feat: ensure public key pairs with private key in oidc service

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -1,89 +0,0 @@
-name: Bug Report
-description: Create a report to help us improve this project
-title: "[BUG]"
-labels: bug
-assignees:
-- steveiliop56
-
-body:
-- type: markdown
-  attributes:
-    value: |
-      Thanks for reporting a bug! Please provide detailed information below.
-
-- type: textarea
-  id: description
-  attributes:
-    label: Describe the Bug
-    description: "A clear and concise description of what the bug is."
-  validations:
-    required: true
-
-- type: textarea
-  id: reproduce
-  attributes:
-    label: How to Reproduce
-    description: Steps to reproduce the behavior.
-    value: |
-      1. Go to '...'
-      2. Click on '....'
-      3. Scroll down to '....'
-      4. See error
-  validations:
-    required: false
-
-- type: textarea
-  id: expected
-  attributes:
-    label: Expected Behavior
-    description: "A clear and concise description of what you expected to happen."
-  validations:
-    required: true
-
-- type: textarea
-  id: context
-  attributes:
-    label: "Additional Context"
-    description: "If applicable add screenshots to help explain your problem."
-  validations:
-    required: false
-
-- type: textarea
-  id: logs
-  attributes:
-    label: "Logs"
-    description: "Please include the Tinyauth logs, make sure to not include sensitive info."
-  validations:
-    required: false
-
-- type: input
-  id: os
-  attributes:
-    label: Operating System
-    placeholder: "e.g. iOS, android, windows, linux, etc"
-
-- type: input
-  id: browser
-  attributes:
-    label: Browser
-    placeholder: "e.g. chrome, firefox, safari, edge, etc"
-
-- type: input
-  id: tinyauth
-  attributes:
-    label: Tinyauth Version
-    placeholder: "e.g. v5.0.0"
-
-- type: input
-  id: docker
-  attributes:
-    label: Docker Version (if applicable)
-    placeholder: "e.g. 27.3.1"
-
-- type: checkboxes
-  id: not-llm
-  attributes:
-    label: Human Written Confirmation
-    options:
-      - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
-        required: true

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,89 @@
+name: Bug Report
+description: Create a report to help us improve this project
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please provide detailed information below.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the Bug
+      description: "A clear and concise description of what the bug is."
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How to Reproduce
+      description: Steps to reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: false
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: "A clear and concise description of what you expected to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: "Additional Context"
+      description: "If applicable add screenshots to help explain your problem."
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: "Logs"
+      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating System
+      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser
+      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
+
+  - type: input
+    id: tinyauth
+    attributes:
+      label: Tinyauth Version
+      placeholder: "e.g. v5.0.0"
+
+  - type: input
+    id: docker
+    attributes:
+      label: Docker Version (if applicable)
+      placeholder: "e.g. 27.3.1"
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -1,4 +1,4 @@
-blank_issues_enabled: false
+blank_issues_enabled: true
 contact_links:
   - name: Tinyauth Community Support on Discord
     url: https://discord.gg/eHzVaCzRRd

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -1,52 +0,0 @@
-name: Feature request
-about: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-- steveiliop56
-
-body:
-- type: markdown
-  attributes:
-    value: |
-      Thanks for suggesting a feature! Please provide detailed information below.
-
-- type: textarea
-  id: problem
-  attributes:
-    label: Is your feature request related to a problem? Please describe.
-    description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
-  validations:
-    required: false
-
-- type: textarea
-  id: solution
-  attributes:
-    label: Describe the solution you'd like.
-    description: "A clear and concise description of what you want to happen."
-  validations:
-    required: true
-
-- type: textarea
-  id: alternatives
-  attributes:
-    label: Describe alternatives you've considered.
-    description: "A clear and concise description of any alternative solutions or features you've considered."
-  validations:
-    required: false
-
-- type: textarea
-  id: context
-  attributes:
-    label: Additional context
-    description: "Add any other context or screenshots about the feature request here."
-  validations:
-    required: false
-
-- type: checkboxes
-  id: not-llm
-  attributes:
-    label: Human Written Confirmation
-    options:
-      - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
-        required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,52 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please provide detailed information below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like.
+      description: "A clear and concise description of what you want to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered.
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
+          required: true

internal/service/oidc_service.go

@@ -121,7 +121,7 @@ type OIDCService struct {
 
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
+	publicKey  *rsa.PublicKey
 	issuer     string
 }
 
@@ -239,6 +239,16 @@ func NewOIDCService(
 		}
 	}
 
+	rPublicKey, ok := publicKey.(*rsa.PublicKey)
+
+	if !ok {
+		return nil, fmt.Errorf("public key is not an rsa public key")
+	}
+
+	if rPublicKey.N.Cmp(privateKey.N) != 0 || rPublicKey.E != privateKey.E {
+		return nil, fmt.Errorf("public key does not pair with private key")
+	}
+
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
 
@@ -271,7 +281,7 @@ func NewOIDCService(
 
 		clients:    clients,
 		privateKey: privateKey,
-		publicKey:  publicKey,
+		publicKey:  rPublicKey,
 		issuer:     issuer,
 	}
 
@@ -296,7 +306,7 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 	if !ok {
 		return errors.New("access_denied")
 	}
-	
+
 	// Redirect URI to verify that it's trusted
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
@@ -455,7 +465,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return "", errors.New("failed to marshal public key")
@@ -813,7 +823,7 @@ func (service *OIDCService) cleanupRoutine() {
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
@@ -822,13 +832,13 @@ func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher.Write(der)
 
 	jwk := jose.JSONWebKey{
-		Key:       service.privateKey,
+		Key:       service.publicKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
 
-	return jwk.Public().MarshalJSON()
+	return jwk.MarshalJSON()
 }
 
 func (service *OIDCService) ValidatePKCE(codeChallenge string, codeVerifier string) bool {