Merge branch 'main' into feat/deny-by-default-acls

2026-05-17 01:30:13 +00:00 · 2026-05-16 21:27:30 +03:00
parent b9abab2f17 8932f2ad46
commit 7b5d882ee8
30 changed files with 5420 additions and 1296 deletions
@@ -1,38 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help improve Tinyauth
 title: "[BUG]"
 labels: bug
 assignees:
  - steveiliop56
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 **Logs**
 Please include the Tinyauth logs below, make sure to not include sensitive info.
 **Device (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Tinyauth [e.g. v2.1.1]
 - Docker [e.g. 27.3.1]
 **
 **Additional context**
 Add any other context about the problem here.
@@ -0,0 +1,89 @@
 name: Bug Report
 description: Create a report to help us improve this project
 title: "[BUG]"
 labels: bug
 assignees:
  - steveiliop56
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for reporting a bug! Please provide detailed information below.
  - type: textarea
    id: description
    attributes:
      label: Describe the Bug
      description: "A clear and concise description of what the bug is."
    validations:
      required: true
  - type: textarea
    id: reproduce
    attributes:
      label: How to Reproduce
      description: Steps to reproduce the behavior.
      value: |
        1. Go to '...'
        2. Click on '....'
        3. Scroll down to '....'
        4. See error
    validations:
      required: false
  - type: textarea
    id: expected
    attributes:
      label: Expected Behavior
      description: "A clear and concise description of what you expected to happen."
    validations:
      required: true
  - type: textarea
    id: context
    attributes:
      label: "Additional Context"
      description: "If applicable add screenshots to help explain your problem."
    validations:
      required: false
  - type: textarea
    id: logs
    attributes:
      label: "Logs"
      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
    validations:
      required: false
  - type: input
    id: os
    attributes:
      label: Operating System
      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
  - type: input
    id: browser
    attributes:
      label: Browser
      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
  - type: input
    id: tinyauth
    attributes:
      label: Tinyauth Version
      placeholder: "e.g. v5.0.0"
  - type: input
    id: docker
    attributes:
      label: Docker Version (if applicable)
      placeholder: "e.g. 27.3.1"
  - type: checkboxes
    id: not-llm
    attributes:
      label: Human Written Confirmation
      options:
        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
          required: true
@@ -0,0 +1,8 @@
 blank_issues_enabled: true
 contact_links:
  - name: Tinyauth Community Support on Discord
    url: https://discord.gg/eHzVaCzRRd
    about: Please ask and answer questions here.
  - name: Tinyauth Documentation
    url: https://tinyauth.app/docs/getting-started/
    about: Please check the documentation here.
@@ -1,21 +0,0 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
 assignees:
  - steveiliop56
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
@@ -0,0 +1,52 @@
 name: Feature request
 description: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
 assignees:
  - steveiliop56
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for suggesting a feature! Please provide detailed information below.
  - type: textarea
    id: problem
    attributes:
      label: Is your feature request related to a problem? Please describe.
      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
    validations:
      required: false
  - type: textarea
    id: solution
    attributes:
      label: Describe the solution you'd like.
      description: "A clear and concise description of what you want to happen."
    validations:
      required: true
  - type: textarea
    id: alternatives
    attributes:
      label: Describe alternatives you've considered.
      description: "A clear and concise description of any alternative solutions or features you've considered."
    validations:
      required: false
  - type: textarea
    id: context
    attributes:
      label: Additional context
      description: "Add any other context or screenshots about the feature request here."
    validations:
      required: false
  - type: checkboxes
    id: not-llm
    attributes:
      label: Human Written Confirmation
      options:
        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
          required: true
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "bun"
+  - package-ecosystem: "npm"
    directory: "/frontend"
    groups:
      minor-patch:
@@ -15,8 +15,10 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -27,27 +29,22 @@ jobs:
        run: go mod download
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Set version
-        run: |
+        run: echo testing > internal/assets/version
          echo testing > internal/assets/version
      - name: Lint frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run lint
          bun run lint
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Copy frontend
-        run: |
+        run: cp -r frontend/dist internal/assets/dist
          cp -r frontend/dist internal/assets/dist
      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...
@@ -59,8 +59,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -68,18 +70,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -105,8 +104,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -114,18 +115,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -35,8 +35,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -44,18 +46,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -78,8 +77,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -87,18 +88,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -48,3 +48,6 @@ __debug_*
 # testing config
 config.certify.yml
 # deepsec
 /.deepsec
@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 ## Requirements
- Bun
+- pnpm
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 ```sh
 cd frontend/
-bun install
+pnpm ci
 ```
 ## Create the `.env` file
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
 COPY ./cmd ./cmd
 COPY ./internal ./internal
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	cd frontend && pnpm ci
 	go mod download
 # Clean data
@@ -31,7 +31,7 @@ clean-webui:
 # Build the web UI
 webui: clean-webui
-	bun run --cwd frontend build
+	cd frontend && pnpm run build
 	cp -r frontend/dist internal/assets
 # Build the binary
@@ -2,8 +2,56 @@
 ## Supported Versions
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 ## Reporting a Vulnerability
-Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
+Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
 Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
 Or send us an email at <security@tinyauth.app>.
 ### A note on AI-assisted reports
 If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
 When submitting a report, please use the structure below so it can be triaged quickly.
 ---
 ### 1. Summary
 A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
 ### 2. Steps to Reproduce / Proof of Concept
 Provide a minimal, reliable reproduction:
 1. Step one
 2. Step two
 3. Step three
 Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
 ### 3. Expected vs. Actual Behaviour
 - **Expected:** what *should* happen
 - **Actual:** what *does* happen, and why it's a security issue
 ### 4. Suggested Fix or Mitigation *(optional)*
 If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
 - **Have you tested this fix?** Yes / No
 - **If yes,** briefly describe how it was tested and what was verified.
 ---
 ## What to Expect
 - **Acknowledgement** within a reasonable timeframe after receiving your report
 - **Updates** as the issue is investigated and addressed
 - **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
 We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
@@ -1,6 +0,0 @@
 # Ignore artifacts:
 dist
 node_modules
 bun.lock
 package.json
 src/lib/i18n/locales
@@ -1 +0,0 @@
 {}
@@ -1,11 +1,13 @@
-FROM oven/bun:1.2.16-alpine
+FROM node:26.1-alpine3.23
 RUN npm install -g pnpm@11.1.2
 WORKDIR /frontend
 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+COPY ./frontend/pnpm-lock.yaml ./
-RUN bun install --frozen-lockfile
+RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,4 +21,4 @@ COPY ./frontend/vite.config.ts ./
 EXPOSE 5173
-ENTRYPOINT ["bun", "run", "dev"]
+ENTRYPOINT ["pnpm", "run", "dev"]
@@ -10,6 +10,7 @@
    "preview": "vite preview",
    "tsc": "tsc -b"
  },
  "packageManager": "pnpm@11.1.2",
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -0,0 +1,4 @@
 dangerouslyAllowAllBuilds: false
 blockExoticSubdeps: true
 minimumReleaseAge: 1440 # 1 day
 trustPolicy: no-downgrade
@@ -208,7 +208,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = user.Name
 	} else {
 		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+		parts := strings.SplitN(user.Email, "@", 2)
 		if len(parts) == 2 {
 			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
 		} else {
 			name = utils.Capitalize(user.Email)
 		}
 	}
 	var username string
@@ -146,7 +146,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
-		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
@@ -288,7 +288,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to delete code")
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				controller.log.App.Warn().Msg("Code not found")
@@ -138,9 +138,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
+			c.JSON(403, gin.H{
-				"status":  401,
+				"status":  403,
-				"message": "Unauthorized",
+				"message": "Forbidden",
 			})
 			return
 		}
@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}
@@ -606,46 +606,49 @@ func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
-	if len(auth.oauthPendingSessions) >= MaxOAuthPendingSessions {
+	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
 		return
 	}
-		cleanupIds := make([]string, 0, OAuthCleanupCount)
+	type entry struct {
 		id        string
 		expiresAt int64
 	}
-		for range OAuthCleanupCount {
+	entries := make([]entry, 0, len(auth.oauthPendingSessions))
-			oldestId := ""
+	for id, session := range auth.oauthPendingSessions {
-			oldestTime := int64(0)
+		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
 	}
-			for id, session := range auth.oauthPendingSessions {
+	slices.SortFunc(entries, func(a, b entry) int {
-				if oldestTime == 0 {
+		if a.expiresAt < b.expiresAt {
-					oldestId = id
+			return -1
 					oldestTime = session.ExpiresAt.Unix()
 					continue
 				}
 				if slices.Contains(cleanupIds, id) {
 					continue
 				}
 				if session.ExpiresAt.Unix() < oldestTime {
 					oldestId = id
 					oldestTime = session.ExpiresAt.Unix()
 				}
 			}
 			cleanupIds = append(cleanupIds, oldestId)
 		}
-
+		if a.expiresAt > b.expiresAt {
-		for _, id := range cleanupIds {
+			return 1
 			delete(auth.oauthPendingSessions, id)
 		}
 		return 0
 	})
 	for _, e := range entries[:OAuthCleanupCount] {
 		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 func (auth *AuthService) lockdownMode() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	auth.lockdownCtx = ctx
 	auth.lockdownCancelFunc = cancel
 	auth.loginMutex.Lock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		auth.loginMutex.Unlock()
 		cancel()
 		return
 	}
 	auth.lockdownCtx = ctx
 	auth.lockdownCancelFunc = cancel
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 	auth.lockdown = &Lockdown{
@@ -658,10 +661,12 @@ func (auth *AuthService) lockdownMode() {
 	auth.loginAttempts = make(map[string]*LoginAttempt)
 	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
 	defer timer.Stop()
 	auth.loginMutex.Unlock()
 	defer cancel()
 	defer timer.Stop()
 	select {
 	case <-timer.C:
 		// Timer expired, end lockdown
@@ -26,6 +26,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: config.Insecure,
 				MinVersion:         tls.VersionTLS12,
 			},
 		},
 	}
@@ -121,7 +121,7 @@ type OIDCService struct {
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
+	publicKey  *rsa.PublicKey
 	issuer     string
 }
@@ -239,6 +239,16 @@ func NewOIDCService(
 		}
 	}
 	rPublicKey, ok := publicKey.(*rsa.PublicKey)
 	if !ok {
 		return nil, fmt.Errorf("public key is not an rsa public key")
 	}
 	if rPublicKey.N.Cmp(privateKey.N) != 0 || rPublicKey.E != privateKey.E {
 		return nil, fmt.Errorf("public key does not pair with private key")
 	}
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
@@ -271,7 +281,7 @@ func NewOIDCService(
 		clients:    clients,
 		privateKey: privateKey,
-		publicKey:  publicKey,
+		publicKey:  rPublicKey,
 		issuer:     issuer,
 	}
@@ -297,6 +307,11 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("access_denied")
 	}
 	// Redirect URI to verify that it's trusted
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
 	}
 	// Scopes
 	scopes := strings.Split(req.Scope, " ")
@@ -318,11 +333,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("unsupported_response_type")
 	}
 	// Redirect URI
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
 	}
 	// PKCE code challenge method if set
 	if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
 		if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
@@ -455,7 +465,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 	hasher := sha256.New()
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 	if der == nil {
 		return "", errors.New("failed to marshal public key")
@@ -813,7 +823,7 @@ func (service *OIDCService) cleanupRoutine() {
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
@@ -822,13 +832,13 @@ func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher.Write(der)
 	jwk := jose.JSONWebKey{
-		Key:       service.privateKey,
+		Key:       service.publicKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
-	return jwk.Public().MarshalJSON()
+	return jwk.MarshalJSON()
 }
 func (service *OIDCService) ValidatePKCE(codeChallenge string, codeVerifier string) bool {