fix: fix typo in get code entry

fix: use withlock for get oidc code entry
chore: rabbit comments
2026-06-03 01:50:14 +00:00 · 2026-06-02 12:46:27 +03:00 · 2026-06-02 12:14:10 +03:00 · 2026-06-01 15:47:19 +03:00 · 2026-06-01 12:22:49 +03:00 · 2026-06-01 12:10:59 +03:00
35 changed files with 1570 additions and 2595 deletions
@@ -7,9 +7,9 @@ TINYAUTH_APPURL=
 # database config
-# The database driver to use. Valid values: sqlite, memory.
+# The database driver to use. Valid values: sqlite, postgres, memory.
 TINYAUTH_DATABASE_DRIVER="sqlite"
-# The path to the SQLite database, including file name. Only used when driver is sqlite.
+# The path to the SQLite database file, or connection URL when driver is postgres.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 # analytics config
@@ -62,6 +62,15 @@ binary-linux-arm64:
 test:
 	go test -v ./...
 # Go vet
 .PHONY: vet
 vet:
 	go vet ./...
 # Go race
 test-race:
 	go test -race ./...
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
@@ -0,0 +1,46 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE "oidc_codes" (
    "sub"            TEXT   NOT NULL UNIQUE,
    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
    "scope"          TEXT   NOT NULL,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope"                    TEXT   NOT NULL,
    "client_id"                TEXT   NOT NULL,
    "token_expires_at"         BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce"                    TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -0,0 +1,28 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce" TEXT NOT NULL DEFAULT '',
    "userinfo_json" TEXT NOT NULL
 );
@@ -0,0 +1,46 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
    "name"                  TEXT    NOT NULL,
    "preferred_username"    TEXT    NOT NULL,
    "email"                 TEXT    NOT NULL,
    "groups"                TEXT    NOT NULL,
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
@@ -0,0 +1,28 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "userinfo_json" TEXT NOT NULL
 );
@@ -1,6 +1,7 @@
 package controller
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -12,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -169,7 +169,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	client, ok := controller.oidc.GetClient(req.ClientID)
+	_, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
@@ -203,9 +203,8 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
+	// Create the sub to find and delete old sessions
-	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
+	sub := controller.oidc.CreateSub(*userContext, req.ClientID)
 	code := utils.GenerateString(32)
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -221,37 +220,8 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	err = controller.oidc.StoreCode(c, sub, code, req)
+	// Create the authorization code
-
+	code := controller.oidc.CreateCode(req, *userContext)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to store code",
 			reasonPublic:  "Failed to store code",
 			callback:      req.RedirectURI,
 			callbackError: "server_error",
 			state:         req.State,
 		})
 		return
 	}
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, authorizeErrorParams{
 				err:           err,
 				reason:        "Failed to store user info",
 				reasonPublic:  "Failed to store user info",
 				callback:      req.RedirectURI,
 				callbackError: "server_error",
 				state:         req.State,
 			})
 			return
 		}
 	}
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
@@ -354,38 +324,33 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	switch req.GrantType {
 	case "authorization_code":
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
+		entry, ok := controller.oidc.GetCodeEntry(controller.oidc.Hash(req.Code), client.ClientID)
 		if !ok {
 			// ensure no code reuse
 			usedCodeSub, ok := controller.oidc.IsCodeUsed(controller.oidc.Hash(req.Code))
 			if ok {
 				controller.log.App.Warn().Msg("Code reuse detected")
 				err := controller.oidc.DeleteSessionBySub(c, usedCodeSub)
 				if err != nil {
-			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
+					controller.log.App.Error().Err(err).Msg("Failed to delete session for reused code")
 				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 				}
-			if errors.Is(err, service.ErrCodeNotFound) {
+				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			controller.log.App.Warn().Msg("Code not found")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
-			if errors.Is(err, service.ErrCodeExpired) {
+
-				controller.log.App.Warn().Msg("Code expired")
+		// mark code as used to prevent reuse
-				c.JSON(400, gin.H{
+		controller.oidc.MarkCodeAsUsed(controller.oidc.Hash(req.Code), entry.Userinfo.Sub)
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
 				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
 			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		if entry.RedirectURI != req.RedirectURI {
 			controller.log.App.Warn().Msg("Redirect URI does not match")
@@ -395,7 +360,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
+		ok = controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 		if !ok {
 			controller.log.App.Warn().Msg("PKCE validation failed")
@@ -405,7 +370,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
+		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, *entry)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
@@ -415,7 +380,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = tokenRes
+		tokenResponse = *tokenRes
 	case "refresh_token":
 		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
@@ -443,7 +408,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = tokenRes
+		tokenResponse = *tokenRes
 	}
 	c.Header("cache-control", "no-store")
@@ -507,7 +472,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
+	entry, err := controller.oidc.GetSessionByToken(c, controller.oidc.Hash(token))
 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
@@ -526,15 +491,17 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	}
 	// If we don't have the openid scope, return an error
-	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
+	if !slices.Contains(strings.Split(entry.Scope, " "), "openid") {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
 		return
 	}
-	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
+	var userinfo service.UserinfoResponse
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userinfo)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get user info")
@@ -544,7 +511,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
+	c.JSON(200, controller.oidc.CompileUserinfo(userinfo, entry.Scope))
 }
 func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
@@ -422,7 +422,7 @@ func TestUserController(t *testing.T) {
 	beforeEach := func() {
 		// Clear failed login attempts before each test
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 	}
 	for _, test := range tests {
@@ -326,11 +326,6 @@ func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*mod
 			Name:     whois.DisplayName,
 		},
 		UserID: whois.UserID,
 		Tags:   whois.Tags,
 	}
 	if !strings.ContainsAny(uctx.Email, "@") {
 		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
 	}
 	return &uctx, nil
@@ -263,7 +263,7 @@ func TestContextMiddleware(t *testing.T) {
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 	for _, test := range tests {
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 		t.Run(test.description, func(t *testing.T) {
 			gin.SetMode(gin.TestMode)
@@ -59,8 +59,6 @@ type LDAPContext struct {
 type TailscaleContext struct {
 	BaseContext
 	UserID string
 	// for future use
 	Tags []string
 }
 func (c *UserContext) IsAuthenticated() bool {
@@ -101,366 +101,182 @@ func TestMemoryStore(t *testing.T) {
 			},
 		},
 		{
-			description: "Create and get OIDC code",
+			description: "Create and get OIDC session",
 			run: func(t *testing.T, s repository.Store) {
-				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
+				sess, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:              "sub-1",
-					CodeHash: "hash-1",
+					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 					Scope:            "openid",
 				})
 				require.NoError(t, err)
-				assert.Equal(t, "sub-1", code.Sub)
+				assert.Equal(t, "sub-1", sess.Sub)
-				// destructive read removes the record
+				got, err := s.GetOIDCSessionBySub(ctx, "sub-1")
 				got, err := s.GetOidcCode(ctx, "hash-1")
 				require.NoError(t, err)
-				assert.Equal(t, code, got)
+				assert.Equal(t, sess, got)
-
+			},
-				_, err = s.GetOidcCode(ctx, "hash-1")
+		},
 		{
 			description: "Get OIDC session by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC code not found",
+			description: "Get OIDC session by access token hash",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCode(ctx, "missing")
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// destructive — gone after read
 				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "hash-1", got.CodeHash)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC code unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
 			},
 		},
 		{
 			description: "Delete OIDC code",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC codes",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
 				require.NoError(t, err)
 				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
 				require.NoError(t, err)
 				require.Len(t, deleted, 1)
 				assert.Equal(t, "hash-1", deleted[0].CodeHash)
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC token",
 			run: func(t *testing.T, s repository.Store) {
 				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-hash-1",
 					CodeHash:        "code-hash-1",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", tok.Sub)
 				got, err := s.GetOidcToken(ctx, "at-hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, tok, got)
 			},
 		},
 		{
 			description: "Get OIDC token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC token unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
 			},
 		},
 		{
 			description: "Get OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
+				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
-			description: "Get OIDC token by refresh token not found",
+			description: "Get OIDC session by access token hash not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
+				_, err := s.GetOIDCSessionByAccessTokenHash(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC token by sub",
+			description: "Get OIDC session by refresh token hash",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 				})
 				require.NoError(t, err)
 				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "at-1", got.AccessTokenHash)
 			},
 		},
 		{
 			description: "Get OIDC token by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcTokenBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Update OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
+				got, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "rt-1")
-					RefreshTokenHash_2:    "rt-1",
+				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
 			description: "Get OIDC session by refresh token hash not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC session unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.sub")
 			},
 		},
 		{
 			description: "Create OIDC session unique access token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-1", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.access_token_hash")
 			},
 		},
 		{
 			description: "Create OIDC session unique refresh token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-1"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 			},
 		},
 		{
 			description: "Update OIDC session",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
 				updated, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
 					Sub:                   "sub-1",
 					AccessTokenHash:       "at-2",
 					RefreshTokenHash:      "rt-2",
 					Scope:                 "openid profile",
 					TokenExpiresAt:        200,
 					RefreshTokenExpiresAt: 400,
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "at-2", updated.AccessTokenHash)
 				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
 				assert.Equal(t, "openid profile", updated.Scope)
-				// old key gone, new key present
+				// updated token hashes are now queryable, old ones are gone
-				_, err = s.GetOidcToken(ctx, "at-1")
+				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-2")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				got, err := s.GetOidcToken(ctx, "at-2")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
-			},
+
-		},
+				_, err = s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
 		{
 			description: "Update OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 					RefreshTokenHash_2: "missing",
 				})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete OIDC token",
+			description: "Update OIDC session not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
+				_, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{Sub: "missing"})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC session by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
-				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
+				require.NoError(t, s.DeleteOIDCSessionBySub(ctx, "sub-1"))
-				_, err = s.GetOidcToken(ctx, "at-1")
+				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete OIDC token by sub",
+			description: "Delete expired OIDC sessions",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token by code hash",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 					CodeHash:        "code-1",
 				})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC tokens",
 			run: func(t *testing.T, s repository.Store) {
 				// both expiries past
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
-					Sub: "sub-1", AccessTokenHash: "at-1",
+					Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1",
 					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
 				})
 				require.NoError(t, err)
 				// valid
-				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
-					Sub: "sub-3", AccessTokenHash: "at-3",
+					Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2",
 					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
 				})
 				require.NoError(t, err)
-				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+				require.NoError(t, s.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
 					TokenExpiresAt:        50,
 					RefreshTokenExpiresAt: 50,
-				})
+				}))
 				require.NoError(t, err)
 				assert.Len(t, deleted, 1)
-				_, err = s.GetOidcToken(ctx, "at-3")
+				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				_, err = s.GetOIDCSessionBySub(ctx, "sub-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
 					Sub:   "sub-1",
 					Name:  "Alice",
 					Email: "alice@example.com",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", u.Sub)
 				got, err := s.GetOidcUserInfo(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, u, got)
 			},
 		},
 		{
 			description: "Get OIDC user info not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcUserInfo(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
 				_, err = s.GetOidcUserInfo(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 	}
 	for _, test := range tests {
@@ -7,235 +7,90 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
-func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCSession(_ context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	// Enforce sub UNIQUE constraint
+	// Enforce UNIQUE constraints (sub is the primary key, access/refresh token hashes are unique).
-	for _, c := range s.oidcCodes {
+	for _, sess := range s.oidcSessions {
-		if c.Sub == arg.Sub {
+		switch {
-			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
+		case sess.Sub == arg.Sub:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.sub")
 		case sess.AccessTokenHash == arg.AccessTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.access_token_hash")
 		case sess.RefreshTokenHash == arg.RefreshTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 		}
 	}
-	code := repository.OidcCode(arg)
+	sess := repository.OidcSession(arg)
-	s.oidcCodes[arg.CodeHash] = code
+	s.oidcSessions[arg.Sub] = sess
-	return code, nil
+	return sess, nil
 }
-// GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
+func (s *Store) GetOIDCSessionBySub(_ context.Context, sub string) (repository.OidcSession, error) {
-func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
+	s.mu.RLock()
-	s.mu.Lock()
+	defer s.mu.RUnlock()
-	defer s.mu.Unlock()
+	sess, ok := s.oidcSessions[sub]
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
-		return repository.OidcCode{}, repository.ErrNotFound
+		return repository.OidcSession{}, repository.ErrNotFound
 	}
-	delete(s.oidcCodes, codeHash)
+	return sess, nil
 	return c, nil
 }
-// GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
+func (s *Store) GetOIDCSessionByAccessTokenHash(_ context.Context, accessTokenHash string) (repository.OidcSession, error) {
 func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 // GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	c, ok := s.oidcCodes[codeHash]
+	for _, sess := range s.oidcSessions {
 		if sess.AccessTokenHash == accessTokenHash {
 			return sess, nil
 		}
 	}
 	return repository.OidcSession{}, repository.ErrNotFound
 }
 func (s *Store) GetOIDCSessionByRefreshTokenHash(_ context.Context, refreshTokenHash string) (repository.OidcSession, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, sess := range s.oidcSessions {
 		if sess.RefreshTokenHash == refreshTokenHash {
 			return sess, nil
 		}
 	}
 	return repository.OidcSession{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOIDCSession(_ context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	sess, ok := s.oidcSessions[arg.Sub]
 	if !ok {
-		return repository.OidcCode{}, repository.ErrNotFound
+		return repository.OidcSession{}, repository.ErrNotFound
 	}
-	return c, nil
+	sess.AccessTokenHash = arg.AccessTokenHash
 	sess.RefreshTokenHash = arg.RefreshTokenHash
 	sess.Scope = arg.Scope
 	sess.ClientID = arg.ClientID
 	sess.TokenExpiresAt = arg.TokenExpiresAt
 	sess.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 	sess.Nonce = arg.Nonce
 	sess.UserinfoJson = arg.UserinfoJson
 	s.oidcSessions[arg.Sub] = sess
 	return sess, nil
 }
-// GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
+func (s *Store) DeleteOIDCSessionBySub(_ context.Context, sub string) error {
 func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, c := range s.oidcCodes {
 		if c.Sub == sub {
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	delete(s.oidcCodes, codeHash)
+	delete(s.oidcSessions, sub)
 	return nil
 }
-func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
+func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	for k, c := range s.oidcCodes {
+	for k, sess := range s.oidcSessions {
-		if c.Sub == sub {
+		if sess.TokenExpiresAt < arg.TokenExpiresAt && sess.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
-			delete(s.oidcCodes, k)
+			delete(s.oidcSessions, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcCode
 	for k, c := range s.oidcCodes {
 		if c.ExpiresAt < expiresAt {
 			deleted = append(deleted, c)
 			delete(s.oidcCodes, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, t := range s.oidcTokens {
 		if t.Sub == arg.Sub {
 			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
 		}
 	}
 	tok := repository.OidcToken{
 		Sub:                   arg.Sub,
 		AccessTokenHash:       arg.AccessTokenHash,
 		RefreshTokenHash:      arg.RefreshTokenHash,
 		CodeHash:              arg.CodeHash,
 		Scope:                 arg.Scope,
 		ClientID:              arg.ClientID,
 		TokenExpiresAt:        arg.TokenExpiresAt,
 		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
 		Nonce:                 arg.Nonce,
 	}
 	s.oidcTokens[arg.AccessTokenHash] = tok
 	return tok, nil
 }
 func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	t, ok := s.oidcTokens[accessTokenHash]
 	if !ok {
 		return repository.OidcToken{}, repository.ErrNotFound
 	}
 	return t, nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.RefreshTokenHash == refreshTokenHash {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.Sub == sub {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
 			delete(s.oidcTokens, k)
 			t.AccessTokenHash = arg.AccessTokenHash
 			t.RefreshTokenHash = arg.RefreshTokenHash
 			t.TokenExpiresAt = arg.TokenExpiresAt
 			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 			s.oidcTokens[arg.AccessTokenHash] = t
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcTokens, accessTokenHash)
 	return nil
 }
 func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.Sub == sub {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.CodeHash == codeHash {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
 		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	u := repository.OidcUserinfo(arg)
 	s.oidcUsers[arg.Sub] = u
 	return u, nil
 }
 func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	u, ok := s.oidcUsers[sub]
 	if !ok {
 		return repository.OidcUserinfo{}, repository.ErrNotFound
 	}
 	return u, nil
 }
 func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcUsers, sub)
 	return nil
 }
@@ -11,17 +11,13 @@ import (
 type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
-	oidcCodes  map[string]repository.OidcCode
+	oidcSessions map[string]repository.OidcSession
 	oidcTokens map[string]repository.OidcToken
 	oidcUsers  map[string]repository.OidcUserinfo
 }
 // New returns a new empty in-memory Store.
 func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
-		oidcCodes:  make(map[string]repository.OidcCode),
+		oidcSessions: make(map[string]repository.OidcSession),
 		oidcTokens: make(map[string]repository.OidcToken),
 		oidcUsers:  make(map[string]repository.OidcUserinfo),
 	}
 }
@@ -17,49 +17,16 @@ type Session struct {
 	OAuthSub    string
 }
-type OidcCode struct {
+type OidcSession struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type CreateSessionParams struct {
@@ -89,18 +56,7 @@ type UpdateSessionParams struct {
 	UUID        string
 }
-type CreateOidcCodeParams struct {
+type CreateOIDCSessionParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -108,41 +64,23 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
-}
+	UserinfoJson          string
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type CreateOidcUserInfoParams struct {
 	Sub                   string
-	Name              string
+}
-	PreferredUsername string
+
-	Email             string
+type DeleteExpiredOIDCSessionsParams struct {
-	Groups            string
+	TokenExpiresAt        int64
-	UpdatedAt         int64
+	RefreshTokenExpiresAt int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
@@ -4,49 +4,16 @@
 package postgres
-type OidcCode struct {
+type OidcSession struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,60 +9,8 @@ import (
 	"context"
 )
-const createOidcCode = `-- name: CreateOidcCode :one
+const createOIDCSession = `-- name: CreateOIDCSession :one
-INSERT INTO "oidc_codes" (
+INSERT INTO "oidc_sessions" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -70,15 +18,15 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type CreateOidcTokenParams struct {
+type CreateOIDCSessionParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -86,12 +34,12 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
+func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, createOidcToken,
+	row := q.db.QueryRowContext(ctx, createOIDCSession,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -99,483 +47,164 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
+const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
-INSERT INTO "oidc_userinfo" (
+DELETE FROM "oidc_sessions"
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type DeleteExpiredOidcTokensParams struct {
+type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
+func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
-	if err != nil {
+	return err
 		return nil, err
 }
-	defer rows.Close()
+
-	var items []OidcToken
+const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
-	for rows.Next() {
+DELETE FROM "oidc_sessions"
-		var i OidcToken
+WHERE "sub" = $1
-		if err := rows.Scan(
+`
 func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
 	return err
 }
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
 	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 			&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
-		); err != nil {
+		&i.UserinfoJson,
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
 	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
-const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
+const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1
 `
-func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
+const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = $1
 `
-func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcUserInfo = `-- name: GetOidcUserInfo :one
+const updateOIDCSession = `-- name: UpdateOIDCSession :one
-SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+UPDATE "oidc_sessions" SET
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash" = $1,
    "refresh_token_hash" = $2,
-    "token_expires_at"         = $3,
+    "scope" = $3,
-    "refresh_token_expires_at" = $4
+    "client_id" = $4,
-WHERE "refresh_token_hash" = $5
+    "token_expires_at" = $5,
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+    "refresh_token_expires_at" = $6,
    "nonce" = $7,
    "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
+func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
+	row := q.db.QueryRowContext(ctx, updateOIDCSession,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
-		arg.RefreshTokenHash_2,
+		arg.Nonce,
 		arg.UserinfoJson,
 		arg.Sub,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -32,28 +32,12 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
+	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -64,124 +48,44 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
-	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
+	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
+func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
+	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCode(ctx, codeHash)
+	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySub(ctx, sub)
+	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
+	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -192,12 +96,12 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
+	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -4,49 +4,16 @@
 package sqlite
-type OidcCode struct {
+type OidcSession struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,60 +9,8 @@ import (
 	"context"
 )
-const createOidcCode = `-- name: CreateOidcCode :one
+const createOIDCSession = `-- name: CreateOIDCSession :one
-INSERT INTO "oidc_codes" (
+INSERT INTO "oidc_sessions" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -70,15 +18,15 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type CreateOidcTokenParams struct {
+type CreateOIDCSessionParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -86,12 +34,12 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
+func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, createOidcToken,
+	row := q.db.QueryRowContext(ctx, createOIDCSession,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -99,483 +47,164 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
+const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
-INSERT INTO "oidc_userinfo" (
+DELETE FROM "oidc_sessions"
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type DeleteExpiredOidcTokensParams struct {
+type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
+func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
-	if err != nil {
+	return err
 		return nil, err
 }
-	defer rows.Close()
+
-	var items []OidcToken
+const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
-	for rows.Next() {
+DELETE FROM "oidc_sessions"
-		var i OidcToken
+WHERE "sub" = ?
-		if err := rows.Scan(
+`
 func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
 	return err
 }
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
 	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 			&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
-		); err != nil {
+		&i.UserinfoJson,
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
 	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
-const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
+const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
-func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
+const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = ?
 `
-func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcUserInfo = `-- name: GetOidcUserInfo :one
+const updateOIDCSession = `-- name: UpdateOIDCSession :one
-SELECT sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+UPDATE "oidc_sessions" SET
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?
+    "refresh_token_expires_at" = ?,
-WHERE "refresh_token_hash" = ?
+    "nonce" = ?,
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+    "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
+func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
+	row := q.db.QueryRowContext(ctx, updateOIDCSession,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
-		arg.RefreshTokenHash_2,
+		arg.Nonce,
 		arg.UserinfoJson,
 		arg.Sub,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -32,28 +32,12 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
+	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -64,124 +48,44 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
-	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
+	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
+func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
+	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCode(ctx, codeHash)
+	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySub(ctx, sub)
+	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
+	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -192,12 +96,12 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
+	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -19,29 +19,12 @@ type Store interface {
 	DeleteSession(ctx context.Context, uuid string) error
 	DeleteExpiredSessions(ctx context.Context, expiry int64) error
-	// OIDC codes
+	// OIDC sessions
-	CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error)
+	CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error)
-	GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error)
+	DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error
-	GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error)
+	DeleteOIDCSessionBySub(ctx context.Context, sub string) error
-	GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error)
+	GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error)
-	GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error)
+	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
-	DeleteOidcCode(ctx context.Context, codeHash string) error
+	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
-	DeleteOidcCodeBySub(ctx context.Context, sub string) error
+	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
 	DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error)
 	// OIDC tokens
 	CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error)
 	GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error)
 	GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error)
 	GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error)
 	UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error)
 	DeleteOidcToken(ctx context.Context, accessTokenHash string) error
 	DeleteOidcTokenBySub(ctx context.Context, sub string) error
 	DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error
 	DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error)
 	// OIDC userinfo
 	CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error)
 	GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error)
 	DeleteOidcUserInfo(ctx context.Context, sub string) error
 }
@@ -15,8 +15,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"slices"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
@@ -54,27 +52,17 @@ type OAuthPendingSession struct {
 	CallbackParams OAuthURLParams
 }
 type LdapGroupsCache struct {
 	Groups  []string
 	Expires time.Time
 }
 type LoginAttempt struct {
 	FailedAttempts int
 	LastAttempt    time.Time
 	LockedUntil    time.Time
 }
 type Lockdown struct {
 	Active      bool
 	ActiveUntil time.Time
 }
 type AuthService struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
-	context context.Context
+	ctx     context.Context
 	ldap         *LdapService
 	queries      repository.Store
@@ -82,15 +70,19 @@ type AuthService struct {
 	tailscale    *TailscaleService
 	policyEngine *PolicyEngine
-	loginAttempts        map[string]*LoginAttempt
+	lockdown struct {
-	ldapGroupsCache      map[string]*LdapGroupsCache
+		active     bool
-	oauthPendingSessions map[string]*OAuthPendingSession
+		until      time.Time
-	oauthMutex           sync.RWMutex
+		ctx        context.Context
-	loginMutex           sync.RWMutex
+		cancelFunc context.CancelFunc
-	ldapGroupsMutex      sync.RWMutex
+		mu         sync.RWMutex
-	lockdown             *Lockdown
+	}
-	lockdownCtx          context.Context
+
-	lockdownCancelFunc   context.CancelFunc
+	caches struct {
 		login *CacheStore[LoginAttempt]
 		oauth *CacheStore[OAuthPendingSession]
 		ldap  *CacheStore[[]string]
 	}
 }
 func NewAuthService(
@@ -108,11 +100,8 @@ func NewAuthService(
 	service := &AuthService{
 		log:          log,
 		runtime:      runtime,
-		context:              ctx,
+		ctx:          ctx,
 		config:       config,
 		loginAttempts:        make(map[string]*LoginAttempt),
 		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
 		oauthPendingSessions: make(map[string]*OAuthPendingSession),
 		ldap:         ldap,
 		queries:      queries,
 		oauthBroker:  oauthBroker,
@@ -120,7 +109,30 @@ func NewAuthService(
 		policyEngine: policy,
 	}
-	dg.Go(service.cleanupOAuthSessions, ding.RingMinor)
+	// caches setup
 	oauthCache := NewCacheStore[OAuthPendingSession](256)
 	loginCache := NewCacheStore[LoginAttempt](1024)
 	ldapCache := NewCacheStore[[]string](1024)
 	service.caches.oauth = oauthCache
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
 	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.oauth.Sweep()
 				service.caches.login.Sweep()
 				service.caches.ldap.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service
 }
@@ -195,14 +207,12 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, errors.New("ldap service not configured")
 	}
-	auth.ldapGroupsMutex.RLock()
+	entry, exists := auth.caches.ldap.Get(userDN)
 	entry, exists := auth.ldapGroupsCache[userDN]
 	auth.ldapGroupsMutex.RUnlock()
-	if exists && time.Now().Before(entry.Expires) {
+	if exists {
 		return &model.LDAPUser{
 			DN:     userDN,
-			Groups: entry.Groups,
+			Groups: entry,
 		}, nil
 	}
@@ -212,12 +222,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, fmt.Errorf("failed to get ldap groups: %w", err)
 	}
-	auth.ldapGroupsMutex.Lock()
+	auth.caches.ldap.Set(userDN, groups, time.Duration(auth.config.LDAP.GroupCacheTTL)*time.Second)
 	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
 		Groups:  groups,
 		Expires: time.Now().Add(time.Duration(auth.config.LDAP.GroupCacheTTL) * time.Second),
 	}
 	auth.ldapGroupsMutex.Unlock()
 	return &model.LDAPUser{
 		DN:     userDN,
@@ -226,11 +231,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 }
 func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
-	auth.loginMutex.RLock()
+	if locked, remaining := auth.IsInLockdown(); locked {
 	defer auth.loginMutex.RUnlock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		remaining := int(time.Until(auth.lockdown.ActiveUntil).Seconds())
 		return true, remaining
 	}
@@ -238,7 +239,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 		return false, 0
 	}
-	attempt, exists := auth.loginAttempts[identifier]
+	attempt, exists := auth.caches.login.Get(identifier)
 	if !exists {
 		return false, 0
 	}
@@ -256,38 +257,50 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 		return
 	}
-	auth.loginMutex.Lock()
+	if auth.caches.login.Size() >= MaxLoginAttemptRecords {
-	defer auth.loginMutex.Unlock()
+		if locked, _ := auth.IsInLockdown(); locked {
 	if len(auth.loginAttempts) >= MaxLoginAttemptRecords {
 		if auth.lockdown != nil && auth.lockdown.Active {
 			return
 		}
 		go auth.lockdownMode()
 		return
 	}
-	attempt, exists := auth.loginAttempts[identifier]
+	auth.caches.login.WithLock(func(actions CacheStoreActions[LoginAttempt]) {
-	if !exists {
+		entry, ok := actions.Get(identifier)
-		attempt = &LoginAttempt{}
+
-		auth.loginAttempts[identifier] = attempt
+		if !ok {
 			attempt := LoginAttempt{
 				LastAttempt: time.Now(),
 			}
-
+			if !success {
-	attempt.LastAttempt = time.Now()
+				attempt.FailedAttempts = 1
 	if success {
 		attempt.FailedAttempts = 0
 		attempt.LockedUntil = time.Time{} // Reset lock time
 		return
 	}
 	attempt.FailedAttempts++
 				if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
 					attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 					auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 				}
 			}
 			// match current tinyauth behavior which doesn't expire rate limits
 			actions.Set(identifier, attempt, 0)
 			return
 		}
 		entry.LastAttempt = time.Now()
 		if success {
 			entry.FailedAttempts = 0
 			entry.LockedUntil = time.Time{}
 		} else {
 			entry.FailedAttempts++
 			if entry.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
 				entry.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 				auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", entry.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 			}
 		}
 		actions.Set(identifier, entry, 0)
 	})
 }
 // We could also directly access the policyEngine.effectToAccess but
 // I believe it's better to use the exported functions instead
@@ -504,8 +517,6 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 }
 func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()
 	service, ok := auth.oauthBroker.GetService(serviceName)
 	if !ok {
@@ -529,9 +540,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 		CallbackParams: params,
 	}
-	auth.oauthMutex.Lock()
+	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
 	auth.oauthPendingSessions[sessionId.String()] = &session
 	auth.oauthMutex.Unlock()
 	return sessionId.String(), session, nil
 }
@@ -547,10 +556,10 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
 }
 func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, ok := auth.caches.oauth.Get(sessionId)
-	if err != nil {
+	if !ok {
-		return nil, err
+		return nil, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
 	token, err := (*session.Service).GetToken(code, session.Verifier)
@@ -559,9 +568,14 @@ func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.T
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 	}
 	auth.oauthMutex.Lock()
 	session.Token = token
-	auth.oauthMutex.Unlock()
+
 	// ttl 0 means keep current expiration
 	ok = auth.caches.oauth.Update(sessionId, session, 0)
 	if !ok {
 		return nil, fmt.Errorf("failed to update oauth session with token: %s", sessionId)
 	}
 	return token, nil
 }
@@ -597,123 +611,39 @@ func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, er
 }
 func (auth *AuthService) EndOAuthSession(sessionId string) {
-	auth.oauthMutex.Lock()
+	auth.caches.oauth.Delete(sessionId)
 	delete(auth.oauthPendingSessions, sessionId)
 	auth.oauthMutex.Unlock()
 }
 func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {
 	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
 	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-ticker.C:
 			auth.log.App.Debug().Msg("Running OAuth session cleanup")
 			auth.oauthMutex.Lock()
 			now := time.Now()
 			for sessionId, session := range auth.oauthPendingSessions {
 				if now.After(session.ExpiresAt) {
 					delete(auth.oauthPendingSessions, sessionId)
 				}
 			}
 			auth.oauthMutex.Unlock()
 			auth.log.App.Debug().Msg("OAuth session cleanup completed")
 		case <-ctx.Done():
 			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
 			return
 		}
 	}
 }
 func (auth *AuthService) GetOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
-	auth.ensureOAuthSessionLimit()
+	session, exists := auth.caches.oauth.Get(sessionId)
 	auth.oauthMutex.RLock()
 	session, exists := auth.oauthPendingSessions[sessionId]
 	auth.oauthMutex.RUnlock()
 	if !exists {
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
-	if time.Now().After(session.ExpiresAt) {
+	return &session, nil
 		auth.oauthMutex.Lock()
 		delete(auth.oauthPendingSessions, sessionId)
 		auth.oauthMutex.Unlock()
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session expired: %s", sessionId)
 	}
 	return session, nil
 }
 func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
 	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
 		return
 	}
 	type entry struct {
 		id        string
 		expiresAt int64
 	}
 	entries := make([]entry, 0, len(auth.oauthPendingSessions))
 	for id, session := range auth.oauthPendingSessions {
 		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
 	}
 	slices.SortFunc(entries, func(a, b entry) int {
 		if a.expiresAt < b.expiresAt {
 			return -1
 		}
 		if a.expiresAt > b.expiresAt {
 			return 1
 		}
 		return 0
 	})
 	for _, e := range entries[:OAuthCleanupCount] {
 		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 func (auth *AuthService) lockdownMode() {
-	ctx, cancel := context.WithCancel(context.Background())
+	auth.lockdown.mu.Lock()
-	auth.loginMutex.Lock()
+	if auth.lockdown.active {
-
+		auth.lockdown.mu.Unlock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		auth.loginMutex.Unlock()
 		cancel()
 		return
 	}
-	auth.lockdownCtx = ctx
+	ctx, cancel := context.WithCancel(context.Background())
 	auth.lockdownCancelFunc = cancel
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
-	auth.lockdown = &Lockdown{
+	auth.lockdown.active = true
-		Active:      true,
+	auth.lockdown.ctx = ctx
-		ActiveUntil: time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second),
+	auth.lockdown.cancelFunc = cancel
-	}
+	auth.lockdown.until = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
-	// At this point all login attemps will also expire so,
+	timer := time.NewTimer(time.Until(auth.lockdown.until))
 	// we might as well clear them to free up memory
 	auth.loginAttempts = make(map[string]*LoginAttempt)
-	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
+	auth.lockdown.mu.Unlock()
 	auth.loginMutex.Unlock()
 	defer cancel()
 	defer timer.Stop()
@@ -723,24 +653,33 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
-	case <-auth.context.Done():
+	case <-auth.ctx.Done():
 		// Service is shutting down, end lockdown
 	}
-	auth.loginMutex.Lock()
+	auth.lockdown.mu.Lock()
 	auth.log.App.Info().Msg("Exiting lockdown mode")
-	auth.lockdown = nil
+	auth.lockdown.active = false
-	auth.loginMutex.Unlock()
+	auth.lockdown.until = time.Time{}
 	auth.lockdown.ctx = nil
 	auth.lockdown.cancelFunc = nil
 	auth.lockdown.mu.Unlock()
 }
-// Function only used for testing - do not use in prod!
+func (auth *AuthService) IsInLockdown() (bool, int) {
-func (auth *AuthService) ClearRateLimitsTestingOnly() {
+	auth.lockdown.mu.RLock()
-	auth.loginMutex.Lock()
+	defer auth.lockdown.mu.RUnlock()
-	auth.loginAttempts = make(map[string]*LoginAttempt)
+	if auth.lockdown.active {
-	if auth.lockdown != nil {
+		remaining := int(time.Until(auth.lockdown.until).Seconds())
-		auth.lockdownCancelFunc()
+		return true, remaining
 	}
-	auth.loginMutex.Unlock()
+	return false, 0
 }
 // mostly a testing function, not useful for anything else
 func (auth *AuthService) ClearLoginAttempts() {
 	auth.caches.login.Clear()
 }
@@ -0,0 +1,197 @@
 package service
 import (
 	"slices"
 	"sync"
 	"time"
 )
 type CacheStoreActions[T any] struct {
 	Set    func(key string, value T, ttl time.Duration)
 	Get    func(key string) (T, bool)
 	Delete func(key string)
 	Update func(key string, value T, ttl time.Duration) bool
 }
 type cacheEntry[T any] struct {
 	value     T
 	expiresAt *time.Time
 }
 type CacheStore[T any] struct {
 	cache   map[string]cacheEntry[T]
 	order   []string
 	mu      sync.RWMutex
 	maxSize int
 }
 func NewCacheStore[T any](maxSize int) *CacheStore[T] {
 	return &CacheStore[T]{
 		cache:   make(map[string]cacheEntry[T]),
 		order:   make([]string, 0),
 		maxSize: maxSize,
 	}
 }
 // With lock allows performing multiple operations on the cache store atomically.
 // The provided mutate function receives a set of actions (Set, Get, Delete) that
 // can be used to manipulate the cache store within the locked context.
 func (cs *CacheStore[T]) WithLock(mutate func(actions CacheStoreActions[T])) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	actions := CacheStoreActions[T]{
 		Set:    cs.setCallback,
 		Get:    cs.getCallback,
 		Delete: cs.deleteCallback,
 		Update: cs.updateCallback,
 	}
 	mutate(actions)
 }
 func (cs *CacheStore[T]) updateCallback(key string, value T, ttl time.Duration) bool {
 	if currentEntry, exists := cs.cache[key]; exists {
 		if currentEntry.expiresAt != nil && time.Now().After(*currentEntry.expiresAt) {
 			return false
 		}
 		entry := cacheEntry[T]{
 			value:     value,
 			expiresAt: currentEntry.expiresAt,
 		}
 		if ttl > 0 {
 			expiration := time.Now().Add(ttl)
 			entry.expiresAt = &expiration
 		}
 		cs.cache[key] = entry
 		return true
 	}
 	return false
 }
 func (cs *CacheStore[T]) Update(key string, value T, ttl time.Duration) bool {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	return cs.updateCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) setCallback(key string, value T, ttl time.Duration) {
 	if cs.maxSize > 0 {
 		if _, exists := cs.cache[key]; !exists && len(cs.cache) >= cs.maxSize {
 			cs.evictOne()
 		}
 	}
 	var expiresAt *time.Time
 	if ttl > 0 {
 		expiration := time.Now().Add(ttl)
 		expiresAt = &expiration
 	}
 	cs.cache[key] = cacheEntry[T]{
 		value:     value,
 		expiresAt: expiresAt,
 	}
 	if !slices.Contains(cs.order, key) {
 		cs.order = append(cs.order, key)
 	}
 }
 func (cs *CacheStore[T]) Set(key string, value T, ttl time.Duration) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.setCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) getCallback(key string) (T, bool) {
 	entry, exists := cs.cache[key]
 	if !exists {
 		var zero T
 		return zero, false
 	}
 	if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 		var zero T
 		return zero, false
 	}
 	return entry.value, true
 }
 func (cs *CacheStore[T]) Get(key string) (T, bool) {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return cs.getCallback(key)
 }
 func (cs *CacheStore[T]) deleteCallback(key string) {
 	delete(cs.cache, key)
 	keyIdx := slices.Index(cs.order, key)
 	if keyIdx != -1 {
 		cs.order = append(cs.order[:keyIdx], cs.order[keyIdx+1:]...)
 	}
 }
 func (cs *CacheStore[T]) Delete(key string) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.deleteCallback(key)
 }
 func (cs *CacheStore[T]) Sweep() {
 	cs.mu.Lock()
 	for key, entry := range cs.cache {
 		if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 			cs.deleteCallback(key)
 		}
 	}
 	cs.mu.Unlock()
 }
 func (cs *CacheStore[T]) evictOne() bool {
 	now := time.Now()
 	var oldestKey string
 	var oldestExp *time.Time
 	for k, e := range cs.cache {
 		if e.expiresAt != nil && now.After(*e.expiresAt) {
 			cs.deleteCallback(k)
 			return true
 		}
 		if e.expiresAt != nil && (oldestExp == nil || e.expiresAt.Before(*oldestExp)) {
 			oldestKey, oldestExp = k, e.expiresAt
 		}
 	}
 	// If we found an oldest key, evict it else we delete the first key in the order list
 	if oldestKey != "" {
 		cs.deleteCallback(oldestKey)
 		return true
 	} else {
 		if len(cs.order) > 0 {
 			cs.deleteCallback(cs.order[0])
 			return true
 		}
 	}
 	return false
 }
 func (cs *CacheStore[T]) Size() int {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return len(cs.cache)
 }
 func (cs *CacheStore[T]) Clear() {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.cache = make(map[string]cacheEntry[T])
 	cs.order = make([]string, 0)
 }
@@ -0,0 +1,383 @@
 package service
 import (
 	"strconv"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
 func TestCacheStoreGet(t *testing.T) {
 	tests := []struct {
 		name      string
 		setup     func(cs *CacheStore[string])
 		wantValue string
 		wantOk    bool
 	}{
 		{
 			name:      "returns a stored value",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", 0) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name:   "reports a missing key",
 			setup:  func(cs *CacheStore[string]) {},
 			wantOk: false,
 		},
 		{
 			name: "returns the latest value after an overwrite",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "first", 0)
 				cs.Set("key", "second", 0)
 			},
 			wantValue: "second",
 			wantOk:    true,
 		},
 		{
 			name:      "returns a non-expired entry",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", time.Minute) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name: "treats an expired entry as missing",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			wantOk: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			value, ok := cs.Get("key")
 			assert.Equal(t, tt.wantOk, ok)
 			if tt.wantOk {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreUpdate(t *testing.T) {
 	tests := []struct {
 		name        string
 		setup       func(cs *CacheStore[string])
 		ttl         time.Duration
 		wantOk      bool
 		afterWait   time.Duration
 		wantPresent bool
 		wantValue   string
 	}{
 		{
 			name:        "updates an existing entry",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 0) },
 			ttl:         0,
 			wantOk:      true,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name:        "does not create a missing entry",
 			setup:       func(cs *CacheStore[string]) {},
 			ttl:         0,
 			wantOk:      false,
 			wantPresent: false,
 		},
 		{
 			name:        "preserves the existing expiry when ttl is zero",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 30*time.Millisecond) },
 			ttl:         0,
 			wantOk:      true,
 			afterWait:   40 * time.Millisecond,
 			wantPresent: false,
 		},
 		{
 			name:        "refreshes the expiry when ttl is provided",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 10*time.Millisecond) },
 			ttl:         time.Minute,
 			wantOk:      true,
 			afterWait:   20 * time.Millisecond,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name: "does not update an expired entry",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "old", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			ttl:         time.Minute,
 			wantOk:      false,
 			wantPresent: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			ok := cs.Update("key", "new", tt.ttl)
 			assert.Equal(t, tt.wantOk, ok)
 			time.Sleep(tt.afterWait)
 			value, present := cs.Get("key")
 			assert.Equal(t, tt.wantPresent, present)
 			if tt.wantPresent {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreDelete(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		key      string
 		wantSize int
 	}{
 		{
 			name: "removes an existing key",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 			},
 			key:      "a",
 			wantSize: 1,
 		},
 		{
 			name:     "is a no-op for a missing key",
 			setup:    func(cs *CacheStore[string]) { cs.Set("a", "1", 0) },
 			key:      "missing",
 			wantSize: 1,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Delete(tt.key)
 			_, ok := cs.Get(tt.key)
 			assert.False(t, ok)
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSweep(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "removes expired entries and keeps the rest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("permanent", "value", 0)
 				cs.Set("expired", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			present:  []string{"permanent"},
 			absent:   []string{"expired"},
 			wantSize: 1,
 		},
 		{
 			name: "keeps all live entries",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "value", 0)
 				cs.Set("b", "value", time.Minute)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Sweep()
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreEviction(t *testing.T) {
 	// Every case uses a cache with maxSize 2; the final Set in setup is the
 	// insertion that overflows the cache and triggers an eviction.
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "evicts an already expired entry first",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("expired", "value", 10*time.Millisecond)
 				cs.Set("fresh", "value", time.Minute)
 				time.Sleep(20 * time.Millisecond)
 				cs.Set("new", "value", time.Minute)
 			},
 			present:  []string{"fresh", "new"},
 			absent:   []string{"expired"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the entry expiring soonest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("soon", "value", 50*time.Millisecond)
 				cs.Set("later", "value", time.Hour)
 				cs.Set("new", "value", time.Hour)
 			},
 			present:  []string{"later", "new"},
 			absent:   []string{"soon"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the oldest inserted entry when none have a ttl",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("first", "value", 0)
 				cs.Set("second", "value", 0)
 				cs.Set("third", "value", 0)
 			},
 			present:  []string{"second", "third"},
 			absent:   []string{"first"},
 			wantSize: 2,
 		},
 		{
 			name: "overwriting an existing key does not trigger eviction",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 				cs.Set("a", "updated", 0)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](2)
 			tt.setup(cs)
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSizeAndClear(t *testing.T) {
 	cs := NewCacheStore[string](0)
 	assert.Equal(t, 0, cs.Size())
 	cs.Set("a", "1", 0)
 	cs.Set("b", "2", 0)
 	assert.Equal(t, 2, cs.Size())
 	cs.Clear()
 	assert.Equal(t, 0, cs.Size())
 	_, ok := cs.Get("a")
 	assert.False(t, ok)
 }
 func TestCacheStoreWithLock(t *testing.T) {
 	cs := NewCacheStore[int](0)
 	cs.Set("counter", 1, 0)
 	// All four actions run atomically under a single lock.
 	cs.WithLock(func(actions CacheStoreActions[int]) {
 		current, ok := actions.Get("counter")
 		assert.True(t, ok)
 		actions.Set("counter", current+1, 0)
 		actions.Set("other", 100, 0)
 		actions.Delete("counter")
 		updated := actions.Update("other", 200, 0)
 		assert.True(t, updated)
 	})
 	_, ok := cs.Get("counter")
 	assert.False(t, ok)
 	value, ok := cs.Get("other")
 	assert.True(t, ok)
 	assert.Equal(t, 200, value)
 }
 // TestCacheStoreConcurrency exercises every locking path concurrently so the
 // race detector (go test -race) can flag unsynchronised access.
 func TestCacheStoreConcurrency(t *testing.T) {
 	cs := NewCacheStore[int](64)
 	const goroutines = 16
 	const iterations = 200
 	var wg sync.WaitGroup
 	wg.Add(goroutines)
 	for g := range goroutines {
 		go func(g int) {
 			defer wg.Done()
 			for i := range iterations {
 				key := strconv.Itoa((g*iterations + i) % 32)
 				switch i % 6 {
 				case 0:
 					cs.Set(key, i, time.Minute)
 				case 1:
 					cs.Get(key)
 				case 2:
 					cs.Update(key, i, time.Minute)
 				case 3:
 					cs.Delete(key)
 				case 4:
 					cs.Size()
 				case 5:
 					cs.WithLock(func(actions CacheStoreActions[int]) {
 						if v, ok := actions.Get(key); ok {
 							actions.Set(key, v+1, time.Minute)
 						}
 					})
 				}
 			}
 		}(g)
 	}
 	wg.Wait()
 }
@@ -17,7 +17,7 @@ type GithubEmailResponse []struct {
 	Verified bool   `json:"verified"`
 }
-type GithubUserInfoResponse struct {
+type GithubUserinfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
 	ID    int    `json:"id"`
@@ -30,7 +30,7 @@ func defaultExtractor(client *http.Client, url string) (*model.Claims, error) {
 func githubExtractor(client *http.Client, _ string) (*model.Claims, error) {
 	var user model.Claims
-	userInfo, err := simpleReq[GithubUserInfoResponse](client, "https://api.github.com/user", map[string]string{
+	userInfo, err := simpleReq[GithubUserinfoResponse](client, "https://api.github.com/user", map[string]string{
 		"accept": "application/vnd.github+json",
 	})
 	if err != nil {
@@ -10,13 +10,13 @@ import (
 	"golang.org/x/oauth2"
 )
-type UserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
+type OAuthUserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
 type OAuthService struct {
 	serviceCfg        model.OAuthServiceConfig
 	config            *oauth2.Config
 	ctx               context.Context
-	userinfoExtractor UserinfoExtractor
+	userinfoExtractor OAuthUserinfoExtractor
 	id                string
 }
@@ -50,7 +50,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 	}
 }
-func (s *OAuthService) WithUserinfoExtractor(extractor UserinfoExtractor) *OAuthService {
+func (s *OAuthService) WithUserinfoExtractor(extractor OAuthUserinfoExtractor) *OAuthService {
 	s.userinfoExtractor = extractor
 	return s
 }
@@ -19,7 +19,6 @@ import (
 	"slices"
 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -42,6 +41,10 @@ var (
 	ErrInvalidClient = errors.New("invalid_client")
 )
 // This is not spec-compliant, the ID token SHOULD NOT contain user info claims but,
 // it has became a "standard" and apps are looking for the claims in the ID tokens
 // instead of calling the userinfo endpoint, so we include them in the ID token as well
 // for better compatibility with existing apps
 type ClaimSet struct {
 	Iss               string   `json:"iss"`
 	Aud               string   `json:"aud"`
@@ -67,6 +70,8 @@ type ClaimSet struct {
 	Nonce             string   `json:"nonce,omitempty"`
 }
 // We use this struct as both a response struct and a struct to store userinfo
 // in the database
 type UserinfoResponse struct {
 	Sub                 string              `json:"sub"`
 	Name                string              `json:"name,omitempty"`
@@ -111,6 +116,20 @@ type AuthorizeRequest struct {
 	CodeChallengeMethod string `json:"code_challenge_method"`
 }
 type AuthorizeCodeEntry struct {
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	Nonce         string
 	CodeChallenge string
 	Userinfo      UserinfoResponse
 }
 type UsedCodeEntry struct {
 	Sub string
 }
 type OIDCService struct {
 	log     *logger.Logger
 	config  model.Config
@@ -121,6 +140,11 @@ type OIDCService struct {
 	privateKey *rsa.PrivateKey
 	publicKey  *rsa.PublicKey
 	issuer     string
 	caches struct {
 		code     *CacheStore[AuthorizeCodeEntry]
 		usedCode *CacheStore[UsedCodeEntry]
 	}
 }
 func NewOIDCService(
@@ -284,6 +308,28 @@ func NewOIDCService(
 	// Start cleanup routine
 	dg.Go(service.cleanupRoutine, ding.RingMinor)
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
 	// Start cache cleanup routine
 	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service, nil
 }
@@ -345,19 +391,17 @@ func (service *OIDCService) filterScopes(scopes []string) []string {
 	})
 }
-func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, req AuthorizeRequest) error {
+func (service *OIDCService) CreateCode(req AuthorizeRequest, userContext model.UserContext) string {
-	// Fixed 10 minutes
+	code := utils.GenerateString(32)
-	expiresAt := time.Now().Add(time.Minute * time.Duration(10)).Unix()
+	sub := service.CreateSub(userContext, req.ClientID)
-	entry := repository.CreateOidcCodeParams{
+	entry := AuthorizeCodeEntry{
 		Sub:      sub,
 		CodeHash:    service.Hash(code),
-		// Here it's safe to split and trust the output since, we validated the scopes before
+		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), " "),
 		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), ","),
 		RedirectURI: req.RedirectURI,
 		ClientID:    req.ClientID,
 		ExpiresAt:   expiresAt,
 		Nonce:       req.Nonce,
 		Userinfo:    service.userinfoFromContext(userContext, sub),
 	}
 	if req.CodeChallenge != "" {
@@ -369,14 +413,14 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 		}
 	}
-	// Insert the code into the database
+	// Store the code in the cache
-	_, err := service.queries.CreateOidcCode(c, entry)
+	service.caches.code.Set(entry.CodeHash, entry, 1*time.Minute)
-	return err
+	return code
 }
-func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContext model.UserContext, req AuthorizeRequest) error {
+func (service *OIDCService) userinfoFromContext(userContext model.UserContext, sub string) UserinfoResponse {
-	userInfoParams := repository.CreateOidcUserInfoParams{
+	userInfo := UserinfoResponse{
 		Sub:               sub,
 		Name:              userContext.GetName(),
 		Email:             userContext.GetEmail(),
@@ -385,37 +429,31 @@ func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContex
 	}
 	if userContext.IsLocal() {
-		addressJSON, err := json.Marshal(userContext.Local.Attributes.Address)
+		userInfo.GivenName = userContext.Local.Attributes.GivenName
-		if err != nil {
+		userInfo.FamilyName = userContext.Local.Attributes.FamilyName
-			return err
+		userInfo.MiddleName = userContext.Local.Attributes.MiddleName
-		}
+		userInfo.Nickname = userContext.Local.Attributes.Nickname
-		userInfoParams.GivenName = userContext.Local.Attributes.GivenName
+		userInfo.Profile = userContext.Local.Attributes.Profile
-		userInfoParams.FamilyName = userContext.Local.Attributes.FamilyName
+		userInfo.Picture = userContext.Local.Attributes.Picture
-		userInfoParams.MiddleName = userContext.Local.Attributes.MiddleName
+		userInfo.Website = userContext.Local.Attributes.Website
-		userInfoParams.Nickname = userContext.Local.Attributes.Nickname
+		userInfo.Gender = userContext.Local.Attributes.Gender
-		userInfoParams.Profile = userContext.Local.Attributes.Profile
+		userInfo.Birthdate = userContext.Local.Attributes.Birthdate
-		userInfoParams.Picture = userContext.Local.Attributes.Picture
+		userInfo.Zoneinfo = userContext.Local.Attributes.Zoneinfo
-		userInfoParams.Website = userContext.Local.Attributes.Website
+		userInfo.Locale = userContext.Local.Attributes.Locale
-		userInfoParams.Gender = userContext.Local.Attributes.Gender
+		userInfo.PhoneNumber = userContext.Local.Attributes.PhoneNumber
-		userInfoParams.Birthdate = userContext.Local.Attributes.Birthdate
+		userInfo.Address = &userContext.Local.Attributes.Address
 		userInfoParams.Zoneinfo = userContext.Local.Attributes.Zoneinfo
 		userInfoParams.Locale = userContext.Local.Attributes.Locale
 		userInfoParams.PhoneNumber = userContext.Local.Attributes.PhoneNumber
 		userInfoParams.Address = string(addressJSON)
 	}
 	// Tinyauth will pass through the groups it got from an LDAP or an OIDC server
 	if userContext.IsLDAP() {
-		userInfoParams.Groups = strings.Join(userContext.LDAP.Groups, ",")
+		userInfo.Groups = userContext.LDAP.Groups
 	}
 	if userContext.IsOAuth() {
-		userInfoParams.Groups = strings.Join(userContext.OAuth.Groups, ",")
+		userInfo.Groups = userContext.OAuth.Groups
 	}
-	_, err := service.queries.CreateOidcUserInfo(c, userInfoParams)
+	return userInfo
 	return err
 }
 func (service *OIDCService) ValidateGrantType(grantType string) error {
@@ -426,36 +464,34 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }
-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(codeHash string, clientId string) (*AuthorizeCodeEntry, bool) {
-	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
+	var entry AuthorizeCodeEntry
 	var ok bool
-	if err != nil {
+	service.caches.code.WithLock(func(actions CacheStoreActions[AuthorizeCodeEntry]) {
-		if errors.Is(err, repository.ErrNotFound) {
+		entry, ok = actions.Get(codeHash)
-			return repository.OidcCode{}, ErrCodeNotFound
+
-		}
+		if !ok {
-		return repository.OidcCode{}, err
+			return
 		}
-	if time.Now().Unix() > oidcCode.ExpiresAt {
+		if entry.ClientID != clientId {
-		err = service.queries.DeleteOidcCode(c, codeHash)
+			ok = false
-		if err != nil {
+			return
 			return repository.OidcCode{}, err
 		}
 		err = service.DeleteUserinfo(c, oidcCode.Sub)
 		if err != nil {
 			return repository.OidcCode{}, err
 		}
 		return repository.OidcCode{}, ErrCodeExpired
 		}
-	if oidcCode.ClientID != clientId {
+		// Since the code can only be used once, we delete it from the cache after retrieving it
-		return repository.OidcCode{}, ErrInvalidClient
+		actions.Delete(codeHash)
 	})
 	if !ok {
 		return nil, false
 	}
-	return oidcCode, nil
+	return &entry, true
 }
-func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
+func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user UserinfoResponse, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
@@ -521,17 +557,11 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 	return token, nil
 }
-func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OIDCClientConfig, codeEntry repository.OidcCode) (TokenResponse, error) {
+func (service *OIDCService) GenerateAccessToken(ctx context.Context, client model.OIDCClientConfig, codeEntry AuthorizeCodeEntry) (*TokenResponse, error) {
-	user, err := service.GetUserinfo(c, codeEntry.Sub)
+	idToken, err := service.generateIDToken(client, codeEntry.Userinfo, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	idToken, err := service.generateIDToken(client, user, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -551,56 +581,68 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OID
 		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
-	_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
+	var userInfoJson []byte
-		Sub:                   codeEntry.Sub,
+
 	userInfoJson, err = json.Marshal(codeEntry.Userinfo)
 	if err != nil {
 		return nil, err
 	}
 	_, err = service.queries.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 		Sub:                   codeEntry.Userinfo.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(refreshToken),
 		ClientID:              client.ClientID,
 		Scope:                 codeEntry.Scope,
 		ClientID:              client.ClientID,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
-		CodeHash:              codeEntry.CodeHash,
+		UserinfoJson:          string(userInfoJson),
 	})
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
-	return tokenResponse, nil
+	return &tokenResponse, nil
 }
-func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string, reqClientId string) (TokenResponse, error) {
+func (service *OIDCService) RefreshAccessToken(ctx context.Context, refreshToken string, clientId string) (*TokenResponse, error) {
-	entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken))
+	entry, err := service.queries.GetOIDCSessionByRefreshTokenHash(ctx, service.Hash(refreshToken))
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return TokenResponse{}, ErrTokenNotFound
+			return nil, ErrTokenNotFound
 		}
-		return TokenResponse{}, err
+		return nil, err
 	}
 	if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-		return TokenResponse{}, ErrTokenExpired
+		return nil, ErrTokenExpired
 	}
 	// Ensure the client ID in the request matches the client ID in the token
-	if entry.ClientID != reqClientId {
+	if entry.ClientID != clientId {
-		return TokenResponse{}, ErrInvalidClient
+		return nil, ErrInvalidClient
 	}
-	user, err := service.GetUserinfo(c, entry.Sub)
+	// we need to unmarshal the userinfo from the database to include it in the new ID token,
 	// since the ID token includes user claims for better compatibility with existing apps
 	var userInfo UserinfoResponse
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userInfo)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	idToken, err := service.generateIDToken(model.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, user, entry.Scope, entry.Nonce)
+	}, userInfo, entry.Scope, entry.Nonce)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -618,71 +660,54 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
-	_, err = service.queries.UpdateOidcTokenByRefreshToken(c, repository.UpdateOidcTokenByRefreshTokenParams{
+	_, err = service.queries.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
 		Sub:                   entry.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(newRefreshToken),
 		Scope:                 entry.Scope,
 		ClientID:              entry.ClientID,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
-		RefreshTokenHash_2:    service.Hash(refreshToken), // that's the selector, it's not stored in the db
+		Nonce:                 entry.Nonce,
 		UserinfoJson:          entry.UserinfoJson,
 	})
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
-	return tokenResponse, nil
+	return &tokenResponse, nil
 }
-func (service *OIDCService) DeleteCodeEntry(c *gin.Context, codeHash string) error {
+func (service *OIDCService) GetSessionByToken(ctx context.Context, tokenHash string) (*repository.OidcSession, error) {
-	return service.queries.DeleteOidcCode(c, codeHash)
+	entry, err := service.queries.GetOIDCSessionByAccessTokenHash(ctx, tokenHash)
 }
 func (service *OIDCService) DeleteUserinfo(c *gin.Context, sub string) error {
 	return service.queries.DeleteOidcUserInfo(c, sub)
 }
 func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error {
 	return service.queries.DeleteOidcToken(c, tokenHash)
 }
 func (service *OIDCService) DeleteTokenByCodeHash(c *gin.Context, codeHash string) error {
 	return service.queries.DeleteOidcTokenByCodeHash(c, codeHash)
 }
 func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
 	entry, err := service.queries.GetOidcToken(c, tokenHash)
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return repository.OidcToken{}, ErrTokenNotFound
+			return nil, ErrTokenNotFound
 		}
-		return repository.OidcToken{}, err
+		return nil, err
 	}
 	if entry.TokenExpiresAt < time.Now().Unix() {
-		// If refresh token is expired, delete the token and userinfo since there is no way for the client to access anything anymore
+		// If refresh token is expired, delete the session
 		// since there is no way for the client to access anything anymore
 		if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-			err := service.DeleteToken(c, tokenHash)
+			// Deletes by sub
 			err := service.queries.DeleteOIDCSessionBySub(ctx, entry.Sub)
 			if err != nil {
-				return repository.OidcToken{}, err
+				return nil, err
 			}
-			err = service.DeleteUserinfo(c, entry.Sub)
+			return nil, ErrTokenExpired
 			if err != nil {
 				return repository.OidcToken{}, err
 		}
-		}
+		return nil, ErrTokenExpired
 		return repository.OidcToken{}, ErrTokenExpired
 	}
-	return entry, nil
+	return &entry, nil
 }
-func (service *OIDCService) GetUserinfo(c *gin.Context, sub string) (repository.OidcUserinfo, error) {
+func (service *OIDCService) CompileUserinfo(user UserinfoResponse, scope string) UserinfoResponse {
-	return service.queries.GetOidcUserInfo(c, sub)
+	scopes := strings.Split(scope, " ")
 }
 func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope string) UserinfoResponse {
 	scopes := strings.Split(scope, ",") // split by comma since it's a db entry
 	userInfo := UserinfoResponse{
 		Sub:       user.Sub,
 		UpdatedAt: user.UpdatedAt,
@@ -710,11 +735,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	}
 	if slices.Contains(scopes, "groups") {
-		if user.Groups != "" {
+		userInfo.Groups = user.Groups
 			userInfo.Groups = strings.Split(user.Groups, ",")
 		} else {
 			userInfo.Groups = []string{}
 		}
 	}
 	if slices.Contains(scopes, "phone") {
@@ -724,10 +745,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	}
 	if slices.Contains(scopes, "address") {
-		var addr model.AddressClaim
+		userInfo.Address = user.Address
 		if err := json.Unmarshal([]byte(user.Address), &addr); err == nil {
 			userInfo.Address = &addr
 		}
 	}
 	return userInfo
@@ -740,25 +758,16 @@ func (service *OIDCService) Hash(token string) string {
 }
 func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) error {
-	err := service.queries.DeleteOidcCodeBySub(ctx, sub)
+	err := service.queries.DeleteOIDCSessionBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcTokenBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcUserInfo(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	return nil
 }
 // Cleanup routine - Resource heavy due to the linked tables
 func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
-	ticker := time.NewTicker(time.Duration(30) * time.Minute)
+	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 	for {
@@ -768,46 +777,14 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			currentTime := time.Now().Unix()
-			// For the OIDC tokens, if they are expired we delete the userinfo and codes
+			// Limitation of sqlc, meaning we need to specify a timestamp for both token and refresh token expiry
-			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+			err := service.queries.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
 				TokenExpiresAt:        currentTime,
 				RefreshTokenExpiresAt: currentTime,
 			})
 			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired tokens")
+				service.log.App.Warn().Err(err).Msg("Failed to delete expired OIDC sessions")
 			}
 			for _, expiredToken := range expiredTokens {
 				err := service.DeleteOldSession(ctx, expiredToken.Sub)
 				if err != nil {
 					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
 				}
 			}
 			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
 			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
 			if err != nil {
 				service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
 			}
 			for _, expiredCode := range expiredCodes {
 				token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
 				if err != nil {
 					if !errors.Is(err, repository.ErrNotFound) {
 						service.log.App.Warn().Err(err).Msg("Failed to get token by sub for expired code")
 					}
 					continue
 				}
 				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
 					err := service.DeleteOldSession(ctx, expiredCode.Sub)
 					if err != nil {
 						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
 					}
 				}
 			}
 			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
@@ -851,3 +828,31 @@ func (service *OIDCService) hashAndEncodePKCE(codeVerifier string) string {
 	hasher.Write([]byte(codeVerifier))
 	return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
 }
 // WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes.
 // We will just create a uuid out of the username and client name which remains stable,
 // but if username or client name changes then sub changes too.
 func (service *OIDCService) CreateSub(userContext model.UserContext, clientId string) string {
 	return utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), clientId))
 }
 func (service *OIDCService) IsCodeUsed(codeHash string) (string, bool) {
 	entry, ok := service.caches.usedCode.Get(codeHash)
 	if !ok {
 		return "", false
 	}
 	return entry.Sub, true
 }
 func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 	entry := UsedCodeEntry{
 		Sub: sub,
 	}
 	service.caches.usedCode.Set(codeHash, entry, 2*time.Minute)
 }
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
@@ -2,7 +2,6 @@ package service_test
 import (
 	"context"
 	"encoding/json"
 	"testing"
 	"github.com/steveiliop56/ding"
@@ -10,28 +9,17 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
-func newTestUser() repository.OidcUserinfo {
+func newTestUser() service.UserinfoResponse {
-	addr := model.AddressClaim{
+	return service.UserinfoResponse{
 		Formatted:     "123 Main St",
 		StreetAddress: "123 Main St",
 		Locality:      "Springfield",
 		Region:        "IL",
 		PostalCode:    "62701",
 		Country:       "US",
 	}
 	addrJSON, _ := json.Marshal(addr)
 	return repository.OidcUserinfo{
 		Sub:               "test-sub",
 		Name:              "Test User",
 		PreferredUsername: "testuser",
 		Email:             "test@example.com",
-		Groups:            "admins,users",
+		Groups:            []string{"admins", "users"},
 		UpdatedAt:         1234567890,
 		GivenName:         "Test",
 		FamilyName:        "User",
@@ -45,7 +33,14 @@ func newTestUser() repository.OidcUserinfo {
 		Zoneinfo:          "America/Chicago",
 		Locale:            "en-US",
 		PhoneNumber:       "+15555550100",
-		Address:           string(addrJSON),
+		Address: &model.AddressClaim{
 			Formatted:     "123 Main St",
 			StreetAddress: "123 Main St",
 			Locality:      "Springfield",
 			Region:        "IL",
 			PostalCode:    "62701",
 			Country:       "US",
 		},
 	}
 }
@@ -77,7 +72,7 @@ func TestCompileUserinfo(t *testing.T) {
 	type testCase struct {
 		description string
-		mutate      func(u *repository.OidcUserinfo)
+		mutate      func(u *service.UserinfoResponse)
 		scope       string
 		run         func(t *testing.T, info service.UserinfoResponse)
 	}
@@ -98,7 +93,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "profile scope returns all profile fields",
-			scope:       "openid,profile",
+			scope:       "openid profile",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "testuser", info.PreferredUsername)
@@ -118,7 +113,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email and email_verified true when email present",
-			scope:       "openid,email",
+			scope:       "openid email",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.True(t, info.EmailVerified)
@@ -127,8 +122,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email_verified false when email absent",
-			scope:       "openid,email",
+			scope:       "openid email",
-			mutate:      func(u *repository.OidcUserinfo) { u.Email = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.Email = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Empty(t, info.Email)
 				assert.False(t, info.EmailVerified)
@@ -136,7 +131,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "phone scope sets phone_number_verified true when phone present",
-			scope:       "openid,phone",
+			scope:       "openid phone",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
 				require.NotNil(t, info.PhoneNumberVerified)
@@ -145,8 +140,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "phone scope sets phone_number_verified false when phone absent",
-			scope:       "openid,phone",
+			scope:       "openid phone",
-			mutate:      func(u *repository.OidcUserinfo) { u.PhoneNumber = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.PhoneNumber = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.False(t, *info.PhoneNumberVerified)
@@ -154,7 +149,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "address scope returns parsed address",
-			scope:       "openid,address",
+			scope:       "openid address",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.Address)
 				assert.Equal(t, "123 Main St", info.Address.Formatted)
@@ -165,32 +160,16 @@ func TestCompileUserinfo(t *testing.T) {
 				assert.Equal(t, "US", info.Address.Country)
 			},
 		},
 		{
 			description: "address scope with invalid JSON omits address",
 			scope:       "openid,address",
 			mutate:      func(u *repository.OidcUserinfo) { u.Address = "not-valid-json" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Nil(t, info.Address)
 			},
 		},
 		{
 			description: "groups scope returns split groups",
-			scope:       "openid,groups",
+			scope:       "openid groups",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{"admins", "users"}, info.Groups)
 			},
 		},
 		{
 			description: "groups scope returns empty slice when no groups",
 			scope:       "openid,groups",
 			mutate:      func(u *repository.OidcUserinfo) { u.Groups = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{}, info.Groups)
 			},
 		},
 		{
 			description: "all scopes return all fields",
-			scope:       "openid,profile,email,phone,address,groups",
+			scope:       "openid profile email phone address groups",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "test@example.com", info.Email)
@@ -21,7 +21,6 @@ type TailscaleWhoisResponse struct {
 	LoginName   string
 	DisplayName string
 	NodeName    string
 	Tags        []string
 }
 type TailscaleService struct {
@@ -115,14 +114,22 @@ func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleW
 		return nil, fmt.Errorf("failed to get client whois: %w", err)
 	}
 	if who.Node.IsTagged() {
 		ts.log.App.Debug().Msgf("Skipping whois for tagged node %s", who.Node.Name)
 		return nil, nil
 	}
 	uid := strings.TrimPrefix(who.UserProfile.ID.String(), "userid:")
 	res := TailscaleWhoisResponse{
-		UserID:      who.UserProfile.ID.String(),
+		UserID:      uid,
 		LoginName:   who.UserProfile.LoginName,
 		DisplayName: who.UserProfile.DisplayName,
 		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
 		Tags:        who.Node.Tags,
 	}
 	ts.log.App.Debug().Interface("res", res).Msg("tailscale")
 	return &res, nil
 }
@@ -1,46 +1,17 @@
-- name: CreateOidcCode :one
+-- name: GetOIDCSessionBySub :one
-INSERT INTO "oidc_codes" (
+SELECT * FROM "oidc_sessions"
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = $1;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = $1;
-- name: GetOidcCodeBySub :one
+-- name: GetOIDCSessionByAccessTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "sub" = $1
+WHERE "access_token_hash" = $1;
 RETURNING *;
-- name: DeleteOidcCode :exec
+-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "code_hash" = $1;
+WHERE "refresh_token_hash" = $1;
-- name: DeleteOidcCodeBySub :exec
+-- name: CreateOIDCSession :one
-DELETE FROM "oidc_codes"
+INSERT INTO "oidc_sessions" (
 WHERE "sub" = $1;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -48,86 +19,30 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
 RETURNING *;
-- name: UpdateOidcTokenByRefreshToken :one
+-- name: DeleteOIDCSessionBySub :exec
-UPDATE "oidc_tokens" SET
+DELETE FROM "oidc_sessions"
 WHERE "sub" = $1;
 -- name: DeleteExpiredOIDCSessions :exec
 DELETE FROM "oidc_sessions"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2;
 -- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = $1,
    "refresh_token_hash" = $2,
-    "token_expires_at"         = $3,
+    "scope" = $3,
-    "refresh_token_expires_at" = $4
+    "client_id" = $4,
-WHERE "refresh_token_hash" = $5
+    "token_expires_at" = $5,
-RETURNING *;
+    "refresh_token_expires_at" = $6,
-
+    "nonce" = $7,
-- name: GetOidcToken :one
+    "userinfo_json" = $8
-SELECT * FROM "oidc_tokens"
+WHERE "sub" = $9
 WHERE "access_token_hash" = $1;
 -- name: GetOidcTokenByRefreshToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = $1;
 -- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = $1;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = $1;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING *;
 -- name: GetOidcUserInfo :one
 SELECT * FROM "oidc_userinfo"
 WHERE "sub" = $1;
 -- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = $1;
 -- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING *;
 -- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING *;
@@ -1,44 +1,11 @@
-CREATE TABLE IF NOT EXISTS "oidc_codes" (
+CREATE TABLE IF NOT EXISTS "oidc_sessions" (
-    "sub"            TEXT   NOT NULL UNIQUE,
+    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
+    "access_token_hash" TEXT NOT NULL UNIQUE,
-    "scope"          TEXT   NOT NULL,
+    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
-    "nonce"                    TEXT   NOT NULL DEFAULT ''
+    "nonce" TEXT NOT NULL DEFAULT '',
-);
+    "userinfo_json" TEXT NOT NULL
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -1,46 +1,17 @@
-- name: CreateOidcCode :one
+-- name: GetOIDCSessionBySub :one
-INSERT INTO "oidc_codes" (
+SELECT * FROM "oidc_sessions"
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = ?;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = ?;
-- name: GetOidcCodeBySub :one
+-- name: GetOIDCSessionByAccessTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "sub" = ?
+WHERE "access_token_hash" = ?;
 RETURNING *;
-- name: DeleteOidcCode :exec
+-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "code_hash" = ?;
+WHERE "refresh_token_hash" = ?;
-- name: DeleteOidcCodeBySub :exec
+-- name: CreateOIDCSession :one
-DELETE FROM "oidc_codes"
+INSERT INTO "oidc_sessions" (
 WHERE "sub" = ?;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -48,86 +19,30 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
-- name: UpdateOidcTokenByRefreshToken :one
+-- name: DeleteOIDCSessionBySub :exec
-UPDATE "oidc_tokens" SET
+DELETE FROM "oidc_sessions"
 WHERE "sub" = ?;
 -- name: DeleteExpiredOIDCSessions :exec
 DELETE FROM "oidc_sessions"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?;
 -- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?
+    "refresh_token_expires_at" = ?,
-WHERE "refresh_token_hash" = ?
+    "nonce" = ?,
-RETURNING *;
+    "userinfo_json" = ?
-
+WHERE "sub" = ?
 -- name: GetOidcToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: GetOidcTokenByRefreshToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 -- name: GetOidcUserInfo :one
 SELECT * FROM "oidc_userinfo"
 WHERE "sub" = ?;
 -- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?;
 -- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING *;
 -- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING *;
@@ -1,44 +1,11 @@
-CREATE TABLE IF NOT EXISTS "oidc_codes" (
+CREATE TABLE IF NOT EXISTS "oidc_sessions" (
-    "sub" TEXT NOT NULL UNIQUE,
+    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "access_token_hash" TEXT NOT NULL UNIQUE,
-    "scope" TEXT NOT NULL,
+    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
-    "nonce" TEXT DEFAULT ""
+    "nonce" TEXT NOT NULL DEFAULT "",
-);
+    "userinfo_json" TEXT NOT NULL
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
    "name"                  TEXT    NOT NULL,
    "preferred_username"    TEXT    NOT NULL,
    "email"                 TEXT    NOT NULL,
    "groups"                TEXT    NOT NULL,
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
@@ -22,11 +22,7 @@ sql:
            go_type: "string"
          - column: "sessions.ldap_groups"
            go_type: "string"
-          - column: "oidc_codes.nonce"
+          - column: "oidc_sessions.nonce"
            go_type: "string"
          - column: "oidc_tokens.nonce"
            go_type: "string"
          - column: "oidc_codes.code_challenge"
            go_type: "string"
  - engine: "postgresql"
    queries: "sql/postgres/*_queries.sql"
Author	SHA1	Message	Date
Stavros	6ff7e111b8	fix: fix typo in get code entry	2026-06-02 12:46:27 +03:00
Stavros	b636e6ff57	fix: use withlock for get oidc code entry	2026-06-02 12:14:10 +03:00
Stavros	b3c152fa1c	chore: rabbit comments	2026-06-01 15:47:19 +03:00
Stavros	5caee887de	fix: ensure no oidc code reuse	2026-06-01 12:22:49 +03:00
Stavros	b5770ef305	fix: add memory back in the db bootstrap	2026-06-01 12:10:59 +03:00
Stavros	1c4ca8f436	chore: differentiate oauth userinfo from oidc userinfo	2026-06-01 12:02:11 +03:00
Stavros	a72300484b	tests: fix oidc service tests	2026-06-01 12:00:50 +03:00
Stavros	4fe5de241b	chore: fix memory store	2026-06-01 11:55:47 +03:00
Stavros	83ed9ece57	feat: add db cleanup routine back	2026-06-01 11:47:17 +03:00
Stavros	faa3156672	Merge branch 'main' into refactor/oidc-store	2026-05-31 20:11:37 +03:00
Stavros	695feca71c	refactor: rework oidc session storage	2026-05-31 20:10:53 +03:00
Stavros	dac844595d	refactor: use new cache store in services (#912 )	2026-05-31 18:55:06 +03:00
Stavros	82d21c3b28	Merge branch 'refactor/service-cache' into refactor/oidc-codes	2026-05-31 18:34:52 +03:00
Stavros	fe8463890a	fix: fix bugs in cache order	2026-05-31 18:29:14 +03:00
Stavros	940ba6dff7	fix: don't allow tagged devices in tailscale integration	2026-05-31 12:42:00 +03:00
Stavros	ac9689dc9b	tests: add cache store tests	2026-05-30 15:18:23 +03:00
Stavros	3e5757cfc9	fix: fix race conditions	2026-05-30 15:04:53 +03:00
Stavros	ed94490efd	refactor: use new cache store in auth service	2026-05-29 23:33:35 +03:00