/formposthtml/formposthtml.go
similarity index 94%
rename from internal/oidc/provider/formposthtml/formposthtml.go
rename to internal/federationdomain/formposthtml/formposthtml.go
index 4fd709c1..cdf2b85b 100644
--- a/internal/oidc/provider/formposthtml/formposthtml.go
+++ b/internal/federationdomain/formposthtml/formposthtml.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package formposthtml defines HTML templates used by the Supervisor.
@@ -11,7 +11,7 @@ import (
 
 	"github.com/tdewolff/minify/v2/minify"
 
-	"go.pinniped.dev/internal/oidc/provider/csp"
+	"go.pinniped.dev/internal/federationdomain/csp"
 )
 
 //nolint:gochecknoglobals // This package uses globals to ensure that all parsing and minifying happens at init.
diff --git a/internal/oidc/provider/formposthtml/formposthtml_test.go b/internal/federationdomain/formposthtml/formposthtml_test.go
similarity index 99%
rename from internal/oidc/provider/formposthtml/formposthtml_test.go
rename to internal/federationdomain/formposthtml/formposthtml_test.go
index e7d82b75..3ab3a49a 100644
--- a/internal/oidc/provider/formposthtml/formposthtml_test.go
+++ b/internal/federationdomain/formposthtml/formposthtml_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package formposthtml
diff --git a/internal/oidc/idplister/upstream_idp_lister.go b/internal/federationdomain/idplister/upstream_idp_lister.go
similarity index 92%
rename from internal/oidc/idplister/upstream_idp_lister.go
rename to internal/federationdomain/idplister/upstream_idp_lister.go
index 3ea4ea64..38b5e27e 100644
--- a/internal/oidc/idplister/upstream_idp_lister.go
+++ b/internal/federationdomain/idplister/upstream_idp_lister.go
@@ -4,7 +4,7 @@
 package idplister
 
 import (
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 )
 
 type UpstreamOIDCIdentityProvidersLister interface {
diff --git a/internal/oidc/oidc.go b/internal/federationdomain/oidc/oidc.go
similarity index 70%
rename from internal/oidc/oidc.go
rename to internal/federationdomain/oidc/oidc.go
index 1367f35b..a314ac68 100644
--- a/internal/oidc/oidc.go
+++ b/internal/federationdomain/oidc/oidc.go
@@ -1,7 +1,8 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package oidc contains common OIDC functionality needed by Pinniped.
+// Package oidc contains common OIDC functionality needed by FederationDomains to implement
+// downstream OIDC functionality.
 package oidc
 
 import (
@@ -18,10 +19,13 @@ import (
 	errorsx "github.com/pkg/errors"
 
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/csrftoken"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/endpoints/tokenexchange"
+	"go.pinniped.dev/internal/federationdomain/formposthtml"
+	"go.pinniped.dev/internal/federationdomain/strategy"
+	"go.pinniped.dev/internal/federationdomain/timeouts"
 	"go.pinniped.dev/internal/httputil/httperr"
-	"go.pinniped.dev/internal/oidc/csrftoken"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/provider/formposthtml"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
@@ -99,81 +103,13 @@ type UpstreamStateParamData struct {
 	FormatVersion string              `json:"v"`
 }
 
-type TimeoutsConfiguration struct {
-	// The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
-	// valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
-	// time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
-	// the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
-	// with password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
-	// the browser is sitting at the upstream IDP's login page.
-	UpstreamStateParamLifespan time.Duration
-
-	// How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
-	// has to come back to exchange the authcode for tokens at the token endpoint.
-	AuthorizeCodeLifespan time.Duration
-
-	// The lifetime of an downstream access token issued by the token endpoint. Access tokens should generally
-	// be fairly short-lived.
-	AccessTokenLifespan time.Duration
-
-	// The lifetime of an downstream ID token issued by the token endpoint. This should generally be the same
-	// as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
-	// for longer than their proof of authorization.
-	IDTokenLifespan time.Duration
-
-	// The lifetime of an downstream refresh token issued by the token endpoint. This should generally be
-	// significantly longer than the access token lifetime, so it can be used to refresh the access token
-	// multiple times. Once the refresh token expires, the user's session is over and they will need
-	// to start a new authorization request, which will require them to log in again with the upstream IDP
-	// in their web browser.
-	RefreshTokenLifespan time.Duration
-
-	// AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
-	// collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
-	// authcode as already used, so it can reject any future uses of the same authcode with special case handling which
-	// include revoking the access and refresh tokens associated with the session. Therefore, this should be
-	// significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
-	// the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan.
-	AuthorizationCodeSessionStorageLifetime time.Duration
-
-	// PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
-	// storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
-	// redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
-	// but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
-	// avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
-	// while it is being used.
-	PKCESessionStorageLifetime time.Duration
-
-	// OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
-	// is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
-	// deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
-	// Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
-	// as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
-	OIDCSessionStorageLifetime time.Duration
-
-	// AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
-	// to be garbage collected from storage.  These must exist in storage for as long as the refresh token is valid
-	// or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
-	AccessTokenSessionStorageLifetime time.Duration
-
-	// RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
-	// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
-	// Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
-	// as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
-	// If an expired token is still stored when the user tries to refresh it, then they will get a more specific
-	// error message telling them that the token is expired, rather than a more generic error that is returned
-	// when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
-	// to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
-	RefreshTokenSessionStorageLifetime time.Duration
-}
-
 // Get the defaults for the Supervisor server.
-func DefaultOIDCTimeoutsConfiguration() TimeoutsConfiguration {
+func DefaultOIDCTimeoutsConfiguration() timeouts.Configuration {
 	accessTokenLifespan := 2 * time.Minute
 	authorizationCodeLifespan := 10 * time.Minute
 	refreshTokenLifespan := 9 * time.Hour
 
-	return TimeoutsConfiguration{
+	return timeouts.Configuration{
 		UpstreamStateParamLifespan:              90 * time.Minute,
 		AuthorizeCodeLifespan:                   authorizationCodeLifespan,
 		AccessTokenLifespan:                     accessTokenLifespan,
@@ -192,7 +128,7 @@ func FositeOauth2Helper(
 	issuer string,
 	hmacSecretOfLengthAtLeast32Func func() []byte,
 	jwksProvider jwks.DynamicJWKSProvider,
-	timeoutsConfiguration TimeoutsConfiguration,
+	timeoutsConfiguration timeouts.Configuration,
 ) fosite.OAuth2Provider {
 	isRedirectURISecureStrict := func(_ context.Context, uri *url.URL) bool {
 		return fosite.IsRedirectURISecureStrict(uri)
@@ -234,15 +170,15 @@ func FositeOauth2Helper(
 		oauthStore,
 		&compose.CommonStrategy{
 			// Note that Fosite requires the HMAC secret to be at least 32 bytes.
-			CoreStrategy:               newDynamicOauth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32Func),
-			OpenIDConnectTokenStrategy: newDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider),
+			CoreStrategy:               strategy.NewDynamicOauth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32Func),
+			OpenIDConnectTokenStrategy: strategy.NewDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider),
 		},
 		compose.OAuth2AuthorizeExplicitFactory,
 		compose.OAuth2RefreshTokenGrantFactory,
 		compose.OpenIDConnectExplicitFactory,
 		compose.OpenIDConnectRefreshFactory,
 		compose.OAuth2PKCEFactory,
-		TokenExchangeFactory, // handle the "urn:ietf:params:oauth:grant-type:token-exchange" grant type
+		tokenexchange.HandlerFactory, // handle the "urn:ietf:params:oauth:grant-type:token-exchange" grant type
 	)
 
 	return oAuth2Provider
diff --git a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go b/internal/federationdomain/oidcclientvalidator/oidcclientvalidator.go
similarity index 100%
rename from internal/oidc/oidcclientvalidator/oidcclientvalidator.go
rename to internal/federationdomain/oidcclientvalidator/oidcclientvalidator.go
diff --git a/internal/oidc/provider/resolvedprovider/resolved_provider.go b/internal/federationdomain/resolvedprovider/resolved_provider.go
similarity index 87%
rename from internal/oidc/provider/resolvedprovider/resolved_provider.go
rename to internal/federationdomain/resolvedprovider/resolved_provider.go
index f37f0a16..e2b43a86 100644
--- a/internal/oidc/provider/resolvedprovider/resolved_provider.go
+++ b/internal/federationdomain/resolvedprovider/resolved_provider.go
@@ -1,8 +1,11 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 package resolvedprovider
 
 import (
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/oidc/dynamic_global_secret_config.go b/internal/federationdomain/storage/dynamic_global_secret_config.go
similarity index 96%
rename from internal/oidc/dynamic_global_secret_config.go
rename to internal/federationdomain/storage/dynamic_global_secret_config.go
index b9001eea..50f997c4 100644
--- a/internal/oidc/dynamic_global_secret_config.go
+++ b/internal/federationdomain/storage/dynamic_global_secret_config.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package storage
 
 import (
 	"context"
diff --git a/internal/oidc/kube_storage.go b/internal/federationdomain/storage/kube_storage.go
similarity index 97%
rename from internal/oidc/kube_storage.go
rename to internal/federationdomain/storage/kube_storage.go
index a197335e..e10ed60e 100644
--- a/internal/oidc/kube_storage.go
+++ b/internal/federationdomain/storage/kube_storage.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package storage
 
 import (
 	"context"
@@ -14,13 +14,14 @@ import (
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/timeouts"
 	"go.pinniped.dev/internal/fositestorage/accesstoken"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/fositestorage/openidconnect"
 	"go.pinniped.dev/internal/fositestorage/pkce"
 	"go.pinniped.dev/internal/fositestorage/refreshtoken"
 	"go.pinniped.dev/internal/fositestoragei"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 )
 
@@ -38,7 +39,7 @@ var _ fositestoragei.AllFositeStorage = &KubeStorage{}
 func NewKubeStorage(
 	secrets corev1client.SecretInterface,
 	oidcClientsClient v1alpha1.OIDCClientInterface,
-	timeoutsConfiguration TimeoutsConfiguration,
+	timeoutsConfiguration timeouts.Configuration,
 	minBcryptCost int,
 ) *KubeStorage {
 	nowFunc := time.Now
diff --git a/internal/oidc/nullstorage.go b/internal/federationdomain/storage/null_storage.go
similarity index 96%
rename from internal/oidc/nullstorage.go
rename to internal/federationdomain/storage/null_storage.go
index 61476f81..ae5b0ecc 100644
--- a/internal/oidc/nullstorage.go
+++ b/internal/federationdomain/storage/null_storage.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package storage
 
 import (
 	"context"
@@ -11,8 +11,8 @@ import (
 
 	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	"go.pinniped.dev/internal/constable"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestoragei"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 )
 
diff --git a/internal/oidc/dynamic_oauth2_hmac_strategy.go b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
similarity index 81%
rename from internal/oidc/dynamic_oauth2_hmac_strategy.go
rename to internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
index d5456b67..200dd41c 100644
--- a/internal/oidc/dynamic_oauth2_hmac_strategy.go
+++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package strategy
 
 import (
 	"context"
@@ -11,6 +11,8 @@ import (
 	"github.com/ory/fosite/compose"
 	"github.com/ory/fosite/handler/oauth2"
 	errorsx "github.com/pkg/errors"
+
+	"go.pinniped.dev/internal/federationdomain/storage"
 )
 
 const (
@@ -24,7 +26,7 @@ const (
 	oryAuthcodePrefix = "ory_ac_"
 )
 
-// dynamicOauth2HMACStrategy is an oauth2.CoreStrategy that can dynamically load an HMAC key to sign
+// DynamicOauth2HMACStrategy is an oauth2.CoreStrategy that can dynamically load an HMAC key to sign
 // stuff (access tokens, refresh tokens, and auth codes). We want this dynamic capability since our
 // controllers for loading FederationDomain's and signing keys run in parallel, and thus the signing key
 // might not be ready when an FederationDomain is otherwise ready.
@@ -37,18 +39,18 @@ const (
 // out of context, such as when accidentally committed to a GitHub repo. After we implemented the
 // custom prefix feature, fosite later added the same feature, but did not make the prefix customizable.
 // Therefore, this code has been updated to replace the fosite prefix with our custom prefix.
-type dynamicOauth2HMACStrategy struct {
+type DynamicOauth2HMACStrategy struct {
 	fositeConfig *fosite.Config
 	keyFunc      func() []byte
 }
 
-var _ oauth2.CoreStrategy = &dynamicOauth2HMACStrategy{}
+var _ oauth2.CoreStrategy = &DynamicOauth2HMACStrategy{}
 
-func newDynamicOauth2HMACStrategy(
+func NewDynamicOauth2HMACStrategy(
 	fositeConfig *fosite.Config,
 	keyFunc func() []byte,
-) *dynamicOauth2HMACStrategy {
-	return &dynamicOauth2HMACStrategy{
+) *DynamicOauth2HMACStrategy {
+	return &DynamicOauth2HMACStrategy{
 		fositeConfig: fositeConfig,
 		keyFunc:      keyFunc,
 	}
@@ -58,11 +60,11 @@ func replacePrefix(s, prefixToReplace, newPrefix string) string {
 	return newPrefix + strings.TrimPrefix(s, prefixToReplace)
 }
 
-func (s *dynamicOauth2HMACStrategy) AccessTokenSignature(ctx context.Context, token string) string {
+func (s *DynamicOauth2HMACStrategy) AccessTokenSignature(ctx context.Context, token string) string {
 	return s.delegate().AccessTokenSignature(ctx, token)
 }
 
-func (s *dynamicOauth2HMACStrategy) GenerateAccessToken(
+func (s *DynamicOauth2HMACStrategy) GenerateAccessToken(
 	ctx context.Context,
 	requester fosite.Requester,
 ) (string, string, error) {
@@ -78,7 +80,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateAccessToken(
 	return token, sig, err
 }
 
-func (s *dynamicOauth2HMACStrategy) ValidateAccessToken(
+func (s *DynamicOauth2HMACStrategy) ValidateAccessToken(
 	ctx context.Context,
 	requester fosite.Requester,
 	token string,
@@ -90,11 +92,11 @@ func (s *dynamicOauth2HMACStrategy) ValidateAccessToken(
 	return s.delegate().ValidateAccessToken(ctx, requester, replacePrefix(token, pinAccessTokenPrefix, oryAccessTokenPrefix))
 }
 
-func (s *dynamicOauth2HMACStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
+func (s *DynamicOauth2HMACStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
 	return s.delegate().RefreshTokenSignature(ctx, token)
 }
 
-func (s *dynamicOauth2HMACStrategy) GenerateRefreshToken(
+func (s *DynamicOauth2HMACStrategy) GenerateRefreshToken(
 	ctx context.Context,
 	requester fosite.Requester,
 ) (string, string, error) {
@@ -110,7 +112,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateRefreshToken(
 	return token, sig, err
 }
 
-func (s *dynamicOauth2HMACStrategy) ValidateRefreshToken(
+func (s *DynamicOauth2HMACStrategy) ValidateRefreshToken(
 	ctx context.Context,
 	requester fosite.Requester,
 	token string,
@@ -122,11 +124,11 @@ func (s *dynamicOauth2HMACStrategy) ValidateRefreshToken(
 	return s.delegate().ValidateRefreshToken(ctx, requester, replacePrefix(token, pinRefreshTokenPrefix, oryRefreshTokenPrefix))
 }
 
-func (s *dynamicOauth2HMACStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
+func (s *DynamicOauth2HMACStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
 	return s.delegate().AuthorizeCodeSignature(ctx, token)
 }
 
-func (s *dynamicOauth2HMACStrategy) GenerateAuthorizeCode(
+func (s *DynamicOauth2HMACStrategy) GenerateAuthorizeCode(
 	ctx context.Context,
 	requester fosite.Requester,
 ) (string, string, error) {
@@ -142,7 +144,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateAuthorizeCode(
 	return authcode, sig, err
 }
 
-func (s *dynamicOauth2HMACStrategy) ValidateAuthorizeCode(
+func (s *DynamicOauth2HMACStrategy) ValidateAuthorizeCode(
 	ctx context.Context,
 	requester fosite.Requester,
 	token string,
@@ -154,6 +156,6 @@ func (s *dynamicOauth2HMACStrategy) ValidateAuthorizeCode(
 	return s.delegate().ValidateAuthorizeCode(ctx, requester, replacePrefix(token, pinAuthcodePrefix, oryAuthcodePrefix))
 }
 
-func (s *dynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy {
-	return compose.NewOAuth2HMACStrategy(NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc))
+func (s *DynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy {
+	return compose.NewOAuth2HMACStrategy(storage.NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc))
 }
diff --git a/internal/oidc/dynamic_oauth2_hmac_strategy_test.go b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go
similarity index 97%
rename from internal/oidc/dynamic_oauth2_hmac_strategy_test.go
rename to internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go
index c2028a79..02bf861c 100644
--- a/internal/oidc/dynamic_oauth2_hmac_strategy_test.go
+++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go
@@ -1,7 +1,7 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package strategy
 
 import (
 	"context"
@@ -15,7 +15,7 @@ import (
 )
 
 func TestDynamicOauth2HMACStrategy_Signatures(t *testing.T) {
-	s := newDynamicOauth2HMACStrategy(
+	s := NewDynamicOauth2HMACStrategy(
 		&fosite.Config{}, // defaults are good enough for this unit test
 		func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key
 	)
@@ -57,12 +57,12 @@ func TestDynamicOauth2HMACStrategy_Signatures(t *testing.T) {
 }
 
 func TestDynamicOauth2HMACStrategy_Generate(t *testing.T) {
-	s := newDynamicOauth2HMACStrategy(
+	s := NewDynamicOauth2HMACStrategy(
 		&fosite.Config{}, // defaults are good enough for this unit test
 		func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key
 	)
 
-	generateTokenErrorCausingStrategy := newDynamicOauth2HMACStrategy(
+	generateTokenErrorCausingStrategy := NewDynamicOauth2HMACStrategy(
 		&fosite.Config{},
 		func() []byte { return []byte("too_short_causes_error") }, // secret key is below required 32 characters
 	)
@@ -134,7 +134,7 @@ func TestDynamicOauth2HMACStrategy_Generate(t *testing.T) {
 }
 
 func TestDynamicOauth2HMACStrategy_Validate(t *testing.T) {
-	s := newDynamicOauth2HMACStrategy(
+	s := NewDynamicOauth2HMACStrategy(
 		&fosite.Config{}, // defaults are good enough for this unit test
 		func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key
 	)
diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go
similarity index 79%
rename from internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go
rename to internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go
index 80782882..463a450c 100644
--- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go
+++ b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package strategy
 
 import (
 	"context"
@@ -14,11 +14,11 @@ import (
 	"github.com/ory/fosite/handler/openid"
 
 	"go.pinniped.dev/internal/constable"
-	"go.pinniped.dev/internal/oidc/jwks"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
 	"go.pinniped.dev/internal/plog"
 )
 
-// dynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically
+// DynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically
 // load a signing key to issue ID tokens. We want this dynamic capability since our controllers for
 // loading FederationDomain's and signing keys run in parallel, and thus the signing key might not be
 // ready when an FederationDomain is otherwise ready.
@@ -26,24 +26,24 @@ import (
 // If we ever update FederationDomain's to hold their signing key, we might not need this type, since we
 // could have an invariant that routes to an FederationDomain's endpoints are only wired up if an
 // FederationDomain has a valid signing key.
-type dynamicOpenIDConnectECDSAStrategy struct {
+type DynamicOpenIDConnectECDSAStrategy struct {
 	fositeConfig *fosite.Config
 	jwksProvider jwks.DynamicJWKSProvider
 }
 
-var _ openid.OpenIDConnectTokenStrategy = &dynamicOpenIDConnectECDSAStrategy{}
+var _ openid.OpenIDConnectTokenStrategy = &DynamicOpenIDConnectECDSAStrategy{}
 
-func newDynamicOpenIDConnectECDSAStrategy(
+func NewDynamicOpenIDConnectECDSAStrategy(
 	fositeConfig *fosite.Config,
 	jwksProvider jwks.DynamicJWKSProvider,
-) *dynamicOpenIDConnectECDSAStrategy {
-	return &dynamicOpenIDConnectECDSAStrategy{
+) *DynamicOpenIDConnectECDSAStrategy {
+	return &DynamicOpenIDConnectECDSAStrategy{
 		fositeConfig: fositeConfig,
 		jwksProvider: jwksProvider,
 	}
 }
 
-func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
+func (s *DynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
 	ctx context.Context,
 	lifespan time.Duration,
 	requester fosite.Requester,
diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go
similarity index 95%
rename from internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go
rename to internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go
index 3573f987..94bf676a 100644
--- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go
+++ b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go
@@ -1,7 +1,7 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package oidc
+package strategy
 
 import (
 	"context"
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"gopkg.in/square/go-jose.v2"
 
-	"go.pinniped.dev/internal/oidc/jwks"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
 	"go.pinniped.dev/internal/testutil/oidctestutil"
 )
 
@@ -94,7 +94,7 @@ func TestDynamicOpenIDConnectECDSAStrategy(t *testing.T) {
 			if test.jwksProvider != nil {
 				test.jwksProvider(jwksProvider)
 			}
-			s := newDynamicOpenIDConnectECDSAStrategy(
+			s := NewDynamicOpenIDConnectECDSAStrategy(
 				&fosite.Config{IDTokenIssuer: test.issuer},
 				jwksProvider,
 			)
diff --git a/internal/federationdomain/timeouts/timeouts_configuration.go b/internal/federationdomain/timeouts/timeouts_configuration.go
new file mode 100644
index 00000000..9657eaa4
--- /dev/null
+++ b/internal/federationdomain/timeouts/timeouts_configuration.go
@@ -0,0 +1,74 @@
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package timeouts
+
+import "time"
+
+type Configuration struct {
+	// The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
+	// valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
+	// time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
+	// the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
+	// with password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
+	// the browser is sitting at the upstream IDP's login page.
+	UpstreamStateParamLifespan time.Duration
+
+	// How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
+	// has to come back to exchange the authcode for tokens at the token endpoint.
+	AuthorizeCodeLifespan time.Duration
+
+	// The lifetime of an downstream access token issued by the token endpoint. Access tokens should generally
+	// be fairly short-lived.
+	AccessTokenLifespan time.Duration
+
+	// The lifetime of an downstream ID token issued by the token endpoint. This should generally be the same
+	// as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
+	// for longer than their proof of authorization.
+	IDTokenLifespan time.Duration
+
+	// The lifetime of an downstream refresh token issued by the token endpoint. This should generally be
+	// significantly longer than the access token lifetime, so it can be used to refresh the access token
+	// multiple times. Once the refresh token expires, the user's session is over and they will need
+	// to start a new authorization request, which will require them to log in again with the upstream IDP
+	// in their web browser.
+	RefreshTokenLifespan time.Duration
+
+	// AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
+	// collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
+	// authcode as already used, so it can reject any future uses of the same authcode with special case handling which
+	// include revoking the access and refresh tokens associated with the session. Therefore, this should be
+	// significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
+	// the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan.
+	AuthorizationCodeSessionStorageLifetime time.Duration
+
+	// PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
+	// storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
+	// redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
+	// but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
+	// avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
+	// while it is being used.
+	PKCESessionStorageLifetime time.Duration
+
+	// OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
+	// is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
+	// deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
+	// Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
+	// as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
+	OIDCSessionStorageLifetime time.Duration
+
+	// AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
+	// to be garbage collected from storage.  These must exist in storage for as long as the refresh token is valid
+	// or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
+	AccessTokenSessionStorageLifetime time.Duration
+
+	// RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
+	// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
+	// Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
+	// as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
+	// If an expired token is still stored when the user tries to refresh it, then they will get a more specific
+	// error message telling them that the token is expired, rather than a more generic error that is returned
+	// when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
+	// to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
+	RefreshTokenSessionStorageLifetime time.Duration
+}
diff --git a/internal/oidc/provider/upstreamprovider/upsteam_provider.go b/internal/federationdomain/upstreamprovider/upsteam_provider.go
similarity index 100%
rename from internal/oidc/provider/upstreamprovider/upsteam_provider.go
rename to internal/federationdomain/upstreamprovider/upsteam_provider.go
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go
index 07b065ed..04247889 100644
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -16,8 +16,8 @@ import (
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/accesstoken/accesstoken_test.go b/internal/fositestorage/accesstoken/accesstoken_test.go
index 52a731f3..2e571e9a 100644
--- a/internal/fositestorage/accesstoken/accesstoken_test.go
+++ b/internal/fositestorage/accesstoken/accesstoken_test.go
@@ -22,7 +22,7 @@ import (
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
 
-	"go.pinniped.dev/internal/oidc/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go
index 6c451acf..c2fe859d 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -17,8 +17,8 @@ import (
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go
index 35580001..69912765 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@@ -34,8 +34,8 @@ import (
 	kubetesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
 
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/fositestorage/fositestorage.go b/internal/fositestorage/fositestorage.go
index af99caed..c15c8c90 100644
--- a/internal/fositestorage/fositestorage.go
+++ b/internal/fositestorage/fositestorage.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package fositestorage
@@ -7,7 +7,7 @@ import (
 	"github.com/ory/fosite"
 
 	"go.pinniped.dev/internal/constable"
-	"go.pinniped.dev/internal/oidc/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go
index 4770e41f..c2aa553d 100644
--- a/internal/fositestorage/openidconnect/openidconnect.go
+++ b/internal/fositestorage/openidconnect/openidconnect.go
@@ -16,8 +16,8 @@ import (
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/openidconnect/openidconnect_test.go b/internal/fositestorage/openidconnect/openidconnect_test.go
index e4740ac7..e278deea 100644
--- a/internal/fositestorage/openidconnect/openidconnect_test.go
+++ b/internal/fositestorage/openidconnect/openidconnect_test.go
@@ -21,7 +21,7 @@ import (
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
 
-	"go.pinniped.dev/internal/oidc/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go
index 3f44a00d..6cea9a85 100644
--- a/internal/fositestorage/pkce/pkce.go
+++ b/internal/fositestorage/pkce/pkce.go
@@ -15,8 +15,8 @@ import (
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/pkce/pkce_test.go b/internal/fositestorage/pkce/pkce_test.go
index f0a24fd4..bc424593 100644
--- a/internal/fositestorage/pkce/pkce_test.go
+++ b/internal/fositestorage/pkce/pkce_test.go
@@ -21,7 +21,7 @@ import (
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
 
-	"go.pinniped.dev/internal/oidc/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go
index 9feaed55..d3abdc4f 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -16,8 +16,8 @@ import (
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/psession"
 )
 
diff --git a/internal/fositestorage/refreshtoken/refreshtoken_test.go b/internal/fositestorage/refreshtoken/refreshtoken_test.go
index 8e2826b9..24da03a1 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken_test.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken_test.go
@@ -22,7 +22,7 @@ import (
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
 
-	"go.pinniped.dev/internal/oidc/clientregistry"
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/mocks/issuermocks/generate.go b/internal/mocks/issuermocks/generate.go
index 7d0c9937..c770c927 100644
--- a/internal/mocks/issuermocks/generate.go
+++ b/internal/mocks/issuermocks/generate.go
@@ -1,6 +1,6 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package issuermocks
 
-//go:generate go run -v github.com/golang/mock/mockgen  -destination=issuermocks.go -package=issuermocks -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/issuer ClientCertIssuer
+//go:generate go run -v github.com/golang/mock/mockgen  -destination=issuermocks.go -package=issuermocks -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/clientcertissuer ClientCertIssuer
diff --git a/internal/mocks/issuermocks/issuermocks.go b/internal/mocks/issuermocks/issuermocks.go
index 6867a2a0..2edd2848 100644
--- a/internal/mocks/issuermocks/issuermocks.go
+++ b/internal/mocks/issuermocks/issuermocks.go
@@ -3,7 +3,7 @@
 //
 
 // Code generated by MockGen. DO NOT EDIT.
-// Source: go.pinniped.dev/internal/issuer (interfaces: ClientCertIssuer)
+// Source: go.pinniped.dev/internal/clientcertissuer (interfaces: ClientCertIssuer)
 
 // Package issuermocks is a generated GoMock package.
 package issuermocks
diff --git a/internal/mocks/mockupstreamoidcidentityprovider/generate.go b/internal/mocks/mockupstreamoidcidentityprovider/generate.go
index d1ba84a0..e94a5338 100644
--- a/internal/mocks/mockupstreamoidcidentityprovider/generate.go
+++ b/internal/mocks/mockupstreamoidcidentityprovider/generate.go
@@ -3,4 +3,4 @@
 
 package mockupstreamoidcidentityprovider
 
-//go:generate go run -v github.com/golang/mock/mockgen  -destination=mockupstreamoidcidentityprovider.go -package=mockupstreamoidcidentityprovider -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/oidc/provider/upstreamprovider UpstreamOIDCIdentityProviderI
+//go:generate go run -v github.com/golang/mock/mockgen  -destination=mockupstreamoidcidentityprovider.go -package=mockupstreamoidcidentityprovider -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/federationdomain/upstreamprovider UpstreamOIDCIdentityProviderI
diff --git a/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go b/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go
index cc66519f..cad36a26 100644
--- a/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go
+++ b/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go
@@ -3,7 +3,7 @@
 //
 
 // Code generated by MockGen. DO NOT EDIT.
-// Source: go.pinniped.dev/internal/oidc/provider/upstreamprovider (interfaces: UpstreamOIDCIdentityProviderI)
+// Source: go.pinniped.dev/internal/federationdomain/upstreamprovider (interfaces: UpstreamOIDCIdentityProviderI)
 
 // Package mockupstreamoidcidentityprovider is a generated GoMock package.
 package mockupstreamoidcidentityprovider
@@ -14,7 +14,7 @@ import (
 	reflect "reflect"
 
 	gomock "github.com/golang/mock/gomock"
-	upstreamprovider "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	upstreamprovider "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	nonce "go.pinniped.dev/pkg/oidcclient/nonce"
 	oidctypes "go.pinniped.dev/pkg/oidcclient/oidctypes"
 	pkce "go.pinniped.dev/pkg/oidcclient/pkce"
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 5d67c2c3..5018038f 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -58,12 +58,13 @@ import (
 	"go.pinniped.dev/internal/deploymentref"
 	"go.pinniped.dev/internal/downward"
 	"go.pinniped.dev/internal/dynamiccert"
+	"go.pinniped.dev/internal/federationdomain/dynamictlscertprovider"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+	"go.pinniped.dev/internal/federationdomain/endpointsmanager"
 	"go.pinniped.dev/internal/groupsuffix"
 	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/leaderelection"
-	"go.pinniped.dev/internal/oidc/jwks"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/manager"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/pversion"
 	"go.pinniped.dev/internal/secret"
@@ -129,10 +130,10 @@ func signalCtx() context.Context {
 //nolint:funlen
 func prepareControllers(
 	cfg *supervisor.Config,
-	issuerManager *manager.Manager,
+	issuerManager *endpointsmanager.Manager,
 	dynamicJWKSProvider jwks.DynamicJWKSProvider,
-	dynamicTLSCertProvider provider.DynamicTLSCertProvider,
-	dynamicUpstreamIDPProvider provider.DynamicUpstreamIDPProvider,
+	dynamicTLSCertProvider dynamictlscertprovider.DynamicTLSCertProvider,
+	dynamicUpstreamIDPProvider dynamicupstreamprovider.DynamicUpstreamIDPProvider,
 	dynamicServingCertProvider dynamiccert.Private,
 	secretCache *secret.Cache,
 	supervisorDeployment *appsv1.Deployment,
@@ -436,12 +437,12 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 	dynamicServingCertProvider := dynamiccert.NewServingCert("supervisor-serving-cert")
 
 	dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
-	dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
-	dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
+	dynamicTLSCertProvider := dynamictlscertprovider.NewDynamicTLSCertProvider()
+	dynamicUpstreamIDPProvider := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 	secretCache := secret.Cache{}
 
 	// OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
-	oidProvidersManager := manager.NewManager(
+	oidProvidersManager := endpointsmanager.NewManager(
 		healthMux,
 		dynamicJWKSProvider,
 		dynamicUpstreamIDPProvider,
diff --git a/internal/testutil/oidcclient_test.go b/internal/testutil/oidcclient_test.go
index cd892313..c47a129a 100644
--- a/internal/testutil/oidcclient_test.go
+++ b/internal/testutil/oidcclient_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testutil
@@ -6,10 +6,10 @@ package testutil
 import (
 	"testing"
 
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
-
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
+
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 )
 
 func TestBcryptConstants(t *testing.T) {
diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go
index e879ffcf..46aab19a 100644
--- a/internal/testutil/oidctestutil/oidctestutil.go
+++ b/internal/testutil/oidctestutil/oidctestutil.go
@@ -30,19 +30,19 @@ import (
 
 	"go.pinniped.dev/internal/authenticators"
 	"go.pinniped.dev/internal/crud"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/resolvedprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
 	"go.pinniped.dev/internal/fositestorage/openidconnect"
-	pkce2 "go.pinniped.dev/internal/fositestorage/pkce"
+	"go.pinniped.dev/internal/fositestorage/pkce"
 	"go.pinniped.dev/internal/fositestoragei"
 	"go.pinniped.dev/internal/idtransform"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/resolvedprovider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
 	"go.pinniped.dev/pkg/oidcclient/oidctypes"
-	"go.pinniped.dev/pkg/oidcclient/pkce"
+	oidcpkce "go.pinniped.dev/pkg/oidcclient/pkce"
 )
 
 // Test helpers for the OIDC package.
@@ -52,7 +52,7 @@ import (
 type ExchangeAuthcodeAndValidateTokenArgs struct {
 	Ctx                  context.Context
 	Authcode             string
-	PKCECodeVerifier     pkce.Code
+	PKCECodeVerifier     oidcpkce.Code
 	ExpectedIDTokenNonce nonce.Nonce
 	RedirectURI          string
 }
@@ -267,7 +267,7 @@ type TestUpstreamOIDCIdentityProvider struct {
 	ExchangeAuthcodeAndValidateTokensFunc func(
 		ctx context.Context,
 		authcode string,
-		pkceCodeVerifier pkce.Code,
+		pkceCodeVerifier oidcpkce.Code,
 		expectedIDTokenNonce nonce.Nonce,
 	) (*oidctypes.Token, error)
 
@@ -358,7 +358,7 @@ func (u *TestUpstreamOIDCIdentityProvider) PasswordCredentialsGrantAndValidateTo
 func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(
 	ctx context.Context,
 	authcode string,
-	pkceCodeVerifier pkce.Code,
+	pkceCodeVerifier oidcpkce.Code,
 	expectedIDTokenNonce nonce.Nonce,
 	redirectURI string,
 ) (*oidctypes.Token, error) {
@@ -595,8 +595,8 @@ func (b *UpstreamIDPListerBuilder) BuildFederationDomainIdentityProvidersListerF
 	}
 }
 
-func (b *UpstreamIDPListerBuilder) BuildDynamicUpstreamIDPProvider() provider.DynamicUpstreamIDPProvider {
-	idpProvider := provider.NewDynamicUpstreamIDPProvider()
+func (b *UpstreamIDPListerBuilder) BuildDynamicUpstreamIDPProvider() dynamicupstreamprovider.DynamicUpstreamIDPProvider {
+	idpProvider := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 
 	oidcUpstreams := make([]upstreamprovider.UpstreamOIDCIdentityProviderI, len(b.upstreamOIDCIdentityProviders))
 	for i := range b.upstreamOIDCIdentityProviders {
@@ -1038,7 +1038,7 @@ func (u *TestUpstreamOIDCIdentityProviderBuilder) Build() *TestUpstreamOIDCIdent
 		AdditionalClaimMappings:        u.additionalClaimMappings,
 		DisplayNameForFederationDomain: u.displayNameForFederationDomain,
 		TransformsForFederationDomain:  u.transformsForFederationDomain,
-		ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
+		ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier oidcpkce.Code, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
 			if u.authcodeExchangeErr != nil {
 				return nil, u.authcodeExchangeErr
 			}
@@ -1223,7 +1223,7 @@ func RequireAuthCodeRegexpMatch(
 	)
 
 	// One PKCE should have been stored.
-	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secretsClient, labels.Set{crud.SecretLabelKey: pkce2.TypeLabelValue}, 1)
+	testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secretsClient, labels.Set{crud.SecretLabelKey: pkce.TypeLabelValue}, 1)
 
 	validatePKCEStorage(
 		t,
diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go
index 7dd0dcc6..b178adf2 100644
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@@ -27,8 +27,8 @@ import (
 	"go.pinniped.dev/internal/authenticators"
 	"go.pinniped.dev/internal/crypto/ptls"
 	"go.pinniped.dev/internal/endpointaddr"
-	"go.pinniped.dev/internal/oidc/downstreamsession"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/downstreamsession"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go
index 02476b25..d07c2c9e 100644
--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@@ -25,8 +25,8 @@ import (
 	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/crypto/ptls"
 	"go.pinniped.dev/internal/endpointaddr"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/mocks/mockldapconn"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/tlsassertions"
 	"go.pinniped.dev/internal/testutil/tlsserver"
diff --git a/internal/upstreamoidc/upstreamoidc.go b/internal/upstreamoidc/upstreamoidc.go
index dc61b11f..8cd569a1 100644
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@@ -21,9 +21,9 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/httputil/httperr"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
 	"go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -221,7 +221,7 @@ func (p *ProviderConfig) tryRevokeToken(
 	if err != nil {
 		// Couldn't connect to the server or some similar error.
 		// Could be a temporary network problem, so it might be worth retrying.
-		return false, provider.NewRetryableRevocationError(err)
+		return false, dynamicupstreamprovider.NewRetryableRevocationError(err)
 	}
 	defer resp.Body.Close()
 
@@ -271,7 +271,7 @@ func (p *ProviderConfig) tryRevokeToken(
 		// be caused by an underlying problem which could potentially become resolved in the near future. We'll be
 		// optimistic and call all 5xx errors retryable.
 		plog.Trace("RevokeToken() got unexpected error response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth, "statusCode", status)
-		return false, provider.NewRetryableRevocationError(fmt.Errorf("server responded with status %d", status))
+		return false, dynamicupstreamprovider.NewRetryableRevocationError(fmt.Errorf("server responded with status %d", status))
 	default:
 		// Any other error is probably not due to failed client auth, and is probably not worth retrying later.
 		plog.Trace("RevokeToken() got unexpected error response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth, "statusCode", status)
diff --git a/internal/upstreamoidc/upstreamoidc_test.go b/internal/upstreamoidc/upstreamoidc_test.go
index e477f1ba..cc4f06a2 100644
--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -23,9 +23,9 @@ import (
 	"gopkg.in/square/go-jose.v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/mocks/mockkeyset"
-	"go.pinniped.dev/internal/oidc/provider"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
 	"go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -715,8 +715,8 @@ func TestProviderConfig(t *testing.T) {
 					testutil.RequireErrorStringFromErr(t, err, tt.wantErr)
 
 					if tt.wantRetryableErrType {
-						require.ErrorAs(t, err, &provider.RetryableRevocationError{})
-					} else if errors.As(err, &provider.RetryableRevocationError{}) {
+						require.ErrorAs(t, err, &dynamicupstreamprovider.RetryableRevocationError{})
+					} else if errors.As(err, &dynamicupstreamprovider.RetryableRevocationError{}) {
 						// There is no NotErrorAs() assertion available in the current version of testify, so do the equivalent.
 						require.Fail(t, "error should not be As RetryableRevocationError")
 					}
diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index 341d1ffd..fac2b99c 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -30,10 +30,10 @@ import (
 	"k8s.io/utils/strings/slices"
 
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/httputil/securityheader"
 	"go.pinniped.dev/internal/net/phttp"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/upstreamoidc"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
diff --git a/pkg/oidcclient/login_test.go b/pkg/oidcclient/login_test.go
index 871d6014..b041dbfc 100644
--- a/pkg/oidcclient/login_test.go
+++ b/pkg/oidcclient/login_test.go
@@ -28,11 +28,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog/v2"
 
+	"go.pinniped.dev/internal/federationdomain/upstreamprovider"
 	"go.pinniped.dev/internal/httputil/httperr"
 	"go.pinniped.dev/internal/httputil/roundtripper"
 	"go.pinniped.dev/internal/mocks/mockupstreamoidcidentityprovider"
 	"go.pinniped.dev/internal/net/phttp"
-	"go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/internal/testutil/testlogger"
diff --git a/proposals/1113_ldap-ad-web-ui/README.md b/proposals/1113_ldap-ad-web-ui/README.md
index 1a204c45..090a3c54 100644
--- a/proposals/1113_ldap-ad-web-ui/README.md
+++ b/proposals/1113_ldap-ad-web-ui/README.md
@@ -160,7 +160,7 @@ Once dynamic clients are implemented:
 #### New Dependencies
 This should be kept to a very simple HTML page with minimal, clean CSS styling.
 Javascript should be avoided.
-The styling should match the [form post html page](https://github.com/vmware-tanzu/pinniped/tree/main/internal/oidc/provider/formposthtml)
+The styling should match the [form post html page](https://github.com/vmware-tanzu/pinniped/tree/main/internal/federationdomain/formposthtml)
 as much as possible, we should reuse some of the existing css and add to it to keep the style consistent.
 
 #### Observability Considerations
diff --git a/site/content/docs/reference/code-walkthrough.md b/site/content/docs/reference/code-walkthrough.md
index 11c84cd7..bd18b6f9 100644
--- a/site/content/docs/reference/code-walkthrough.md
+++ b/site/content/docs/reference/code-walkthrough.md
@@ -192,28 +192,28 @@ The Supervisor's endpoints are:
 Each FederationDomain's endpoints are mounted under the path of the FederationDomain's `spec.issuer`,
 if the `spec.issuer` URL has a path component specified. If the issuer has no path, then they are mounted under `/`.
 These per-FederationDomain endpoint are all mounted by the code in
-[internal/oidc/provider/manager/manager.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/provider/manager/manager.go).
+[internal/federationdomain/endpointsmanager/manager.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpointsmanager/manager.go).
 
 The per-FederationDomain endpoints are:
 
 - `<issuer_path>/.well-known/openid-configuration` is the standard OIDC discovery endpoint, which can be used to discover all the other endpoints listed here.
-  See [internal/oidc/discovery/discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/discovery/discovery_handler.go).
+  See [internal/federationdomain/endpoints/discovery/discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/discovery/discovery_handler.go).
 - `<issuer_path>/jwks.json` is the standard OIDC JWKS discovery endpoint.
-  See [internal/oidc/jwks/jwks_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/jwks/jwks_handler.go).
+  See [internal/federationdomain/endpoints/jwks/jwks_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/jwks/jwks_handler.go).
 - `<issuer_path>/oauth2/authorize` is the standard OIDC authorize endpoint.
-  See [internal/oidc/auth/auth_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/auth/auth_handler.go).
+  See [internal/federationdomain/endpoints/auth/auth_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/auth/auth_handler.go).
 - `<issuer_path>/oauth2/token` is the standard OIDC token endpoint.
-  See [internal/oidc/token/token_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token/token_handler.go).
+  See [internal/federationdomain/endpoints/token/token_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/token/token_handler.go).
   The token endpoint can handle the standard OIDC `authorization_code` and `refresh_token` grant types, and has also been
-  extended in [internal/oidc/token_exchange.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token_exchange.go)
+  extended in [internal/federationdomain/endpoints/tokenexchange/token_exchange.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/tokenexchange/token_exchange.go)
   to handle an additional grant type for [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693) token exchanges to
   reduce the applicable scope (technically, the `aud` claim) of ID tokens.
 - `<issuer_path>/callback` is a special endpoint that is used as the redirect URL when performing an OIDC authcode flow against an upstream OIDC identity provider as configured by an OIDCIdentityProvider custom resource.
-  See [internal/oidc/callback/callback_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/callback/callback_handler.go).
+  See [internal/federationdomain/endpoints/callback/callback_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/callback/callback_handler.go).
 - `<issuer_path>/v1alpha1/pinniped_identity_providers` is a custom discovery endpoint for clients to learn about available upstream identity providers.
-  See [internal/oidc/idpdiscovery/idp_discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/idpdiscovery/idp_discovery_handler.go).
+  See [internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go).
 - `<issuer_path>/login` is a login UI page to support the optional browser-based login flow for LDAP and Active Directory identity providers.
-  See [internal/oidc/login/login_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/login/login_handler.go).
+  See [internal/federationdomain/endpoints/login/login_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/login/login_handler.go).
 
 The OIDC specifications implemented by the Supervisor can be found at [openid.net](https://openid.net/connect).
 
diff --git a/test/integration/formposthtml_test.go b/test/integration/formposthtml_test.go
index 1a3b4529..9056e065 100644
--- a/test/integration/formposthtml_test.go
+++ b/test/integration/formposthtml_test.go
@@ -19,8 +19,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"go.pinniped.dev/internal/federationdomain/formposthtml"
 	"go.pinniped.dev/internal/httputil/securityheader"
-	"go.pinniped.dev/internal/oidc/provider/formposthtml"
 	"go.pinniped.dev/test/testlib"
 	"go.pinniped.dev/test/testlib/browsertest"
 )
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index ae58aead..d424014c 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -31,8 +31,9 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/pkg/oidcclient/nonce"
@@ -2240,7 +2241,7 @@ func testSupervisorLogin(
 		// First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
 		supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 		supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
-		oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+		oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 		storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
 		require.NoError(t, err)
 
@@ -2302,7 +2303,7 @@ func testSupervisorLogin(
 		// First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
 		supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 		supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
-		oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+		oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 		storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
 		require.NoError(t, err)
 
diff --git a/test/integration/supervisor_storage_test.go b/test/integration/supervisor_storage_test.go
index e5832262..d56cc6be 100644
--- a/test/integration/supervisor_storage_test.go
+++ b/test/integration/supervisor_storage_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -17,8 +17,8 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"go.pinniped.dev/internal/federationdomain/clientregistry"
 	"go.pinniped.dev/internal/fositestorage/authorizationcode"
-	"go.pinniped.dev/internal/oidc/clientregistry"
 	"go.pinniped.dev/internal/testutil"
 	"go.pinniped.dev/test/testlib"
 )
diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go
index f84b5358..5c93e687 100644
--- a/test/integration/supervisor_warnings_test.go
+++ b/test/integration/supervisor_warnings_test.go
@@ -28,8 +28,9 @@ import (
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	"go.pinniped.dev/internal/certauthority"
-	"go.pinniped.dev/internal/oidc"
-	"go.pinniped.dev/internal/oidc/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+	"go.pinniped.dev/internal/federationdomain/storage"
 	"go.pinniped.dev/internal/psession"
 	"go.pinniped.dev/pkg/oidcclient"
 	"go.pinniped.dev/pkg/oidcclient/filesession"
@@ -186,7 +187,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 		// out of kube secret storage.
 		supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 		supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
-		oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+		oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 		refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1]
 		storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil)
 		require.NoError(t, err)
@@ -494,7 +495,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 		// out of kube secret storage.
 		supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 		supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
-		oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+		oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 		refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1]
 		storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil)
 		require.NoError(t, err)