From 86c791b8a68016d7eebd9fb2126d5bfc6219ee42 Mon Sep 17 00:00:00 2001 
From: Ryan Richard
Date: Thu, 22 Jun 2023 15:12:33 -0700
Subject: [PATCH] reorganize federation domain packages to be more intuitive
Co-authored-by: Benjamin A. Petersen
---
 .../active_directory_upstream_watcher.go | 2 +-
 .../active_directory_upstream_watcher_test.go | 6 +-
 .../federation_domain_watcher.go | 2 +-
 .../federation_domain_watcher_test.go | 2 +-
 .../ldap_upstream_watcher.go | 2 +-
 .../ldap_upstream_watcher_test.go | 6 +-
 .../oidcclientwatcher/oidc_client_watcher.go | 2 +-
 .../oidc_upstream_watcher.go | 4 +-
 .../oidc_upstream_watcher_test.go | 8 +-
 .../upstreamwatchers/upstream_watchers.go | 2 +-
 .../supervisorstorage/garbage_collector.go | 6 +-
 .../garbage_collector_test.go | 10 +-
 .../clientregistry/clientregistry.go | 4 +-
 .../clientregistry/clientregistry_test.go | 4 +-
 .../provider => federationdomain}/csp/csp.go | 2 +-
 .../csp/csp_test.go | 2 +-
 .../csrftoken/csrftoken.go | 2 +-
 .../csrftoken/csrftoken_test.go | 2 +-
 .../downstreamsession/downstream_session.go | 4 +-
 .../downstream_session_test.go | 0
 .../dynamiccodec/codec.go | 4 +-
 .../dynamiccodec/codec_test.go | 2 +-
 .../dynamic_tls_cert_provider.go | 4 +-
 .../dynamic_upstream_idp_provider.go | 4 +-
 .../endpoints}/auth/auth_handler.go | 16 ++--
 .../endpoints}/auth/auth_handler_test.go | 19 ++--
 .../endpoints}/callback/callback_handler.go | 8 +-
 .../callback/callback_handler_test.go | 9 +-
 .../endpoints}/discovery/discovery_handler.go | 2 +-
 .../discovery/discovery_handler_test.go | 2 +-
 .../idpdiscovery/idp_discovery_handler.go | 2 +-
 .../idp_discovery_handler_test.go | 2 +-
 .../endpoints}/jwks/dynamic_jwks_provider.go | 2 +-
 .../endpoints}/jwks/jwks_handler.go | 2 +-
 .../endpoints}/jwks/jwks_handler_test.go | 2 +-
 .../endpoints}/login/get_login_handler.go | 6 +-
 .../login/get_login_handler_test.go | 6 +-
 .../endpoints}/login/login_handler.go | 8 +-
 .../endpoints}/login/login_handler_test.go | 4 +-
 .../endpoints}/login/loginhtml/login_form.css | 2 +-
 .../login/loginhtml/login_form.gohtml | 2 +-
 .../endpoints}/login/loginhtml/loginhtml.go | 4 +-
 .../login/loginhtml/loginhtml_test.go | 6 +-
 .../endpoints}/login/post_login_handler.go | 6 +-
 .../login/post_login_handler_test.go | 9 +-
 .../endpoints}/token/token_handler.go | 10 +-
 .../endpoints}/token/token_handler_test.go | 47 +++++-----
 .../tokenexchange}/token_exchange.go | 28 +++---
 .../endpointsmanager}/manager.go | 35 +++----
 .../endpointsmanager}/manager_test.go | 10 +-
 ...domain_identity_providers_lister_finder.go | 4 +-
 .../federation_domain_issuer.go | 0
 .../federation_domain_issuer_test.go | 0
 .../formposthtml/form_post.css | 2 +-
 .../formposthtml/form_post.gohtml | 2 +-
 .../formposthtml/form_post.js | 2 +-
 .../formposthtml/formposthtml.go | 4 +-
 .../formposthtml/formposthtml_test.go | 2 +-
 .../idplister/upstream_idp_lister.go | 2 +-
 internal/{ => federationdomain}/oidc/oidc.go | 92 +++----------------
 .../oidcclientvalidator.go | 0
 .../resolvedprovider/resolved_provider.go | 5 +-
 .../storage}/dynamic_global_secret_config.go | 4 +-
 .../storage}/kube_storage.go | 9 +-
 .../storage/null_storage.go} | 6 +-
 .../strategy}/dynamic_oauth2_hmac_strategy.go | 40 ++++----
 .../dynamic_oauth2_hmac_strategy_test.go | 12 +--
 .../dynamic_open_id_connect_ecdsa_strategy.go | 20 ++--
 ...mic_open_id_connect_ecdsa_strategy_test.go | 8 +-
 .../timeouts/timeouts_configuration.go | 74 +++++++++++++++
 .../upstreamprovider/upsteam_provider.go | 0
 .../fositestorage/accesstoken/accesstoken.go | 2 +-
 .../accesstoken/accesstoken_test.go | 2 +-
 .../authorizationcode/authorizationcode.go | 2 +-
 .../authorizationcode_test.go | 2 +-
 internal/fositestorage/fositestorage.go | 4 +-
 .../openidconnect/openidconnect.go | 2 +-
 .../openidconnect/openidconnect_test.go | 2 +-
 internal/fositestorage/pkce/pkce.go | 2 +-
 internal/fositestorage/pkce/pkce_test.go | 2 +-
 .../refreshtoken/refreshtoken.go | 2 +-
 .../refreshtoken/refreshtoken_test.go | 2 +-
 internal/mocks/issuermocks/generate.go | 4 +-
 internal/mocks/issuermocks/issuermocks.go | 2 +-
 .../generate.go | 2 +-
 .../mockupstreamoidcidentityprovider.go | 4 +-
 internal/supervisor/server/server.go | 19 ++--
 internal/testutil/oidcclient_test.go | 6 +-
 .../testutil/oidctestutil/oidctestutil.go | 24 ++---
 internal/upstreamldap/upstreamldap.go | 4 +-
 internal/upstreamldap/upstreamldap_test.go | 2 +-
 internal/upstreamoidc/upstreamoidc.go | 8 +-
 internal/upstreamoidc/upstreamoidc_test.go | 8 +-
 pkg/oidcclient/login.go | 2 +-
 pkg/oidcclient/login_test.go | 2 +-
 proposals/1113_ldap-ad-web-ui/README.md | 2 +-
 .../docs/reference/code-walkthrough.md | 18 ++--
 test/integration/formposthtml_test.go | 2 +-
 test/integration/supervisor_login_test.go | 9 +-
 test/integration/supervisor_storage_test.go | 4 +-
 test/integration/supervisor_warnings_test.go | 9 +-
 101 files changed, 401 insertions(+), 377 deletions(-)
 rename internal/{oidc => federationdomain}/clientregistry/clientregistry.go (98%)
 rename internal/{oidc => federationdomain}/clientregistry/clientregistry_test.go (99%)
 rename internal/{oidc/provider => federationdomain}/csp/csp.go (81%)
 rename internal/{oidc/provider => federationdomain}/csp/csp_test.go (81%)
 rename internal/{oidc => federationdomain}/csrftoken/csrftoken.go (87%)
 rename internal/{oidc => federationdomain}/csrftoken/csrftoken_test.go (84%)
 rename internal/{oidc => federationdomain}/downstreamsession/downstream_session.go (99%)
 rename internal/{oidc => federationdomain}/downstreamsession/downstream_session_test.go (100%)
 rename internal/{oidc => federationdomain}/dynamiccodec/codec.go (93%)
 rename internal/{oidc => federationdomain}/dynamiccodec/codec_test.go (98%)
 rename internal/{oidc/provider => federationdomain/dynamictlscertprovider}/dynamic_tls_cert_provider.go (93%)
 rename internal/{oidc/provider => federationdomain/dynamicupstreamprovider}/dynamic_upstream_idp_provider.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/auth/auth_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/auth/auth_handler_test.go
(99%)
 rename internal/{oidc => federationdomain/endpoints}/callback/callback_handler.go (95%)
 rename internal/{oidc => federationdomain/endpoints}/callback/callback_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/discovery/discovery_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/discovery/discovery_handler_test.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/idpdiscovery/idp_discovery_handler.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/idpdiscovery/idp_discovery_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/dynamic_jwks_provider.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/jwks_handler.go (92%)
 rename internal/{oidc => federationdomain/endpoints}/jwks/jwks_handler_test.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/login/get_login_handler.go (84%)
 rename internal/{oidc => federationdomain/endpoints}/login/get_login_handler_test.go (95%)
 rename internal/{oidc => federationdomain/endpoints}/login/login_handler.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/login/login_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/login_form.css (96%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/login_form.gohtml (99%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/loginhtml.go (94%)
 rename internal/{oidc => federationdomain/endpoints}/login/loginhtml/loginhtml_test.go (97%)
 rename internal/{oidc => federationdomain/endpoints}/login/post_login_handler.go (96%)
 rename internal/{oidc => federationdomain/endpoints}/login/post_login_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints}/token/token_handler.go (98%)
 rename internal/{oidc => federationdomain/endpoints}/token/token_handler_test.go (99%)
 rename internal/{oidc => federationdomain/endpoints/tokenexchange}/token_exchange.go (91%)
 rename
internal/{oidc/provider/manager => federationdomain/endpointsmanager}/manager.go (86%)
 rename internal/{oidc/provider/manager => federationdomain/endpointsmanager}/manager_test.go (98%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_identity_providers_lister_finder.go (98%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_issuer.go (100%)
 rename internal/{oidc/provider => federationdomain}/federationdomainproviders/federation_domain_issuer_test.go (100%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.css (97%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.gohtml (94%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/form_post.js (98%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/formposthtml.go (94%)
 rename internal/{oidc/provider => federationdomain}/formposthtml/formposthtml_test.go (99%)
 rename internal/{oidc => federationdomain}/idplister/upstream_idp_lister.go (92%)
 rename internal/{ => federationdomain}/oidc/oidc.go (70%)
 rename internal/{oidc => federationdomain}/oidcclientvalidator/oidcclientvalidator.go (100%)
 rename internal/{oidc/provider => federationdomain}/resolvedprovider/resolved_provider.go (87%)
 rename internal/{oidc => federationdomain/storage}/dynamic_global_secret_config.go (96%)
 rename internal/{oidc => federationdomain/storage}/kube_storage.go (97%)
 rename internal/{oidc/nullstorage.go => federationdomain/storage/null_storage.go} (96%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_oauth2_hmac_strategy.go (81%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_oauth2_hmac_strategy_test.go (97%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_open_id_connect_ecdsa_strategy.go (79%)
 rename internal/{oidc => federationdomain/strategy}/dynamic_open_id_connect_ecdsa_strategy_test.go (95%)
 create mode 100644
internal/federationdomain/timeouts/timeouts_configuration.go
 rename internal/{oidc/provider => federationdomain}/upstreamprovider/upsteam_provider.go (100%)
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index b1f214968..139592f0f 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -26,7 +26,7 @@ import (
 "go.pinniped.dev/internal/controller/conditionsutil"
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 "go.pinniped.dev/internal/controllerlib"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
index c223441d7..f88287a01 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -29,9 +29,9 @@ import (
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 "go.pinniped.dev/internal/controllerlib"
 "go.pinniped.dev/internal/endpointaddr"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/mocks/mockldapconn"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/upstreamldap"
 )
@@ -2010,7 +2010,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
- cache := provider.NewDynamicUpstreamIDPProvider()
+ cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 cache.SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
 upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
 })
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go
index 0d68339e9..3923b498c 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@@ -25,8 +25,8 @@ import (
 "go.pinniped.dev/internal/celtransformer"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 "go.pinniped.dev/internal/idtransform"
- "go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 "go.pinniped.dev/internal/plog"
 )
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher_test.go b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
index 67b893942..0e75cdd34 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher_test.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher_test.go
@@ -27,8 +27,8 @@ import (
 pinnipedfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 "go.pinniped.dev/internal/here"
- "go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
 "go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
index fcf3a7e35..fe129588f 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
@@ -20,7 +20,7 @@ import (
 "go.pinniped.dev/internal/controller/conditionsutil"
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 "go.pinniped.dev/internal/controllerlib"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
index 46b0b1a8a..4da286737 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -28,9 +28,9 @@ import (
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 "go.pinniped.dev/internal/controllerlib"
 "go.pinniped.dev/internal/endpointaddr"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/mocks/mockldapconn"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/upstreamldap"
 )
@@ -1139,7 +1139,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
- cache := provider.NewDynamicUpstreamIDPProvider()
+ cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 cache.SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI{
 upstreamldap.New(upstreamldap.ProviderConfig{Name: "initial-entry"}),
 })
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index fbd54d41d..3209a7f27 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -21,7 +21,7 @@ import (
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controller/conditionsutil"
 "go.pinniped.dev/internal/controllerlib"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 "go.pinniped.dev/internal/oidcclientsecretstorage"
 "go.pinniped.dev/internal/plog"
 )
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
index f56e4fc92..0f91d0d68 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -34,8 +34,8 @@ import (
 "go.pinniped.dev/internal/controller/conditionsutil"
 "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatchers"
 "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/net/phttp"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/upstreamoidc"
 )
@@ -94,7 +94,7 @@ type UpstreamOIDCIdentityProviderICache interface {
 SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI)
 }
-// lruValidatorCache caches the *oidc.Provider associated with a particular issuer/TLS configuration.
+// lruValidatorCache caches the *coreosoidc.Provider associated with a particular issuer/TLS configuration.
 type lruValidatorCache struct{ cache *cache.Expiring }
 type lruValidatorCacheEntry struct {
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
index c8e392aef..c6a63698c 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
@@ -28,8 +28,8 @@ import (
 pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 "go.pinniped.dev/internal/certauthority"
 "go.pinniped.dev/internal/controllerlib"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
@@ -81,7 +81,7 @@ func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
 pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
 fakeKubeClient := fake.NewSimpleClientset()
 kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
- cache := provider.NewDynamicUpstreamIDPProvider()
+ cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
 &upstreamoidc.ProviderConfig{Name: "initial-entry"},
 })
@@ -1416,7 +1416,7 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
 fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
 kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
 testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
- cache := provider.NewDynamicUpstreamIDPProvider()
+ cache := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 cache.SetOIDCIdentityProviders([]upstreamprovider.UpstreamOIDCIdentityProviderI{
 &upstreamoidc.ProviderConfig{Name: "initial-entry"},
 })
diff --git a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
index 114a66b5b..0417463fa 100644
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -16,7 +16,7 @@ import (
 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 "go.pinniped.dev/internal/constable"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/upstreamldap"
 )
diff --git a/internal/controller/supervisorstorage/garbage_collector.go b/internal/controller/supervisorstorage/garbage_collector.go
index 0006f6875..4a736463b 100644
--- a/internal/controller/supervisorstorage/garbage_collector.go
+++ b/internal/controller/supervisorstorage/garbage_collector.go
@@ -21,13 +21,13 @@ import (
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controllerlib"
 "go.pinniped.dev/internal/crud"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/fositestorage/accesstoken"
 "go.pinniped.dev/internal/fositestorage/authorizationcode"
 "go.pinniped.dev/internal/fositestorage/openidconnect"
 "go.pinniped.dev/internal/fositestorage/pkce"
 "go.pinniped.dev/internal/fositestorage/refreshtoken"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/psession"
 )
@@ -144,7 +144,7 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
 // cleaning them out of etcd storage.
 fourHoursAgo := frozenClock.Now().Add(-4 * time.Hour)
 nowIsLessThanFourHoursBeyondSecretGCTime := garbageCollectAfterTime.After(fourHoursAgo)
- if errors.As(revokeErr, &provider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
+ if errors.As(revokeErr, &dynamicupstreamprovider.RetryableRevocationError{}) && nowIsLessThanFourHoursBeyondSecretGCTime {
 // Hasn't been very long since secret expired, so skip deletion to try revocation again later.
 plog.Trace("garbage collector keeping Secret to retry upstream OIDC token revocation later", logKV(secret)...)
 continue
diff --git a/internal/controller/supervisorstorage/garbage_collector_test.go b/internal/controller/supervisorstorage/garbage_collector_test.go
index 1e23b1436..79e1c8c0d 100644
--- a/internal/controller/supervisorstorage/garbage_collector_test.go
+++ b/internal/controller/supervisorstorage/garbage_collector_test.go
@@ -25,12 +25,12 @@ import (
 clocktesting "k8s.io/utils/clock/testing"
 "go.pinniped.dev/internal/controllerlib"
+ "go.pinniped.dev/internal/federationdomain/clientregistry"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/fositestorage/accesstoken"
 "go.pinniped.dev/internal/fositestorage/authorizationcode"
 "go.pinniped.dev/internal/fositestorage/refreshtoken"
- "go.pinniped.dev/internal/oidc/clientregistry"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
@@ -138,7 +138,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 // Defer starting the informers until the last possible moment so that the
 // nested Before's can keep adding things to the informer caches.
- var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) {
+ var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) {
 // Set this at the last second to allow for injection of server override.
 subject = GarbageCollectorController(
 idpCache,
@@ -774,7 +774,7 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
 WithName("upstream-oidc-provider-name").
 WithResourceUID("upstream-oidc-provider-uid").
 // make the upstream revocation fail in a retryable way
- WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
+ WithRevokeTokenError(dynamicupstreamprovider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
 idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
 startInformersAndController(idpListerBuilder.BuildDynamicUpstreamIDPProvider())
diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/federationdomain/clientregistry/clientregistry.go
similarity index 98%
rename from internal/oidc/clientregistry/clientregistry.go
rename to internal/federationdomain/clientregistry/clientregistry.go
index e1d87abb6..7dfa7d9f2 100644
--- a/internal/oidc/clientregistry/clientregistry.go
+++ b/internal/federationdomain/clientregistry/clientregistry.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package clientregistry defines Pinniped's OAuth2/OIDC clients.
@@ -18,7 +18,7 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 "go.pinniped.dev/internal/oidcclientsecretstorage"
 "go.pinniped.dev/internal/plog"
 )
diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/federationdomain/clientregistry/clientregistry_test.go
similarity index 99%
rename from internal/oidc/clientregistry/clientregistry_test.go
rename to internal/federationdomain/clientregistry/clientregistry_test.go
index 036514211..4c33dfccc 100644
--- a/internal/oidc/clientregistry/clientregistry_test.go
+++ b/internal/federationdomain/clientregistry/clientregistry_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package clientregistry
@@ -21,7 +21,7 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 "go.pinniped.dev/internal/oidcclientsecretstorage"
 "go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/oidc/provider/csp/csp.go b/internal/federationdomain/csp/csp.go
similarity index 81%
rename from internal/oidc/provider/csp/csp.go
rename to internal/federationdomain/csp/csp.go
index d3f97e504..8487ca0dd 100644
--- a/internal/oidc/provider/csp/csp.go
+++ b/internal/federationdomain/csp/csp.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package csp defines helpers related to HTML Content Security Policies.
diff --git a/internal/oidc/provider/csp/csp_test.go b/internal/federationdomain/csp/csp_test.go
similarity index 81%
rename from internal/oidc/provider/csp/csp_test.go
rename to internal/federationdomain/csp/csp_test.go
index 746d58220..5fa506977 100644
--- a/internal/oidc/provider/csp/csp_test.go
+++ b/internal/federationdomain/csp/csp_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package csp
diff --git a/internal/oidc/csrftoken/csrftoken.go b/internal/federationdomain/csrftoken/csrftoken.go
similarity index 87%
rename from internal/oidc/csrftoken/csrftoken.go
rename to internal/federationdomain/csrftoken/csrftoken.go
index bc7b713cd..c1d79fe81 100644
--- a/internal/oidc/csrftoken/csrftoken.go
+++ b/internal/federationdomain/csrftoken/csrftoken.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package csrftoken
diff --git a/internal/oidc/csrftoken/csrftoken_test.go b/internal/federationdomain/csrftoken/csrftoken_test.go
similarity index 84%
rename from internal/oidc/csrftoken/csrftoken_test.go
rename to internal/federationdomain/csrftoken/csrftoken_test.go
index 610307314..3c8f6e1ee 100644
--- a/internal/oidc/csrftoken/csrftoken_test.go
+++ b/internal/federationdomain/csrftoken/csrftoken_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package csrftoken
diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/federationdomain/downstreamsession/downstream_session.go
similarity index 99%
rename from internal/oidc/downstreamsession/downstream_session.go
rename to internal/federationdomain/downstreamsession/downstream_session.go
index f40bdff84..6a5f70fe8 100644
--- a/internal/oidc/downstreamsession/downstream_session.go
+++ b/internal/federationdomain/downstreamsession/downstream_session.go
@@ -20,9 +20,9 @@ import (
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 "go.pinniped.dev/internal/authenticators"
 "go.pinniped.dev/internal/constable"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/idtransform"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
diff --git a/internal/oidc/downstreamsession/downstream_session_test.go b/internal/federationdomain/downstreamsession/downstream_session_test.go
similarity index 100%
rename from internal/oidc/downstreamsession/downstream_session_test.go
rename to internal/federationdomain/downstreamsession/downstream_session_test.go
diff --git a/internal/oidc/dynamiccodec/codec.go b/internal/federationdomain/dynamiccodec/codec.go
similarity index 93%
rename from internal/oidc/dynamiccodec/codec.go
rename to internal/federationdomain/dynamiccodec/codec.go
index 5168b2b77..36e9a8e92 100644
--- a/internal/oidc/dynamiccodec/codec.go
+++ b/internal/federationdomain/dynamiccodec/codec.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package dynamiccodec provides a type that can encode information using a just-in-time signing and
@@ -10,7 +10,7 @@ import (
 
 "github.com/gorilla/securecookie"
 
- "go.pinniped.dev/internal/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 var _ oidc.Codec = &Codec{}
diff --git a/internal/oidc/dynamiccodec/codec_test.go b/internal/federationdomain/dynamiccodec/codec_test.go
similarity index 98%
rename from internal/oidc/dynamiccodec/codec_test.go
rename to internal/federationdomain/dynamiccodec/codec_test.go
index bcff2d038..d6c85357a 100644
--- a/internal/oidc/dynamiccodec/codec_test.go
+++ b/internal/federationdomain/dynamiccodec/codec_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package dynamiccodec
diff --git a/internal/oidc/provider/dynamic_tls_cert_provider.go b/internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
similarity index 93%
rename from internal/oidc/provider/dynamic_tls_cert_provider.go
rename to internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
index 7c48ad9c8..a27f2ef4a 100644
--- a/internal/oidc/provider/dynamic_tls_cert_provider.go
+++ b/internal/federationdomain/dynamictlscertprovider/dynamic_tls_cert_provider.go
@@ -1,7 +1,7 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package provider
+package dynamictlscertprovider
 
 import (
 "crypto/tls"
diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
similarity index 97%
rename from internal/oidc/provider/dynamic_upstream_idp_provider.go
rename to internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
index e9a4333af..bb92e6105 100644
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/federationdomain/dynamicupstreamprovider/dynamic_upstream_idp_provider.go
@@ -1,13 +1,13 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package provider
+package dynamicupstreamprovider
 
 import (
 "fmt"
 "sync"
 
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 )
 
 type DynamicUpstreamIDPProvider interface {
diff --git a/internal/oidc/auth/auth_handler.go b/internal/federationdomain/endpoints/auth/auth_handler.go
similarity index 98%
rename from internal/oidc/auth/auth_handler.go
rename to internal/federationdomain/endpoints/auth/auth_handler.go
index 3ea3e7ca2..e091a4658 100644
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler.go
@@ -16,17 +16,17 @@ import (
 "golang.org/x/oauth2"
 
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+ "go.pinniped.dev/internal/federationdomain/csrftoken"
+ "go.pinniped.dev/internal/federationdomain/downstreamsession"
+ "go.pinniped.dev/internal/federationdomain/endpoints/login"
+ "go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+ "go.pinniped.dev/internal/federationdomain/formposthtml"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/resolvedprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/securityheader"
 "go.pinniped.dev/internal/idtransform"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/csrftoken"
- "go.pinniped.dev/internal/oidc/downstreamsession"
- "go.pinniped.dev/internal/oidc/login"
- "go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
- "go.pinniped.dev/internal/oidc/provider/formposthtml"
- "go.pinniped.dev/internal/oidc/provider/resolvedprovider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/pkg/oidcclient/nonce"
diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/federationdomain/endpoints/auth/auth_handler_test.go
similarity index 99%
rename from internal/oidc/auth/auth_handler_test.go
rename to internal/federationdomain/endpoints/auth/auth_handler_test.go
index 5a6a1087a..cb4750875 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler_test.go
@@ -30,11 +30,12 @@ import (
 supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 "go.pinniped.dev/internal/authenticators"
+ "go.pinniped.dev/internal/federationdomain/csrftoken"
+ "go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/storage"
 "go.pinniped.dev/internal/here"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/csrftoken"
- "go.pinniped.dev/internal/oidc/jwks"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
@@ -232,18 +233,18 @@ func TestAuthorizationEndpoint(t *testing.T) {
 jwksProviderIsUnused := jwks.NewDynamicJWKSProvider()
 timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
 
- createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.KubeStorage) {
+ createOauthHelperWithRealStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *storage.KubeStorage) {
 // Configure fosite the same way that the production code would when using Kube storage.
 // Inject this into our test subject at the last second so we get a fresh storage for every test.
 // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
- kubeOauthStore := oidc.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
+ kubeOauthStore := storage.NewKubeStorage(secretsClient, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
 return oidc.FositeOauth2Helper(kubeOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), kubeOauthStore
 }
 
- createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *oidc.NullStorage) {
+ createOauthHelperWithNullStorage := func(secretsClient v1.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface) (fosite.OAuth2Provider, *storage.NullStorage) {
 // Configure fosite the same way that the production code would, using NullStorage to turn off storage.
 // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
- nullOauthStore := oidc.NewNullStorage(secretsClient, oidcClientsClient, bcrypt.MinCost)
+ nullOauthStore := storage.NewNullStorage(secretsClient, oidcClientsClient, bcrypt.MinCost)
 return oidc.FositeOauth2Helper(nullOauthStore, downstreamIssuer, hmacSecretFunc, jwksProviderIsUnused, timeoutsConfiguration), nullOauthStore
 }
 
@@ -3175,7 +3176,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
 },
 }
 
- runOneTestCase := func(t *testing.T, test testCase, subject http.Handler, kubeOauthStore *oidc.KubeStorage, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset, secretsClient v1.SecretInterface) {
+ runOneTestCase := func(t *testing.T, test testCase, subject http.Handler, kubeOauthStore *storage.KubeStorage, supervisorClient *supervisorfake.Clientset, kubeClient *fake.Clientset, secretsClient v1.SecretInterface) {
 if test.kubeResources != nil {
 test.kubeResources(t, supervisorClient, kubeClient)
 }
diff --git a/internal/oidc/callback/callback_handler.go b/internal/federationdomain/endpoints/callback/callback_handler.go
similarity index 95%
rename from internal/oidc/callback/callback_handler.go
rename to internal/federationdomain/endpoints/callback/callback_handler.go
index 5613108ce..8ddb4b2ad 100644
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler.go
@@ -10,12 +10,12 @@ import (
 
 "github.com/ory/fosite"
 
+ "go.pinniped.dev/internal/federationdomain/downstreamsession"
+ "go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+ "go.pinniped.dev/internal/federationdomain/formposthtml"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/securityheader"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/downstreamsession"
- "go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
- "go.pinniped.dev/internal/oidc/provider/formposthtml"
 "go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/oidc/callback/callback_handler_test.go b/internal/federationdomain/endpoints/callback/callback_handler_test.go
similarity index 99%
rename from internal/oidc/callback/callback_handler_test.go
rename to internal/federationdomain/endpoints/callback/callback_handler_test.go
index 5670ef3f0..15ec387bb 100644
--- a/internal/oidc/callback/callback_handler_test.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler_test.go
@@ -21,9 +21,10 @@ import (
 
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/jwks"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/storage"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
@@ -1451,7 +1452,7 @@ func TestCallbackEndpoint(t *testing.T) {
 // Inject this into our test subject at the last second so we get a fresh storage for every test.
 timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
 // Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
- oauthStore := oidc.NewKubeStorage(secrets, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
+ oauthStore := storage.NewKubeStorage(secrets, oidcClientsClient, timeoutsConfiguration, bcrypt.MinCost)
 hmacSecretFunc := func() []byte { return []byte("some secret - must have at least 32 bytes") }
 require.GreaterOrEqual(t, len(hmacSecretFunc()), 32, "fosite requires that hmac secrets have at least 32 bytes")
 jwksProviderIsUnused := jwks.NewDynamicJWKSProvider()
diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/federationdomain/endpoints/discovery/discovery_handler.go
similarity index 98%
rename from internal/oidc/discovery/discovery_handler.go
rename to internal/federationdomain/endpoints/discovery/discovery_handler.go
index 60609c3d3..b7389a84b 100644
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/federationdomain/endpoints/discovery/discovery_handler.go
@@ -11,7 +11,7 @@ import (
 
 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
- "go.pinniped.dev/internal/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 // Metadata holds all fields (that we care about) from the OpenID Provider Metadata section in the
diff --git a/internal/oidc/discovery/discovery_handler_test.go b/internal/federationdomain/endpoints/discovery/discovery_handler_test.go
similarity index 98%
rename from internal/oidc/discovery/discovery_handler_test.go
rename to internal/federationdomain/endpoints/discovery/discovery_handler_test.go
index 6896b564e..cd205974e 100644
--- a/internal/oidc/discovery/discovery_handler_test.go
+++ b/internal/federationdomain/endpoints/discovery/discovery_handler_test.go
@@ -10,8 +10,8 @@ import (
 
 "github.com/stretchr/testify/require"
 
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/here"
- "go.pinniped.dev/internal/oidc"
 )
 
 func TestDiscovery(t *testing.T) {
diff --git a/internal/oidc/idpdiscovery/idp_discovery_handler.go b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
similarity index 97%
rename from internal/oidc/idpdiscovery/idp_discovery_handler.go
rename to internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
index d9034828f..5efb9a577 100644
--- a/internal/oidc/idpdiscovery/idp_discovery_handler.go
+++ b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go
@@ -11,7 +11,7 @@ import (
 "sort"
 
 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
- "go.pinniped.dev/internal/oidc/provider/federationdomainproviders"
+ "go.pinniped.dev/internal/federationdomain/federationdomainproviders"
 )
 
 // NewHandler returns an http.Handler that serves the upstream IDP discovery endpoint.
diff --git a/internal/oidc/idpdiscovery/idp_discovery_handler_test.go b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
similarity index 99%
rename from internal/oidc/idpdiscovery/idp_discovery_handler_test.go
rename to internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
index 9a7fedf24..5257c2543 100644
--- a/internal/oidc/idpdiscovery/idp_discovery_handler_test.go
+++ b/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler_test.go
@@ -10,8 +10,8 @@ import (
 
 "github.com/stretchr/testify/require"
 
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/here"
- "go.pinniped.dev/internal/oidc"
 "go.pinniped.dev/internal/testutil/oidctestutil"
 )
 
diff --git a/internal/oidc/jwks/dynamic_jwks_provider.go b/internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
similarity index 94%
rename from internal/oidc/jwks/dynamic_jwks_provider.go
rename to internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
index fa156e3c8..cb8f8e41b 100644
--- a/internal/oidc/jwks/dynamic_jwks_provider.go
+++ b/internal/federationdomain/endpoints/jwks/dynamic_jwks_provider.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package jwks
diff --git a/internal/oidc/jwks/jwks_handler.go b/internal/federationdomain/endpoints/jwks/jwks_handler.go
similarity index 92%
rename from internal/oidc/jwks/jwks_handler.go
rename to internal/federationdomain/endpoints/jwks/jwks_handler.go
index 2c975e958..1d9eb7dfd 100644
--- a/internal/oidc/jwks/jwks_handler.go
+++ b/internal/federationdomain/endpoints/jwks/jwks_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package discovery provides a handler for the OIDC discovery endpoint.
diff --git a/internal/oidc/jwks/jwks_handler_test.go b/internal/federationdomain/endpoints/jwks/jwks_handler_test.go
similarity index 97%
rename from internal/oidc/jwks/jwks_handler_test.go
rename to internal/federationdomain/endpoints/jwks/jwks_handler_test.go
index 37f53e8c9..69d624ce5 100644
--- a/internal/oidc/jwks/jwks_handler_test.go
+++ b/internal/federationdomain/endpoints/jwks/jwks_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package jwks
diff --git a/internal/oidc/login/get_login_handler.go b/internal/federationdomain/endpoints/login/get_login_handler.go
similarity index 84%
rename from internal/oidc/login/get_login_handler.go
rename to internal/federationdomain/endpoints/login/get_login_handler.go
index d6da85a6c..567e6a9e3 100644
--- a/internal/oidc/login/get_login_handler.go
+++ b/internal/federationdomain/endpoints/login/get_login_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -6,8 +6,8 @@ package login
 import (
 "net/http"
 
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/login/loginhtml"
+ "go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 )
 
 const (
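Review bot: The package comment that survives as context in the jwks_handler.go hunk, `// Package discovery provides a handler for the OIDC discovery endpoint.`, names the wrong package: this file is in `package jwks`, as the package clauses in the neighbouring dynamic_jwks_provider.go and jwks_handler_test.go hunks show. Since the commit already rewrites this file's header line, it is the natural place to correct it, for example `// Package jwks provides a handler for the OIDC JWKS endpoint.`, assuming the handler serves the JWKS document as the file name suggests.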
diff --git a/internal/oidc/login/get_login_handler_test.go b/internal/federationdomain/endpoints/login/get_login_handler_test.go
similarity index 95%
rename from internal/oidc/login/get_login_handler_test.go
rename to internal/federationdomain/endpoints/login/get_login_handler_test.go
index 30567309c..74405d497 100644
--- a/internal/oidc/login/get_login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/get_login_handler_test.go
@@ -10,9 +10,9 @@ import (
 
 "github.com/stretchr/testify/require"
 
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/idplister"
- "go.pinniped.dev/internal/oidc/login/loginhtml"
+ "go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+ "go.pinniped.dev/internal/federationdomain/idplister"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/testutil"
 )
 
diff --git a/internal/oidc/login/login_handler.go b/internal/federationdomain/endpoints/login/login_handler.go
similarity index 94%
rename from internal/oidc/login/login_handler.go
rename to internal/federationdomain/endpoints/login/login_handler.go
index 1b358f2b4..f7892c70e 100644
--- a/internal/oidc/login/login_handler.go
+++ b/internal/federationdomain/endpoints/login/login_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -8,11 +8,11 @@ import (
 "net/url"
 
 idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+ "go.pinniped.dev/internal/federationdomain/endpoints/login/loginhtml"
+ "go.pinniped.dev/internal/federationdomain/formposthtml"
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/securityheader"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/login/loginhtml"
- "go.pinniped.dev/internal/oidc/provider/formposthtml"
 "go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/oidc/login/login_handler_test.go b/internal/federationdomain/endpoints/login/login_handler_test.go
similarity index 99%
rename from internal/oidc/login/login_handler_test.go
rename to internal/federationdomain/endpoints/login/login_handler_test.go
index 113809507..854484b35 100644
--- a/internal/oidc/login/login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/login_handler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package login
@@ -13,8 +13,8 @@ import (
 "github.com/gorilla/securecookie"
 "github.com/stretchr/testify/require"
 
+ "go.pinniped.dev/internal/federationdomain/oidc"
 "go.pinniped.dev/internal/httputil/httperr"
- "go.pinniped.dev/internal/oidc"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
 )
diff --git a/internal/oidc/login/loginhtml/login_form.css b/internal/federationdomain/endpoints/login/loginhtml/login_form.css
similarity index 96%
rename from internal/oidc/login/loginhtml/login_form.css
rename to internal/federationdomain/endpoints/login/loginhtml/login_form.css
index 5eba47e01..19680cc4a 100644
--- a/internal/oidc/login/loginhtml/login_form.css
+++ b/internal/federationdomain/endpoints/login/loginhtml/login_form.css
@@ -1,4 +1,4 @@
-/* Copyright 2022 the Pinniped contributors. All Rights Reserved. */
+/* Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. */
 /* SPDX-License-Identifier: Apache-2.0 */
 
 html {
diff --git a/internal/oidc/login/loginhtml/login_form.gohtml b/internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
similarity index 99%
rename from internal/oidc/login/loginhtml/login_form.gohtml
rename to internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
index c1ab8ba36..7ae90e8cf 100644
--- a/internal/oidc/login/loginhtml/login_form.gohtml
+++ b/internal/federationdomain/endpoints/login/loginhtml/login_form.gohtml
@@ -1,5 +1,5 @@
diff --git a/internal/oidc/provider/formposthtml/form_post.js b/internal/federationdomain/formposthtml/form_post.js
similarity index 98%
rename from internal/oidc/provider/formposthtml/form_post.js
rename to internal/federationdomain/formposthtml/form_post.js
index cb73c8cd4..dcf862755 100644
--- a/internal/oidc/provider/formposthtml/form_post.js
+++ b/internal/federationdomain/formposthtml/form_post.js
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 window.onload = () => {
diff --git a/internal/oidc/provider/formposthtml/formposthtml.go b/internal/federationdomain/formposthtml/formposthtml.go
similarity index 94%
rename from internal/oidc/provider/formposthtml/formposthtml.go
rename to internal/federationdomain/formposthtml/formposthtml.go
index 4fd709c1a..cdf2b85b6 100644
--- a/internal/oidc/provider/formposthtml/formposthtml.go
+++ b/internal/federationdomain/formposthtml/formposthtml.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package formposthtml defines HTML templates used by the Supervisor.
@@ -11,7 +11,7 @@ import (
 
 "github.com/tdewolff/minify/v2/minify"
 
- "go.pinniped.dev/internal/oidc/provider/csp"
+ "go.pinniped.dev/internal/federationdomain/csp"
 )
 
 //nolint:gochecknoglobals // This package uses globals to ensure that all parsing and minifying happens at init.
diff --git a/internal/oidc/provider/formposthtml/formposthtml_test.go b/internal/federationdomain/formposthtml/formposthtml_test.go
similarity index 99%
rename from internal/oidc/provider/formposthtml/formposthtml_test.go
rename to internal/federationdomain/formposthtml/formposthtml_test.go
index e7d82b75c..3ab3a49a7 100644
--- a/internal/oidc/provider/formposthtml/formposthtml_test.go
+++ b/internal/federationdomain/formposthtml/formposthtml_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package formposthtml
diff --git a/internal/oidc/idplister/upstream_idp_lister.go b/internal/federationdomain/idplister/upstream_idp_lister.go
similarity index 92%
rename from internal/oidc/idplister/upstream_idp_lister.go
rename to internal/federationdomain/idplister/upstream_idp_lister.go
index 3ea4ea649..38b5e27eb 100644
--- a/internal/oidc/idplister/upstream_idp_lister.go
+++ b/internal/federationdomain/idplister/upstream_idp_lister.go
@@ -4,7 +4,7 @@
 package idplister
 
 import (
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 )
 
 type UpstreamOIDCIdentityProvidersLister interface {
diff --git a/internal/oidc/oidc.go b/internal/federationdomain/oidc/oidc.go
similarity index 70%
rename from internal/oidc/oidc.go
rename to internal/federationdomain/oidc/oidc.go
index 1367f35b3..a314ac68d 100644
--- a/internal/oidc/oidc.go
+++ b/internal/federationdomain/oidc/oidc.go
@@ -1,7 +1,8 @@
 // Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// Package oidc contains common OIDC functionality needed by Pinniped.
+// Package oidc contains common OIDC functionality needed by FederationDomains to implement
+// downstream OIDC functionality.
 package oidc
 
 import (
@@ -18,10 +19,13 @@ import (
 errorsx "github.com/pkg/errors"
 
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+ "go.pinniped.dev/internal/federationdomain/csrftoken"
+ "go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+ "go.pinniped.dev/internal/federationdomain/endpoints/tokenexchange"
+ "go.pinniped.dev/internal/federationdomain/formposthtml"
+ "go.pinniped.dev/internal/federationdomain/strategy"
+ "go.pinniped.dev/internal/federationdomain/timeouts"
 "go.pinniped.dev/internal/httputil/httperr"
- "go.pinniped.dev/internal/oidc/csrftoken"
- "go.pinniped.dev/internal/oidc/jwks"
- "go.pinniped.dev/internal/oidc/provider/formposthtml"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/pkg/oidcclient/nonce"
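Review bot: The import hunk makes the shared `oidc` package depend on two endpoint packages, `endpoints/jwks` and `endpoints/tokenexchange`, while endpoint packages such as `endpoints/auth` and `endpoints/callback` import `oidc` (see their hunks above). The commit presumably builds, so there is no cycle today, but `oidc` now sits both above and below the `endpoints` layer, and any future import of `oidc` from either of those two packages will fail with an import cycle; a short comment above the import block stating that `endpoints/jwks` and `endpoints/tokenexchange` must stay free of `oidc` would make the intended direction explicit. Separately, the new package comment says "OIDC functionality" twice; `// Package oidc contains the common functionality that FederationDomains use to implement downstream OIDC.` reads more cleanly.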
@@ -99,81 +103,13 @@ type UpstreamStateParamData struct {
 FormatVersion string `json:"v"`
 }
 
-type TimeoutsConfiguration struct {
- // The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
- // valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
- // time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
- // the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
- // with password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
- // the browser is sitting at the upstream IDP's login page.
- UpstreamStateParamLifespan time.Duration
-
- // How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
- // has to come back to exchange the authcode for tokens at the token endpoint.
- AuthorizeCodeLifespan time.Duration
-
- // The lifetime of an downstream access token issued by the token endpoint. Access tokens should generally
- // be fairly short-lived.
- AccessTokenLifespan time.Duration
-
- // The lifetime of an downstream ID token issued by the token endpoint. This should generally be the same
- // as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
- // for longer than their proof of authorization.
- IDTokenLifespan time.Duration
-
- // The lifetime of an downstream refresh token issued by the token endpoint. This should generally be
- // significantly longer than the access token lifetime, so it can be used to refresh the access token
- // multiple times. Once the refresh token expires, the user's session is over and they will need
- // to start a new authorization request, which will require them to log in again with the upstream IDP
- // in their web browser.
- RefreshTokenLifespan time.Duration
-
- // AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
- // collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
- // authcode as already used, so it can reject any future uses of the same authcode with special case handling which
- // include revoking the access and refresh tokens associated with the session. Therefore, this should be
- // significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
- // the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan.
- AuthorizationCodeSessionStorageLifetime time.Duration
-
- // PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
- // storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
- // redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
- // but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
- // avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
- // while it is being used.
- PKCESessionStorageLifetime time.Duration
-
- // OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
- // is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
- // deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
- // Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
- // as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
- OIDCSessionStorageLifetime time.Duration
-
- // AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
- // to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid
- // or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
- AccessTokenSessionStorageLifetime time.Duration
-
- // RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
- // to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
- // Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
- // as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
- // If an expired token is still stored when the user tries to refresh it, then they will get a more specific
- // error message telling them that the token is expired, rather than a more generic error that is returned
- // when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
- // to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
- RefreshTokenSessionStorageLifetime time.Duration
-}
-
 // Get the defaults for the Supervisor server.
-func DefaultOIDCTimeoutsConfiguration() TimeoutsConfiguration {
+func DefaultOIDCTimeoutsConfiguration() timeouts.Configuration {
 accessTokenLifespan := 2 * time.Minute
 authorizationCodeLifespan := 10 * time.Minute
 refreshTokenLifespan := 9 * time.Hour
 
- return TimeoutsConfiguration{
+ return timeouts.Configuration{
 UpstreamStateParamLifespan: 90 * time.Minute,
 AuthorizeCodeLifespan: authorizationCodeLifespan,
 AccessTokenLifespan: accessTokenLifespan,
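Review bot: The surviving doc comment `// Get the defaults for the Supervisor server.` on `DefaultOIDCTimeoutsConfiguration` does not start with the function name, so godoc and the usual linters will not treat it as the function's documentation, and with the return type changing to `timeouts.Configuration` this is the moment to reword it. The removed field comments spelled out ordering constraints between the values this function sets (for example AccessTokenSessionStorageLifetime must be longer than RefreshTokenLifespan, and each session storage lifetime should be slightly longer than the matching token lifespan); those constraints presumably now live only on the struct in the timeouts package, while the concrete numbers stay here, so a pointer from the function to them is worth having. Suggest `// DefaultOIDCTimeoutsConfiguration returns the Supervisor's default timeouts.Configuration; the values must respect the ordering constraints documented on that type's fields.` The function body continues past the end of the hunk.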
@@ -192,7 +128,7 @@ func FositeOauth2Helper( issuer string, hmacSecretOfLengthAtLeast32Func func() []byte, jwksProvider jwks.DynamicJWKSProvider, - timeoutsConfiguration TimeoutsConfiguration, + timeoutsConfiguration timeouts.Configuration, ) fosite.OAuth2Provider { isRedirectURISecureStrict := func(_ context.Context, uri *url.URL) bool { return fosite.IsRedirectURISecureStrict(uri) @@ -234,15 +170,15 @@ func FositeOauth2Helper( oauthStore, &compose.CommonStrategy{ // Note that Fosite requires the HMAC secret to be at least 32 bytes. - CoreStrategy: newDynamicOauth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32Func), - OpenIDConnectTokenStrategy: newDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider), + CoreStrategy: strategy.NewDynamicOauth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32Func), + OpenIDConnectTokenStrategy: strategy.NewDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider), }, compose.OAuth2AuthorizeExplicitFactory, compose.OAuth2RefreshTokenGrantFactory, compose.OpenIDConnectExplicitFactory, compose.OpenIDConnectRefreshFactory, compose.OAuth2PKCEFactory, - TokenExchangeFactory, // handle the "urn:ietf:params:oauth:grant-type:token-exchange" grant type + tokenexchange.HandlerFactory, // handle the "urn:ietf:params:oauth:grant-type:token-exchange" grant type ) return oAuth2Provider diff --git a/internal/oidc/oidcclientvalidator/oidcclientvalidator.go b/internal/federationdomain/oidcclientvalidator/oidcclientvalidator.go similarity index 100% rename from internal/oidc/oidcclientvalidator/oidcclientvalidator.go rename to internal/federationdomain/oidcclientvalidator/oidcclientvalidator.go diff --git a/internal/oidc/provider/resolvedprovider/resolved_provider.go b/internal/federationdomain/resolvedprovider/resolved_provider.go similarity index 87% rename from internal/oidc/provider/resolvedprovider/resolved_provider.go rename to internal/federationdomain/resolvedprovider/resolved_provider.go index f37f0a161..e2b43a869 100644 
--- a/internal/oidc/provider/resolvedprovider/resolved_provider.go +++ b/internal/federationdomain/resolvedprovider/resolved_provider.go @@ -1,8 +1,11 @@ +// Copyright 2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + package resolvedprovider import ( + "go.pinniped.dev/internal/federationdomain/upstreamprovider" "go.pinniped.dev/internal/idtransform" - "go.pinniped.dev/internal/oidc/provider/upstreamprovider" "go.pinniped.dev/internal/psession" ) diff --git a/internal/oidc/dynamic_global_secret_config.go b/internal/federationdomain/storage/dynamic_global_secret_config.go similarity index 96% rename from internal/oidc/dynamic_global_secret_config.go rename to internal/federationdomain/storage/dynamic_global_secret_config.go index b9001eeaa..50f997c4c 100644 --- a/internal/oidc/dynamic_global_secret_config.go +++ b/internal/federationdomain/storage/dynamic_global_secret_config.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package storage import ( "context" diff --git a/internal/oidc/kube_storage.go b/internal/federationdomain/storage/kube_storage.go similarity index 97% rename from internal/oidc/kube_storage.go rename to internal/federationdomain/storage/kube_storage.go index a197335e9..e10ed60e3 100644 --- a/internal/oidc/kube_storage.go +++ b/internal/federationdomain/storage/kube_storage.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package storage import ( "context" 
@@ -14,13 +14,14 @@ import ( corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" + "go.pinniped.dev/internal/federationdomain/clientregistry" + "go.pinniped.dev/internal/federationdomain/timeouts" "go.pinniped.dev/internal/fositestorage/accesstoken" "go.pinniped.dev/internal/fositestorage/authorizationcode" "go.pinniped.dev/internal/fositestorage/openidconnect" "go.pinniped.dev/internal/fositestorage/pkce" "go.pinniped.dev/internal/fositestorage/refreshtoken" "go.pinniped.dev/internal/fositestoragei" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/oidcclientsecretstorage" ) @@ -38,7 +39,7 @@ var _ fositestoragei.AllFositeStorage = &KubeStorage{} func NewKubeStorage( secrets corev1client.SecretInterface, oidcClientsClient v1alpha1.OIDCClientInterface, - timeoutsConfiguration TimeoutsConfiguration, + timeoutsConfiguration timeouts.Configuration, minBcryptCost int, ) *KubeStorage { nowFunc := time.Now diff --git a/internal/oidc/nullstorage.go b/internal/federationdomain/storage/null_storage.go similarity index 96% rename from internal/oidc/nullstorage.go rename to internal/federationdomain/storage/null_storage.go index 61476f811..ae5b0ecc8 100644 --- a/internal/oidc/nullstorage.go +++ b/internal/federationdomain/storage/null_storage.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package storage import ( "context" @@ -11,8 +11,8 @@ import ( "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" "go.pinniped.dev/internal/constable" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestoragei" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/oidcclientsecretstorage" ) 
diff --git a/internal/oidc/dynamic_oauth2_hmac_strategy.go b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go similarity index 81% rename from internal/oidc/dynamic_oauth2_hmac_strategy.go rename to internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go index d5456b673..200dd41c9 100644 --- a/internal/oidc/dynamic_oauth2_hmac_strategy.go +++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package strategy import ( "context" @@ -11,6 +11,8 @@ import ( "github.com/ory/fosite/compose" "github.com/ory/fosite/handler/oauth2" errorsx "github.com/pkg/errors" + + "go.pinniped.dev/internal/federationdomain/storage" ) const ( @@ -24,7 +26,7 @@ const ( oryAuthcodePrefix = "ory_ac_" ) -// dynamicOauth2HMACStrategy is an oauth2.CoreStrategy that can dynamically load an HMAC key to sign +// DynamicOauth2HMACStrategy is an oauth2.CoreStrategy that can dynamically load an HMAC key to sign // stuff (access tokens, refresh tokens, and auth codes). We want this dynamic capability since our // controllers for loading FederationDomain's and signing keys run in parallel, and thus the signing key // might not be ready when an FederationDomain is otherwise ready. 
@@ -37,18 +39,18 @@ const ( // out of context, such as when accidentally committed to a GitHub repo. After we implemented the // custom prefix feature, fosite later added the same feature, but did not make the prefix customizable. // Therefore, this code has been updated to replace the fosite prefix with our custom prefix. -type dynamicOauth2HMACStrategy struct { +type DynamicOauth2HMACStrategy struct { fositeConfig *fosite.Config keyFunc func() []byte } -var _ oauth2.CoreStrategy = &dynamicOauth2HMACStrategy{} +var _ oauth2.CoreStrategy = &DynamicOauth2HMACStrategy{} -func newDynamicOauth2HMACStrategy( +func NewDynamicOauth2HMACStrategy( fositeConfig *fosite.Config, keyFunc func() []byte, -) *dynamicOauth2HMACStrategy { - return &dynamicOauth2HMACStrategy{ +) *DynamicOauth2HMACStrategy { + return &DynamicOauth2HMACStrategy{ fositeConfig: fositeConfig, keyFunc: keyFunc, } @@ -58,11 +60,11 @@ func replacePrefix(s, prefixToReplace, newPrefix string) string { return newPrefix + strings.TrimPrefix(s, prefixToReplace) } -func (s *dynamicOauth2HMACStrategy) AccessTokenSignature(ctx context.Context, token string) string { +func (s *DynamicOauth2HMACStrategy) AccessTokenSignature(ctx context.Context, token string) string { return s.delegate().AccessTokenSignature(ctx, token) } -func (s *dynamicOauth2HMACStrategy) GenerateAccessToken( +func (s *DynamicOauth2HMACStrategy) GenerateAccessToken( ctx context.Context, requester fosite.Requester, ) (string, string, error) { @@ -78,7 +80,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateAccessToken( return token, sig, err } -func (s *dynamicOauth2HMACStrategy) ValidateAccessToken( +func (s *DynamicOauth2HMACStrategy) ValidateAccessToken( ctx context.Context, requester fosite.Requester, token string, 
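Review bot: `NewDynamicOauth2HMACStrategy` becomes exported here but carries no doc comment, and the one contract a caller in another package must know — the key length — is only visible indirectly, in the caller's parameter name `hmacSecretOfLengthAtLeast32Func` (FositeOauth2Helper) and in the test's "secret key is below required 32 characters" case. I would add above the constructor: `// NewDynamicOauth2HMACStrategy returns an oauth2.CoreStrategy whose HMAC key is read from keyFunc on each use, so a rotated key takes effect without rebuilding the strategy. keyFunc must return at least 32 bytes; shorter keys make token and authcode generation fail.` The same applies to the now-exported `NewDynamicOpenIDConnectECDSAStrategy` in the dynamic_open_id_connect_ecdsa_strategy.go hunk, where the constructor's jwksProvider dependency is likewise undocumented.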
@@ -90,11 +92,11 @@ func (s *dynamicOauth2HMACStrategy) ValidateAccessToken( return s.delegate().ValidateAccessToken(ctx, requester, replacePrefix(token, pinAccessTokenPrefix, oryAccessTokenPrefix)) } -func (s *dynamicOauth2HMACStrategy) RefreshTokenSignature(ctx context.Context, token string) string { +func (s *DynamicOauth2HMACStrategy) RefreshTokenSignature(ctx context.Context, token string) string { return s.delegate().RefreshTokenSignature(ctx, token) } -func (s *dynamicOauth2HMACStrategy) GenerateRefreshToken( +func (s *DynamicOauth2HMACStrategy) GenerateRefreshToken( ctx context.Context, requester fosite.Requester, ) (string, string, error) { @@ -110,7 +112,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateRefreshToken( return token, sig, err } -func (s *dynamicOauth2HMACStrategy) ValidateRefreshToken( +func (s *DynamicOauth2HMACStrategy) ValidateRefreshToken( ctx context.Context, requester fosite.Requester, token string, @@ -122,11 +124,11 @@ func (s *dynamicOauth2HMACStrategy) ValidateRefreshToken( return s.delegate().ValidateRefreshToken(ctx, requester, replacePrefix(token, pinRefreshTokenPrefix, oryRefreshTokenPrefix)) } -func (s *dynamicOauth2HMACStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string { +func (s *DynamicOauth2HMACStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string { return s.delegate().AuthorizeCodeSignature(ctx, token) } -func (s *dynamicOauth2HMACStrategy) GenerateAuthorizeCode( +func (s *DynamicOauth2HMACStrategy) GenerateAuthorizeCode( ctx context.Context, requester fosite.Requester, ) (string, string, error) { @@ -142,7 +144,7 @@ func (s *dynamicOauth2HMACStrategy) GenerateAuthorizeCode( return authcode, sig, err } -func (s *dynamicOauth2HMACStrategy) ValidateAuthorizeCode( +func (s *DynamicOauth2HMACStrategy) ValidateAuthorizeCode( ctx context.Context, requester fosite.Requester, token string, 
@@ -154,6 +156,6 @@ func (s *dynamicOauth2HMACStrategy) ValidateAuthorizeCode( return s.delegate().ValidateAuthorizeCode(ctx, requester, replacePrefix(token, pinAuthcodePrefix, oryAuthcodePrefix)) } -func (s *dynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy { - return compose.NewOAuth2HMACStrategy(NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc)) +func (s *DynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy { + return compose.NewOAuth2HMACStrategy(storage.NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc)) } diff --git a/internal/oidc/dynamic_oauth2_hmac_strategy_test.go b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go similarity index 97% rename from internal/oidc/dynamic_oauth2_hmac_strategy_test.go rename to internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go index c2028a79d..02bf861c3 100644 --- a/internal/oidc/dynamic_oauth2_hmac_strategy_test.go +++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy_test.go @@ -1,7 +1,7 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package strategy import ( "context" @@ -15,7 +15,7 @@ import ( ) func TestDynamicOauth2HMACStrategy_Signatures(t *testing.T) { - s := newDynamicOauth2HMACStrategy( + s := NewDynamicOauth2HMACStrategy( &fosite.Config{}, // defaults are good enough for this unit test func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key ) 
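Review bot: `delegate()` now reaches into the `storage` package for `NewDynamicGlobalSecretConfig`, so the token-signing `strategy` package depends on the package that also holds the Kubernetes-backed `KubeStorage`; as far as this diff shows, the only consumer of `dynamic_global_secret_config.go` after its move is this strategy. It may be cleaner to keep that small fosite-config shim next to the strategies (or in its own leaf package) so that signing code does not pull storage dependencies, and so the dependency direction stays storage-does-not-know-strategy / strategy-does-not-know-storage. A short comment on `delegate()` would also help the next reader: `// A fresh HMACSHAStrategy is built on every call so that the current keyFunc value is used; do not cache the result.`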
@@ -57,12 +57,12 @@ func TestDynamicOauth2HMACStrategy_Signatures(t *testing.T) { } func TestDynamicOauth2HMACStrategy_Generate(t *testing.T) { - s := newDynamicOauth2HMACStrategy( + s := NewDynamicOauth2HMACStrategy( &fosite.Config{}, // defaults are good enough for this unit test func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key ) - generateTokenErrorCausingStrategy := newDynamicOauth2HMACStrategy( + generateTokenErrorCausingStrategy := NewDynamicOauth2HMACStrategy( &fosite.Config{}, func() []byte { return []byte("too_short_causes_error") }, // secret key is below required 32 characters ) @@ -134,7 +134,7 @@ func TestDynamicOauth2HMACStrategy_Generate(t *testing.T) { } func TestDynamicOauth2HMACStrategy_Validate(t *testing.T) { - s := newDynamicOauth2HMACStrategy( + s := NewDynamicOauth2HMACStrategy( &fosite.Config{}, // defaults are good enough for this unit test func() []byte { return []byte("12345678901234567890123456789012") }, // 32 character secret key ) diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go similarity index 79% rename from internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go rename to internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go index 807828823..463a450c4 100644 --- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go +++ b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package strategy import ( "context" 
@@ -14,11 +14,11 @@ import ( "github.com/ory/fosite/handler/openid" "go.pinniped.dev/internal/constable" - "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/federationdomain/endpoints/jwks" "go.pinniped.dev/internal/plog" ) -// dynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically +// DynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically // load a signing key to issue ID tokens. We want this dynamic capability since our controllers for // loading FederationDomain's and signing keys run in parallel, and thus the signing key might not be // ready when an FederationDomain is otherwise ready. @@ -26,24 +26,24 @@ import ( // If we ever update FederationDomain's to hold their signing key, we might not need this type, since we // could have an invariant that routes to an FederationDomain's endpoints are only wired up if an // FederationDomain has a valid signing key. -type dynamicOpenIDConnectECDSAStrategy struct { +type DynamicOpenIDConnectECDSAStrategy struct { fositeConfig *fosite.Config jwksProvider jwks.DynamicJWKSProvider } -var _ openid.OpenIDConnectTokenStrategy = &dynamicOpenIDConnectECDSAStrategy{} +var _ openid.OpenIDConnectTokenStrategy = &DynamicOpenIDConnectECDSAStrategy{} -func newDynamicOpenIDConnectECDSAStrategy( +func NewDynamicOpenIDConnectECDSAStrategy( fositeConfig *fosite.Config, jwksProvider jwks.DynamicJWKSProvider, -) *dynamicOpenIDConnectECDSAStrategy { - return &dynamicOpenIDConnectECDSAStrategy{ +) *DynamicOpenIDConnectECDSAStrategy { + return &DynamicOpenIDConnectECDSAStrategy{ fositeConfig: fositeConfig, jwksProvider: jwksProvider, } } -func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken( +func (s *DynamicOpenIDConnectECDSAStrategy) GenerateIDToken( ctx context.Context, lifespan time.Duration, requester fosite.Requester, 
diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go similarity index 95% rename from internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go rename to internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go index 3573f9872..94bf676a7 100644 --- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go +++ b/internal/federationdomain/strategy/dynamic_open_id_connect_ecdsa_strategy_test.go @@ -1,7 +1,7 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -package oidc +package strategy import ( "context" @@ -20,7 +20,7 @@ import ( "github.com/stretchr/testify/require" "gopkg.in/square/go-jose.v2" - "go.pinniped.dev/internal/oidc/jwks" + "go.pinniped.dev/internal/federationdomain/endpoints/jwks" "go.pinniped.dev/internal/testutil/oidctestutil" ) @@ -94,7 +94,7 @@ func TestDynamicOpenIDConnectECDSAStrategy(t *testing.T) { if test.jwksProvider != nil { test.jwksProvider(jwksProvider) } - s := newDynamicOpenIDConnectECDSAStrategy( + s := NewDynamicOpenIDConnectECDSAStrategy( &fosite.Config{IDTokenIssuer: test.issuer}, jwksProvider, ) diff --git a/internal/federationdomain/timeouts/timeouts_configuration.go b/internal/federationdomain/timeouts/timeouts_configuration.go new file mode 100644 index 000000000..9657eaa49 --- /dev/null +++ b/internal/federationdomain/timeouts/timeouts_configuration.go 
@@ -0,0 +1,74 @@
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package timeouts
+
+import "time"
+
+type Configuration struct {
+ // The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
+ // valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
+ // time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
+ // the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
+ // with password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
+ // the browser is sitting at the upstream IDP's login page.
+ UpstreamStateParamLifespan time.Duration
+
+ // How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
+ // has to come back to exchange the authcode for tokens at the token endpoint.
+ AuthorizeCodeLifespan time.Duration
+
+ // The lifetime of an downstream access token issued by the token endpoint. Access tokens should generally
+ // be fairly short-lived.
+ AccessTokenLifespan time.Duration
+
+ // The lifetime of an downstream ID token issued by the token endpoint. This should generally be the same
+ // as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
+ // for longer than their proof of authorization.
+ IDTokenLifespan time.Duration
+
+ // The lifetime of an downstream refresh token issued by the token endpoint. This should generally be
+ // significantly longer than the access token lifetime, so it can be used to refresh the access token
+ // multiple times. Once the refresh token expires, the user's session is over and they will need
+ // to start a new authorization request, which will require them to log in again with the upstream IDP
+ // in their web browser.
+ RefreshTokenLifespan time.Duration
+
+ // AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
+ // collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
+ // authcode as already used, so it can reject any future uses of the same authcode with special case handling which
+ // include revoking the access and refresh tokens associated with the session. Therefore, this should be
+ // significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
+ // the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan.
+ AuthorizationCodeSessionStorageLifetime time.Duration
+
+ // PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
+ // storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
+ // redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
+ // but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
+ // avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
+ // while it is being used.
+ PKCESessionStorageLifetime time.Duration
+
+ // OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
+ // is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
+ // deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
+ // Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
+ // as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
+ OIDCSessionStorageLifetime time.Duration
+
+ // AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
+ // to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid
+ // or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
+ AccessTokenSessionStorageLifetime time.Duration
+
+ // RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
+ // to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
+ // Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
+ // as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
+ // If an expired token is still stored when the user tries to refresh it, then they will get a more specific
+ // error message telling them that the token is expired, rather than a more generic error that is returned
+ // when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
+ // to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
+ RefreshTokenSessionStorageLifetime time.Duration
+}
diff --git a/internal/oidc/provider/upstreamprovider/upsteam_provider.go b/internal/federationdomain/upstreamprovider/upsteam_provider.go
similarity index 100%
rename from internal/oidc/provider/upstreamprovider/upsteam_provider.go
rename to internal/federationdomain/upstreamprovider/upsteam_provider.go
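Review bot: The field comments in the new `timeouts.Configuration` state hard ordering requirements — the three authcode-related storage lifetimes must exceed `AuthorizeCodeLifespan`, and both `AccessTokenSessionStorageLifetime` and `RefreshTokenSessionStorageLifetime` must exceed `RefreshTokenLifespan` — but nothing in the struct enforces them, and the comments themselves explain the consequence of getting it wrong (the garbage collector deleting session data that is still in use, or the refresh flow breaking). Now that the type lives in its own package and is exported, a `Validate()` method that callers such as `DefaultOIDCTimeoutsConfiguration` or the storage constructor can run would turn a silent misconfiguration into an error; the method below needs the `errors` import. The exported type also lacks a doc comment; I would add `// Configuration holds the lifespans of the tokens, codes and state issued by a FederationDomain and the longer lifetimes after which their stored session data may be garbage collected.` above `type Configuration struct`.
```go
// … unchanged: Configuration struct …

// Validate returns an error describing the first field whose value breaks the
// ordering that the field comments require; a storage lifetime that is not
// longer than the lifespan of the thing it stores lets the garbage collector
// remove session data that is still in use.
func (c Configuration) Validate() error {
	switch {
	case c.AuthorizationCodeSessionStorageLifetime <= c.AuthorizeCodeLifespan:
		return errors.New("AuthorizationCodeSessionStorageLifetime must be longer than AuthorizeCodeLifespan")
	case c.PKCESessionStorageLifetime <= c.AuthorizeCodeLifespan:
		return errors.New("PKCESessionStorageLifetime must be longer than AuthorizeCodeLifespan")
	case c.OIDCSessionStorageLifetime <= c.AuthorizeCodeLifespan:
		return errors.New("OIDCSessionStorageLifetime must be longer than AuthorizeCodeLifespan")
	case c.AccessTokenSessionStorageLifetime <= c.RefreshTokenLifespan:
		return errors.New("AccessTokenSessionStorageLifetime must be longer than RefreshTokenLifespan")
	case c.RefreshTokenSessionStorageLifetime <= c.RefreshTokenLifespan:
		return errors.New("RefreshTokenSessionStorageLifetime must be longer than RefreshTokenLifespan")
	}
	return nil
}
```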
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go index 07b065ed4..042478898 100644 --- a/internal/fositestorage/accesstoken/accesstoken.go +++ b/internal/fositestorage/accesstoken/accesstoken.go @@ -16,8 +16,8 @@ import ( "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" ) diff --git a/internal/fositestorage/accesstoken/accesstoken_test.go b/internal/fositestorage/accesstoken/accesstoken_test.go index 52a731f30..2e571e9af 100644 --- a/internal/fositestorage/accesstoken/accesstoken_test.go +++ b/internal/fositestorage/accesstoken/accesstoken_test.go @@ -22,7 +22,7 @@ import ( coretesting "k8s.io/client-go/testing" clocktesting "k8s.io/utils/clock/testing" - "go.pinniped.dev/internal/oidc/clientregistry" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" ) diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go index 6c451acfd..c2fe859d9 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode.go +++ b/internal/fositestorage/authorizationcode/authorizationcode.go @@ -17,8 +17,8 @@ import ( "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" ) diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go index 355800018..69912765f 100644 --- a/internal/fositestorage/authorizationcode/authorizationcode_test.go 
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go @@ -34,8 +34,8 @@ import ( kubetesting "k8s.io/client-go/testing" clocktesting "k8s.io/utils/clock/testing" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" ) diff --git a/internal/fositestorage/fositestorage.go b/internal/fositestorage/fositestorage.go index af99caed7..c15c8c90e 100644 --- a/internal/fositestorage/fositestorage.go +++ b/internal/fositestorage/fositestorage.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package fositestorage @@ -7,7 +7,7 @@ import ( "github.com/ory/fosite" "go.pinniped.dev/internal/constable" - "go.pinniped.dev/internal/oidc/clientregistry" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/psession" ) diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go index 4770e41f6..c2aa553d8 100644 --- a/internal/fositestorage/openidconnect/openidconnect.go +++ b/internal/fositestorage/openidconnect/openidconnect.go @@ -16,8 +16,8 @@ import ( "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" ) diff --git a/internal/fositestorage/openidconnect/openidconnect_test.go b/internal/fositestorage/openidconnect/openidconnect_test.go index e4740ac73..e278deeae 100644 --- a/internal/fositestorage/openidconnect/openidconnect_test.go +++ b/internal/fositestorage/openidconnect/openidconnect_test.go 
@@ -21,7 +21,7 @@ import ( coretesting "k8s.io/client-go/testing" clocktesting "k8s.io/utils/clock/testing" - "go.pinniped.dev/internal/oidc/clientregistry" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" ) diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go index 3f44a00d3..6cea9a851 100644 --- a/internal/fositestorage/pkce/pkce.go +++ b/internal/fositestorage/pkce/pkce.go @@ -15,8 +15,8 @@ import ( "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" ) diff --git a/internal/fositestorage/pkce/pkce_test.go b/internal/fositestorage/pkce/pkce_test.go index f0a24fd4a..bc424593c 100644 --- a/internal/fositestorage/pkce/pkce_test.go +++ b/internal/fositestorage/pkce/pkce_test.go @@ -21,7 +21,7 @@ import ( coretesting "k8s.io/client-go/testing" clocktesting "k8s.io/utils/clock/testing" - "go.pinniped.dev/internal/oidc/clientregistry" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/psession" "go.pinniped.dev/internal/testutil" ) diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go index 9feaed559..d3abdc4f0 100644 --- a/internal/fositestorage/refreshtoken/refreshtoken.go +++ b/internal/fositestorage/refreshtoken/refreshtoken.go @@ -16,8 +16,8 @@ import ( "go.pinniped.dev/internal/constable" "go.pinniped.dev/internal/crud" + "go.pinniped.dev/internal/federationdomain/clientregistry" "go.pinniped.dev/internal/fositestorage" - "go.pinniped.dev/internal/oidc/clientregistry" "go.pinniped.dev/internal/psession" ) 
diff --git a/internal/fositestorage/refreshtoken/refreshtoken_test.go b/internal/fositestorage/refreshtoken/refreshtoken_test.go
index 8e2826b9e..24da03a1f 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken_test.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken_test.go
@@ -22,7 +22,7 @@ import (
 coretesting "k8s.io/client-go/testing"
 clocktesting "k8s.io/utils/clock/testing"
- "go.pinniped.dev/internal/oidc/clientregistry"
+ "go.pinniped.dev/internal/federationdomain/clientregistry"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 )
diff --git a/internal/mocks/issuermocks/generate.go b/internal/mocks/issuermocks/generate.go
index 7d0c9937e..c770c9275 100644
--- a/internal/mocks/issuermocks/generate.go
+++ b/internal/mocks/issuermocks/generate.go
@@ -1,6 +1,6 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package issuermocks
-//go:generate go run -v github.com/golang/mock/mockgen -destination=issuermocks.go -package=issuermocks -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/issuer ClientCertIssuer
+//go:generate go run -v github.com/golang/mock/mockgen -destination=issuermocks.go -package=issuermocks -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/clientcertissuer ClientCertIssuer
diff --git a/internal/mocks/issuermocks/issuermocks.go b/internal/mocks/issuermocks/issuermocks.go
index 6867a2a0e..2edd28481 100644
--- a/internal/mocks/issuermocks/issuermocks.go
+++ b/internal/mocks/issuermocks/issuermocks.go
@@ -3,7 +3,7 @@
 //
 // Code generated by MockGen. DO NOT EDIT.
-// Source: go.pinniped.dev/internal/issuer (interfaces: ClientCertIssuer)
+// Source: go.pinniped.dev/internal/clientcertissuer (interfaces: ClientCertIssuer)
 // Package issuermocks is a generated GoMock package.
 package issuermocks
diff --git a/internal/mocks/mockupstreamoidcidentityprovider/generate.go b/internal/mocks/mockupstreamoidcidentityprovider/generate.go index d1ba84a07..e94a53380 100644 --- a/internal/mocks/mockupstreamoidcidentityprovider/generate.go +++ b/internal/mocks/mockupstreamoidcidentityprovider/generate.go @@ -3,4 +3,4 @@ package mockupstreamoidcidentityprovider -//go:generate go run -v github.com/golang/mock/mockgen -destination=mockupstreamoidcidentityprovider.go -package=mockupstreamoidcidentityprovider -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/oidc/provider/upstreamprovider UpstreamOIDCIdentityProviderI +//go:generate go run -v github.com/golang/mock/mockgen -destination=mockupstreamoidcidentityprovider.go -package=mockupstreamoidcidentityprovider -copyright_file=../../../hack/header.txt go.pinniped.dev/internal/federationdomain/upstreamprovider UpstreamOIDCIdentityProviderI diff --git a/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go b/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go index cc66519f6..cad36a261 100644 --- a/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go +++ b/internal/mocks/mockupstreamoidcidentityprovider/mockupstreamoidcidentityprovider.go @@ -3,7 +3,7 @@ // // Code generated by MockGen. DO NOT EDIT. -// Source: go.pinniped.dev/internal/oidc/provider/upstreamprovider (interfaces: UpstreamOIDCIdentityProviderI) +// Source: go.pinniped.dev/internal/federationdomain/upstreamprovider (interfaces: UpstreamOIDCIdentityProviderI) // Package mockupstreamoidcidentityprovider is a generated GoMock package. package mockupstreamoidcidentityprovider 
@@ -14,7 +14,7 @@ import (
 reflect "reflect"
 
 gomock "github.com/golang/mock/gomock"
- upstreamprovider "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ upstreamprovider "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 nonce "go.pinniped.dev/pkg/oidcclient/nonce"
 oidctypes "go.pinniped.dev/pkg/oidcclient/oidctypes"
 pkce "go.pinniped.dev/pkg/oidcclient/pkce"
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 5d67c2c30..5018038f2 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -58,12 +58,13 @@ import (
 "go.pinniped.dev/internal/deploymentref"
 "go.pinniped.dev/internal/downward"
 "go.pinniped.dev/internal/dynamiccert"
+ "go.pinniped.dev/internal/federationdomain/dynamictlscertprovider"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/endpoints/jwks"
+ "go.pinniped.dev/internal/federationdomain/endpointsmanager"
 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/kubeclient"
 "go.pinniped.dev/internal/leaderelection"
- "go.pinniped.dev/internal/oidc/jwks"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/manager"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/pversion"
 "go.pinniped.dev/internal/secret"
@@ -129,10 +130,10 @@ func signalCtx() context.Context {
 //nolint:funlen
 func prepareControllers(
 cfg *supervisor.Config,
- issuerManager *manager.Manager,
+ issuerManager *endpointsmanager.Manager,
 dynamicJWKSProvider jwks.DynamicJWKSProvider,
- dynamicTLSCertProvider provider.DynamicTLSCertProvider,
- dynamicUpstreamIDPProvider provider.DynamicUpstreamIDPProvider,
+ dynamicTLSCertProvider dynamictlscertprovider.DynamicTLSCertProvider,
+ dynamicUpstreamIDPProvider dynamicupstreamprovider.DynamicUpstreamIDPProvider,
 dynamicServingCertProvider dynamiccert.Private,
 secretCache *secret.Cache,
 supervisorDeployment *appsv1.Deployment,
@@ -436,12 +437,12 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 
 dynamicServingCertProvider := dynamiccert.NewServingCert("supervisor-serving-cert")
 dynamicJWKSProvider := jwks.NewDynamicJWKSProvider()
- dynamicTLSCertProvider := provider.NewDynamicTLSCertProvider()
- dynamicUpstreamIDPProvider := provider.NewDynamicUpstreamIDPProvider()
+ dynamicTLSCertProvider := dynamictlscertprovider.NewDynamicTLSCertProvider()
+ dynamicUpstreamIDPProvider := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 secretCache := secret.Cache{}
 
 // OIDC endpoints will be served by the oidProvidersManager, and any non-OIDC paths will fallback to the healthMux.
- oidProvidersManager := manager.NewManager(
+ oidProvidersManager := endpointsmanager.NewManager(
 healthMux,
 dynamicJWKSProvider,
 dynamicUpstreamIDPProvider,
diff --git a/internal/testutil/oidcclient_test.go b/internal/testutil/oidcclient_test.go
index cd8923137..c47a129a0 100644
--- a/internal/testutil/oidcclient_test.go
+++ b/internal/testutil/oidcclient_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testutil
@@ -6,10 +6,10 @@ package testutil
 import (
 "testing"
 
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
-
 "github.com/stretchr/testify/require"
 "golang.org/x/crypto/bcrypt"
+
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
 )
 
 func TestBcryptConstants(t *testing.T) {
diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go
index e879ffcf3..46aab19ac 100644
--- a/internal/testutil/oidctestutil/oidctestutil.go
+++ b/internal/testutil/oidctestutil/oidctestutil.go
@@ -30,19 +30,19 @@ import (
 
 "go.pinniped.dev/internal/authenticators"
 "go.pinniped.dev/internal/crud"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/resolvedprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/fositestorage/authorizationcode"
 "go.pinniped.dev/internal/fositestorage/openidconnect"
- pkce2 "go.pinniped.dev/internal/fositestorage/pkce"
+ "go.pinniped.dev/internal/fositestorage/pkce"
 "go.pinniped.dev/internal/fositestoragei"
 "go.pinniped.dev/internal/idtransform"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/resolvedprovider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/pkg/oidcclient/nonce"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
- "go.pinniped.dev/pkg/oidcclient/pkce"
+ oidcpkce "go.pinniped.dev/pkg/oidcclient/pkce"
 )
 
 // Test helpers for the OIDC package.
@@ -52,7 +52,7 @@ import (
 type ExchangeAuthcodeAndValidateTokenArgs struct {
 Ctx context.Context
 Authcode string
- PKCECodeVerifier pkce.Code
+ PKCECodeVerifier oidcpkce.Code
 ExpectedIDTokenNonce nonce.Nonce
 RedirectURI string
 }
@@ -267,7 +267,7 @@ type TestUpstreamOIDCIdentityProvider struct {
 ExchangeAuthcodeAndValidateTokensFunc func(
 ctx context.Context,
 authcode string,
- pkceCodeVerifier pkce.Code,
+ pkceCodeVerifier oidcpkce.Code,
 expectedIDTokenNonce nonce.Nonce,
 ) (*oidctypes.Token, error)
 
@@ -358,7 +358,7 @@ func (u *TestUpstreamOIDCIdentityProvider) PasswordCredentialsGrantAndValidateTo
 func (u *TestUpstreamOIDCIdentityProvider) ExchangeAuthcodeAndValidateTokens(
 ctx context.Context,
 authcode string,
- pkceCodeVerifier pkce.Code,
+ pkceCodeVerifier oidcpkce.Code,
 expectedIDTokenNonce nonce.Nonce,
 redirectURI string,
 ) (*oidctypes.Token, error) {
@@ -595,8 +595,8 @@ func (b *UpstreamIDPListerBuilder) BuildFederationDomainIdentityProvidersListerF
 }
 }
 
-func (b *UpstreamIDPListerBuilder) BuildDynamicUpstreamIDPProvider() provider.DynamicUpstreamIDPProvider {
- idpProvider := provider.NewDynamicUpstreamIDPProvider()
+func (b *UpstreamIDPListerBuilder) BuildDynamicUpstreamIDPProvider() dynamicupstreamprovider.DynamicUpstreamIDPProvider {
+ idpProvider := dynamicupstreamprovider.NewDynamicUpstreamIDPProvider()
 
 oidcUpstreams := make([]upstreamprovider.UpstreamOIDCIdentityProviderI, len(b.upstreamOIDCIdentityProviders))
 for i := range b.upstreamOIDCIdentityProviders {
@@ -1038,7 +1038,7 @@ func (u *TestUpstreamOIDCIdentityProviderBuilder) Build() *TestUpstreamOIDCIdent
 AdditionalClaimMappings: u.additionalClaimMappings,
 DisplayNameForFederationDomain: u.displayNameForFederationDomain,
 TransformsForFederationDomain: u.transformsForFederationDomain,
- ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
+ ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier oidcpkce.Code, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
 if u.authcodeExchangeErr != nil {
 return nil, u.authcodeExchangeErr
 }
@@ -1223,7 +1223,7 @@ func RequireAuthCodeRegexpMatch(
 )
 
 // One PKCE should have been stored.
- testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secretsClient, labels.Set{crud.SecretLabelKey: pkce2.TypeLabelValue}, 1)
+ testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secretsClient, labels.Set{crud.SecretLabelKey: pkce.TypeLabelValue}, 1)
 validatePKCEStorage(
 t,
diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go
index 7dd0dcc67..b178adf2e 100644
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@@ -27,8 +27,8 @@ import (
 "go.pinniped.dev/internal/authenticators"
 "go.pinniped.dev/internal/crypto/ptls"
 "go.pinniped.dev/internal/endpointaddr"
- "go.pinniped.dev/internal/oidc/downstreamsession"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/downstreamsession"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 )
 
diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go
index 02476b253..d07c2c9e1 100644
--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@@ -25,8 +25,8 @@ import (
 "go.pinniped.dev/internal/certauthority"
 "go.pinniped.dev/internal/crypto/ptls"
 "go.pinniped.dev/internal/endpointaddr"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/mocks/mockldapconn"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/tlsassertions"
 "go.pinniped.dev/internal/testutil/tlsserver"
diff --git a/internal/upstreamoidc/upstreamoidc.go b/internal/upstreamoidc/upstreamoidc.go
index dc61b11f4..8cd569a18 100644
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@@ -21,9 +21,9 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/httputil/httperr"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/pkg/oidcclient/nonce"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -221,7 +221,7 @@ func (p *ProviderConfig) tryRevokeToken(
 if err != nil {
 // Couldn't connect to the server or some similar error.
 // Could be a temporary network problem, so it might be worth retrying.
- return false, provider.NewRetryableRevocationError(err)
+ return false, dynamicupstreamprovider.NewRetryableRevocationError(err)
 }
 defer resp.Body.Close()
 
@@ -271,7 +271,7 @@ func (p *ProviderConfig) tryRevokeToken(
 // be caused by an underlying problem which could potentially become resolved in the near future. We'll be
 // optimistic and call all 5xx errors retryable.
 plog.Trace("RevokeToken() got unexpected error response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth, "statusCode", status)
- return false, provider.NewRetryableRevocationError(fmt.Errorf("server responded with status %d", status))
+ return false, dynamicupstreamprovider.NewRetryableRevocationError(fmt.Errorf("server responded with status %d", status))
 default:
 // Any other error is probably not due to failed client auth, and is probably not worth retrying later.
 plog.Trace("RevokeToken() got unexpected error response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth, "statusCode", status)
diff --git a/internal/upstreamoidc/upstreamoidc_test.go b/internal/upstreamoidc/upstreamoidc_test.go
index e477f1ba6..cc4f06a23 100644
--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -23,9 +23,9 @@ import (
 "gopkg.in/square/go-jose.v2"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+ "go.pinniped.dev/internal/federationdomain/dynamicupstreamprovider"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/mocks/mockkeyset"
- "go.pinniped.dev/internal/oidc/provider"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/pkg/oidcclient/nonce"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
@@ -715,8 +715,8 @@ func TestProviderConfig(t *testing.T) {
 testutil.RequireErrorStringFromErr(t, err, tt.wantErr)
 
 if tt.wantRetryableErrType {
- require.ErrorAs(t, err, &provider.RetryableRevocationError{})
- } else if errors.As(err, &provider.RetryableRevocationError{}) {
+ require.ErrorAs(t, err, &dynamicupstreamprovider.RetryableRevocationError{})
+ } else if errors.As(err, &dynamicupstreamprovider.RetryableRevocationError{}) {
 // There is no NotErrorAs() assertion available in the current version of testify, so do the equivalent.
 require.Fail(t, "error should not be As RetryableRevocationError")
 }
diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index 341d1ffd9..fac2b99c4 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -30,10 +30,10 @@ import (
 "k8s.io/utils/strings/slices"
 
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/securityheader"
 "go.pinniped.dev/internal/net/phttp"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/upstreamoidc"
 "go.pinniped.dev/pkg/oidcclient/nonce"
diff --git a/pkg/oidcclient/login_test.go b/pkg/oidcclient/login_test.go
index 871d60141..b041dbfcf 100644
--- a/pkg/oidcclient/login_test.go
+++ b/pkg/oidcclient/login_test.go
@@ -28,11 +28,11 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/klog/v2"
 
+ "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/httputil/httperr"
 "go.pinniped.dev/internal/httputil/roundtripper"
 "go.pinniped.dev/internal/mocks/mockupstreamoidcidentityprovider"
 "go.pinniped.dev/internal/net/phttp"
- "go.pinniped.dev/internal/oidc/provider/upstreamprovider"
 "go.pinniped.dev/internal/plog"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/testlogger"
diff --git a/proposals/1113_ldap-ad-web-ui/README.md b/proposals/1113_ldap-ad-web-ui/README.md
index 1a204c454..090a3c543 100644
--- a/proposals/1113_ldap-ad-web-ui/README.md
+++ b/proposals/1113_ldap-ad-web-ui/README.md
@@ -160,7 +160,7 @@ Once dynamic clients are implemented:
 #### New Dependencies
 
 This should be kept to a very simple HTML page with minimal, clean CSS styling. Javascript should be avoided.
-The styling should match the [form post html page](https://github.com/vmware-tanzu/pinniped/tree/main/internal/oidc/provider/formposthtml)
+The styling should match the [form post html page](https://github.com/vmware-tanzu/pinniped/tree/main/internal/federationdomain/formposthtml)
 as much as possible, we should reuse some of the existing css and add to it to keep the style consistent.
 
 #### Observability Considerations
diff --git a/site/content/docs/reference/code-walkthrough.md b/site/content/docs/reference/code-walkthrough.md
index 11c84cd7a..bd18b6f91 100644
--- a/site/content/docs/reference/code-walkthrough.md
+++ b/site/content/docs/reference/code-walkthrough.md
@@ -192,28 +192,28 @@ The Supervisor's endpoints are: Each FederationDomain's endpoints are mounted under the path of the FederationDomain's `spec.issuer`, if the `spec.issuer` URL has a path component specified. If the issuer has no path, then they are mounted under `/`. These per-FederationDomain endpoint are all mounted by the code in -[internal/oidc/provider/manager/manager.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/provider/manager/manager.go). +[internal/federationdomain/endpointsmanager/manager.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpointsmanager/manager.go). The per-FederationDomain endpoints are: - `/.well-known/openid-configuration` is the standard OIDC discovery endpoint, which can be used to discover all the other endpoints listed here. - See [internal/oidc/discovery/discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/discovery/discovery_handler.go). + See [internal/federationdomain/endpoints/discovery/discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/discovery/discovery_handler.go). - `/jwks.json` is the standard OIDC JWKS discovery endpoint. - See [internal/oidc/jwks/jwks_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/jwks/jwks_handler.go). + See [internal/federationdomain/endpoints/jwks/jwks_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/jwks/jwks_handler.go). - `/oauth2/authorize` is the standard OIDC authorize endpoint. - See [internal/oidc/auth/auth_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/auth/auth_handler.go). + See [internal/federationdomain/endpoints/auth/auth_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/auth/auth_handler.go). - `/oauth2/token` is the standard OIDC token endpoint. 
- See [internal/oidc/token/token_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token/token_handler.go). + See [internal/federationdomain/endpoints/token/token_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/token/token_handler.go). The token endpoint can handle the standard OIDC `authorization_code` and `refresh_token` grant types, and has also been - extended in [internal/oidc/token_exchange.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/token_exchange.go) + extended in [internal/federationdomain/endpoints/tokenexchange/token_exchange.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/tokenexchange/token_exchange.go) to handle an additional grant type for [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693) token exchanges to reduce the applicable scope (technically, the `aud` claim) of ID tokens. - `/callback` is a special endpoint that is used as the redirect URL when performing an OIDC authcode flow against an upstream OIDC identity provider as configured by an OIDCIdentityProvider custom resource. - See [internal/oidc/callback/callback_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/callback/callback_handler.go). + See [internal/federationdomain/endpoints/callback/callback_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/callback/callback_handler.go). - `/v1alpha1/pinniped_identity_providers` is a custom discovery endpoint for clients to learn about available upstream identity providers. - See [internal/oidc/idpdiscovery/idp_discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/idpdiscovery/idp_discovery_handler.go). 
+ See [internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/idpdiscovery/idp_discovery_handler.go). - `/login` is a login UI page to support the optional browser-based login flow for LDAP and Active Directory identity providers. - See [internal/oidc/login/login_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/oidc/login/login_handler.go). + See [internal/federationdomain/endpoints/login/login_handler.go](https://github.com/vmware-tanzu/pinniped/blob/main/internal/federationdomain/endpoints/login/login_handler.go). The OIDC specifications implemented by the Supervisor can be found at [openid.net](https://openid.net/connect). diff --git a/test/integration/formposthtml_test.go b/test/integration/formposthtml_test.go index 1a3b45299..9056e065b 100644 --- a/test/integration/formposthtml_test.go +++ b/test/integration/formposthtml_test.go @@ -19,8 +19,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "go.pinniped.dev/internal/federationdomain/formposthtml" "go.pinniped.dev/internal/httputil/securityheader" - "go.pinniped.dev/internal/oidc/provider/formposthtml" "go.pinniped.dev/test/testlib" "go.pinniped.dev/test/testlib/browsertest" ) diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index ae58aead9..d424014c0 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go 
@@ -31,8 +31,9 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 "go.pinniped.dev/internal/certauthority"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/storage"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/pkg/oidcclient/nonce"
@@ -2240,7 +2241,7 @@ func testSupervisorLogin(
 // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
 supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
- oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+ oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
 require.NoError(t, err)
 
@@ -2302,7 +2303,7 @@ func testSupervisorLogin(
 // First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
 supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
- oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+ oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
 require.NoError(t, err)
 
diff --git a/test/integration/supervisor_storage_test.go b/test/integration/supervisor_storage_test.go
index e58322622..d56cc6be1 100644
--- a/test/integration/supervisor_storage_test.go
+++ b/test/integration/supervisor_storage_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -17,8 +17,8 @@ import (
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+ "go.pinniped.dev/internal/federationdomain/clientregistry"
 "go.pinniped.dev/internal/fositestorage/authorizationcode"
- "go.pinniped.dev/internal/oidc/clientregistry"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/test/testlib"
 )
diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go
index f84b5358d..5c93e687b 100644
--- a/test/integration/supervisor_warnings_test.go
+++ b/test/integration/supervisor_warnings_test.go
@@ -28,8 +28,9 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 "go.pinniped.dev/internal/certauthority"
- "go.pinniped.dev/internal/oidc"
- "go.pinniped.dev/internal/oidc/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/oidc"
+ "go.pinniped.dev/internal/federationdomain/oidcclientvalidator"
+ "go.pinniped.dev/internal/federationdomain/storage"
 "go.pinniped.dev/internal/psession"
 "go.pinniped.dev/pkg/oidcclient"
 "go.pinniped.dev/pkg/oidcclient/filesession"
@@ -186,7 +187,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 // out of kube secret storage.
 supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
- oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+ oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1]
 storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil)
 require.NoError(t, err)
@@ -494,7 +495,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
 // out of kube secret storage.
 supervisorSecretsClient := testlib.NewKubernetesClientset(t).CoreV1().Secrets(env.SupervisorNamespace)
 supervisorOIDCClientsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().OIDCClients(env.SupervisorNamespace)
- oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
+ oauthStore := storage.NewKubeStorage(supervisorSecretsClient, supervisorOIDCClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), oidcclientvalidator.DefaultMinBcryptCost)
 refreshTokenSignature := strings.Split(token.RefreshToken.Token, ".")[1]
 storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, refreshTokenSignature, nil)
 require.NoError(t, err)