chore(deps): bump softprops/action-gh-release from 2 to 3

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2 to 3.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/v2...v3)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/nightly.yml

@@ -19,7 +19,7 @@ jobs:
           REPO: ${{ github.event.repository.name }}
 
       - name: Create release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           prerelease: true
           tag_name: nightly
@@ -459,7 +459,7 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*
           tag_name: nightly

.github/workflows/release.yml

@@ -426,6 +426,6 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*

frontend/bun.lock

@@ -19,7 +19,6 @@
         "i18next": "^26.0.3",
         "i18next-browser-languagedetector": "^8.2.1",
         "i18next-resources-to-backend": "^1.2.1",
-        "input-otp": "^1.4.2",
         "lucide-react": "^1.7.0",
         "next-themes": "^0.4.6",
         "radix-ui": "^1.4.3",
@@ -623,8 +622,6 @@
 
     "inline-style-parser": ["inline-style-parser@0.2.4", "", {}, "sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q=="],
 
-    "input-otp": ["input-otp@1.4.2", "", { "peerDependencies": { "react": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc", "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc" } }, "sha512-l3jWwYNvrEa6NTCt7BECfCm48GvwuZzkoeG3gBL2w4CHeOXW3eKFmf9UNYkNfYc3mxMrthMnxjIE07MT0zLBQA=="],
-
     "is-alphabetical": ["is-alphabetical@2.0.1", "", {}, "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ=="],
 
     "is-alphanumerical": ["is-alphanumerical@2.0.1", "", { "dependencies": { "is-alphabetical": "^2.0.0", "is-decimal": "^2.0.0" } }, "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw=="],

frontend/package.json

@@ -25,7 +25,6 @@
     "i18next": "^26.0.3",
     "i18next-browser-languagedetector": "^8.2.1",
     "i18next-resources-to-backend": "^1.2.1",
-    "input-otp": "^1.4.2",
     "lucide-react": "^1.7.0",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",

frontend/src/components/auth/totp-form.tsx

@@ -1,14 +1,10 @@
 import { Form, FormControl, FormField, FormItem } from "../ui/form";
-import {
+import { Input } from "../ui/input";
-  InputOTP,
-  InputOTPGroup,
-  InputOTPSeparator,
-  InputOTPSlot,
-} from "../ui/input-otp";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { useForm } from "react-hook-form";
 import { totpSchema, TotpSchema } from "@/schemas/totp-schema";
 import { useTranslation } from "react-i18next";
+import { useRef } from "react";
 import z from "zod";
 
 interface Props {
@@ -19,6 +15,7 @@ interface Props {
 export const TotpForm = (props: Props) => {
   const { formId, onSubmit } = props;
   const { t } = useTranslation();
+  const autoSubmittedRef = useRef(false);
 
   z.config({
     customError: (iss) =>
@@ -29,14 +26,19 @@ export const TotpForm = (props: Props) => {
     resolver: zodResolver(totpSchema),
   });
 
-  const handleChange = (value: string) => {
+  const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
-    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
+    const value = e.target.value.replace(/\D/g, "").slice(0, 6);
-
+    form.setValue("code", value, { shouldDirty: true, shouldValidate: false });
-    if (value.length === 6) {
+    if (value.length === 6 && !autoSubmittedRef.current) {
-      onSubmit({ code: value });
+      autoSubmittedRef.current = true;
+      form.handleSubmit(onSubmit)();
+      return;
     }
+    autoSubmittedRef.current = false;
   };
 
+  // Note: This is not the best UX, ideally we would want https://github.com/guilhermerodz/input-otp
+  // but some password managers cannot autofill the inputs (see #92) so, simple input it is
   return (
     <Form {...form}>
       <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -46,25 +48,17 @@ export const TotpForm = (props: Props) => {
           render={({ field }) => (
             <FormItem>
               <FormControl>
-                <InputOTP
+                <Input
-                  maxLength={6}
                   {...field}
+                  type="text"
+                  inputMode="numeric"
                   autoComplete="one-time-code"
                   autoFocus
+                  maxLength={6}
+                  placeholder="XXXXXX"
                   onChange={handleChange}
-                >
+                  className="text-center"
-                  <InputOTPGroup>
+                />
-                    <InputOTPSlot index={0} />
-                    <InputOTPSlot index={1} />
-                    <InputOTPSlot index={2} />
-                  </InputOTPGroup>
-                  <InputOTPSeparator />
-                  <InputOTPGroup>
-                    <InputOTPSlot index={3} />
-                    <InputOTPSlot index={4} />
-                    <InputOTPSlot index={5} />
-                  </InputOTPGroup>
-                </InputOTP>
               </FormControl>
             </FormItem>
           )}

frontend/src/components/ui/input-otp.tsx

@@ -1,75 +0,0 @@
-import * as React from "react";
-import { OTPInput, OTPInputContext } from "input-otp";
-import { MinusIcon } from "lucide-react";
-
-import { cn } from "@/lib/utils";
-
-function InputOTP({
-  className,
-  containerClassName,
-  ...props
-}: React.ComponentProps<typeof OTPInput> & {
-  containerClassName?: string;
-}) {
-  return (
-    <OTPInput
-      data-slot="input-otp"
-      containerClassName={cn(
-        "flex items-center gap-2 has-disabled:opacity-50",
-        containerClassName,
-      )}
-      className={cn("disabled:cursor-not-allowed", className)}
-      {...props}
-    />
-  );
-}
-
-function InputOTPGroup({ className, ...props }: React.ComponentProps<"div">) {
-  return (
-    <div
-      data-slot="input-otp-group"
-      className={cn("flex items-center", className)}
-      {...props}
-    />
-  );
-}
-
-function InputOTPSlot({
-  index,
-  className,
-  ...props
-}: React.ComponentProps<"div"> & {
-  index: number;
-}) {
-  const inputOTPContext = React.useContext(OTPInputContext);
-  const { char, hasFakeCaret, isActive } = inputOTPContext?.slots[index] ?? {};
-
-  return (
-    <div
-      data-slot="input-otp-slot"
-      data-active={isActive}
-      className={cn(
-        "data-[active=true]:border-ring data-[active=true]:ring-ring/50 data-[active=true]:aria-invalid:ring-destructive/20 dark:data-[active=true]:aria-invalid:ring-destructive/40 aria-invalid:border-destructive data-[active=true]:aria-invalid:border-destructive dark:bg-input/30 border-input relative flex h-9 w-9 items-center justify-center border-y border-r text-sm shadow-xs transition-all outline-none first:rounded-l-md first:border-l last:rounded-r-md data-[active=true]:z-10 data-[active=true]:ring-[3px]",
-        className,
-      )}
-      {...props}
-    >
-      {char}
-      {hasFakeCaret && (
-        <div className="pointer-events-none absolute inset-0 flex items-center justify-center">
-          <div className="animate-caret-blink bg-foreground h-4 w-px duration-1000" />
-        </div>
-      )}
-    </div>
-  );
-}
-
-function InputOTPSeparator({ ...props }: React.ComponentProps<"div">) {
-  return (
-    <div data-slot="input-otp-separator" role="separator" {...props}>
-      <MinusIcon />
-    </div>
-  );
-}
-
-export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };

frontend/src/lib/hooks/oidc.ts

@@ -11,6 +11,33 @@ export const oidcParamsSchema = z.object({
   code_challenge_method: z.string().optional(),
 });
 
+function b64urlDecode(s: string): string {
+  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
+  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
+}
+
+function decodeRequestObject(jwt: string): Record<string, string> {
+  try {
+    // Must have exactly 3 parts: header, payload, signature
+    const parts = jwt.split(".");
+    if (parts.length !== 3) return {};
+
+    // Header must specify "alg": "none" and signature must be empty string
+    const header = JSON.parse(b64urlDecode(parts[0]));
+    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
+
+    const payload = JSON.parse(b64urlDecode(parts[1]));
+    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
+    const result: Record<string, string> = {};
+    for (const [k, v] of Object.entries(payload)) {
+      if (typeof v === "string") result[k] = v;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+
 export const useOIDCParams = (
   params: URLSearchParams,
 ): {
@@ -20,6 +47,15 @@ export const useOIDCParams = (
   compiled: string;
 } => {
   const obj = Object.fromEntries(params.entries());
+
+  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
+  // and merge claims over top-level params (JWT claims take precedence)
+  const requestJwt = params.get("request");
+  if (requestJwt) {
+    const claims = decodeRequestObject(requestJwt);
+    Object.assign(obj, claims);
+  }
+
   const parsed = oidcParamsSchema.safeParse(obj);
 
   if (parsed.success) {

frontend/src/pages/totp-page.tsx

@@ -74,7 +74,7 @@ export const TotpPage = () => {
         <CardTitle className="text-xl">{t("totpTitle")}</CardTitle>
         <CardDescription>{t("totpSubtitle")}</CardDescription>
       </CardHeader>
-      <CardContent className="flex flex-col items-center">
+      <CardContent>
         <TotpForm
           formId={formId}
           onSubmit={(values) => totpMutation.mutate(values)}

internal/controller/proxy_controller.go

@@ -131,14 +131,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		if !controller.useBrowserResponse(proxyCtx) {
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-
 		queries, err := query.Values(config.UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -146,11 +138,22 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.handleError(c, proxyCtx)
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+
+		if !controller.useBrowserResponse(proxyCtx) {
+			c.Header("x-tinyauth-location", redirectURL)
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 		return
 	}
 
@@ -175,21 +178,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		if !userAllowed {
 			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
 
-			if !controller.useBrowserResponse(proxyCtx) {
-				c.JSON(403, gin.H{
-					"status":  403,
-					"message": "Forbidden",
-				})
-				return
-			}
-
 			queries, err := query.Values(config.UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
 
 			if err != nil {
 				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+				controller.handleError(c, proxyCtx)
 				return
 			}
 
@@ -199,7 +194,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				queries.Set("username", userContext.Username)
 			}
 
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+
+			if !controller.useBrowserResponse(proxyCtx) {
+				c.Header("x-tinyauth-location", redirectURL)
+				c.JSON(403, gin.H{
+					"status":  403,
+					"message": "Forbidden",
+				})
+				return
+			}
+
+			c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 			return
 		}
 
@@ -215,14 +221,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			if !groupOK {
 				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
 
-				if !controller.useBrowserResponse(proxyCtx) {
-					c.JSON(403, gin.H{
-						"status":  403,
-						"message": "Forbidden",
-					})
-					return
-				}
-
 				queries, err := query.Values(config.UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
@@ -230,7 +228,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 				if err != nil {
 					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-					c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+					controller.handleError(c, proxyCtx)
 					return
 				}
 
@@ -240,7 +238,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					queries.Set("username", userContext.Username)
 				}
 
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+
+				if !controller.useBrowserResponse(proxyCtx) {
+					c.Header("x-tinyauth-location", redirectURL)
+					c.JSON(403, gin.H{
+						"status":  403,
+						"message": "Forbidden",
+					})
+					return
+				}
+
+				c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 				return
 			}
 		}
@@ -266,7 +275,20 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
+	queries, err := query.Values(config.RedirectQuery{
+		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
+	})
+
+	if err != nil {
+		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+		controller.handleError(c, proxyCtx)
+		return
+	}
+
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())
+
 	if !controller.useBrowserResponse(proxyCtx) {
+		c.Header("x-tinyauth-location", redirectURL)
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -274,17 +296,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	queries, err := query.Values(config.RedirectQuery{
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
-		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
-	})
-
-	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
-		return
-	}
-
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode()))
 }
 
 func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
@@ -306,7 +318,10 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
 }
 
 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
+	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)
+
 	if !controller.useBrowserResponse(proxyCtx) {
+		c.Header("x-tinyauth-location", redirectURL)
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -314,7 +329,7 @@ func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyCon
 		return
 	}
 
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 
 func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {

internal/controller/proxy_controller_test.go

@@ -116,8 +116,7 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "https://tinyauth.example.com/login?redirect_uri=")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
-				assert.Contains(t, location, "https%3A%2F%2Ftest.example.com%2F")
 			},
 		},
 		{
@@ -129,6 +128,8 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
+				location := recorder.Header().Get("x-tinyauth-location")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 			},
 		},
 		{
@@ -142,8 +143,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "https://tinyauth.example.com/login?redirect_uri=")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
-				assert.Contains(t, location, "https%3A%2F%2Ftest.example.com%2Fhello")
 			},
 		},
 		{
@@ -159,8 +159,7 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "https://tinyauth.example.com/login?redirect_uri=")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
-				assert.Contains(t, location, "https%3A%2F%2Ftest.example.com%2F")
 			},
 		},
 		{
@@ -174,6 +173,8 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
+				location := recorder.Header().Get("x-tinyauth-location")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 			},
 		},
 		{
@@ -189,8 +190,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "https://tinyauth.example.com/login?redirect_uri=")
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
-				assert.Contains(t, location, "https%3A%2F%2Ftest.example.com%2Fhello")
 			},
 		},
 		{

internal/controller/well_known_controller.go

@@ -9,19 +9,21 @@ import (
 )
 
 type OpenIDConnectConfiguration struct {
-	Issuer                            string   `json:"issuer"`
+	Issuer                                 string   `json:"issuer"`
-	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
-	TokenEndpoint                     string   `json:"token_endpoint"`
+	TokenEndpoint                          string   `json:"token_endpoint"`
-	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
-	JwksUri                           string   `json:"jwks_uri"`
+	JwksUri                                string   `json:"jwks_uri"`
-	ScopesSupported                   []string `json:"scopes_supported"`
+	ScopesSupported                        []string `json:"scopes_supported"`
-	ResponseTypesSupported            []string `json:"response_types_supported"`
+	ResponseTypesSupported                 []string `json:"response_types_supported"`
-	GrantTypesSupported               []string `json:"grant_types_supported"`
+	GrantTypesSupported                    []string `json:"grant_types_supported"`
-	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	SubjectTypesSupported                  []string `json:"subject_types_supported"`
-	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	IDTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
-	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported"`
-	ClaimsSupported                   []string `json:"claims_supported"`
+	ClaimsSupported                        []string `json:"claims_supported"`
-	ServiceDocumentation              string   `json:"service_documentation"`
+	ServiceDocumentation                   string   `json:"service_documentation"`
+	RequestParameterSupported              bool     `json:"request_parameter_supported"`
+	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
 type WellKnownControllerConfig struct{}
@@ -48,19 +50,21 @@ func (controller *WellKnownController) SetupRoutes() {
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
-		Issuer:                            issuer,
+		Issuer:                                 issuer,
-		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
+		AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", issuer),
-		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
+		TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", issuer),
-		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
+		UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", issuer),
-		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
+		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", issuer),
-		ScopesSupported:                   service.SupportedScopes,
+		ScopesSupported:                        service.SupportedScopes,
-		ResponseTypesSupported:            service.SupportedResponseTypes,
+		ResponseTypesSupported:                 service.SupportedResponseTypes,
-		GrantTypesSupported:               service.SupportedGrantTypes,
+		GrantTypesSupported:                    service.SupportedGrantTypes,
-		SubjectTypesSupported:             []string{"pairwise"},
+		SubjectTypesSupported:                  []string{"pairwise"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
+		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
+		RequestParameterSupported:              true,
+		RequestObjectSigningAlgValuesSupported: []string{"none"},
 	})
 }
 

internal/controller/well_known_controller_test.go

@@ -56,19 +56,21 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)
 
 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                            oidcServiceCfg.Issuer,
+					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
-					ScopesSupported:                   service.SupportedScopes,
+					ScopesSupported:                        service.SupportedScopes,
-					ResponseTypesSupported:            service.SupportedResponseTypes,
+					ResponseTypesSupported:                 service.SupportedResponseTypes,
-					GrantTypesSupported:               service.SupportedGrantTypes,
+					GrantTypesSupported:                    service.SupportedGrantTypes,
-					SubjectTypesSupported:             []string{"pairwise"},
+					SubjectTypesSupported:                  []string{"pairwise"},
-					IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
+					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
+					RequestParameterSupported:              true,
+					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 
 				assert.Equal(t, expected, res)