Olivier Dumont ad12110fbf Replace SHA256 with HKDF for key derivation and fix scope validation ...

Security improvements:

1. HKDF key derivation:
   - Replace raw sha256.Sum256() with proper HKDF (HMAC-based KDF)
   - Uses domain-separated label 'oidc-aes-256-key-v1' for key derivation
   - Applied to both encryptPrivateKey and decryptPrivateKey
   - Provides better security properties than raw hash

2. Scope validation fix:
   - Only add 'openid' scope if it's both requested AND in client's
     allowedScopes
   - Prevents bypassing client scope restrictions
   - Respects configured allowedScopes

Both changes improve security posture while maintaining backward
compatibility.

2025-12-30 13:37:43 +01:00

..

assets

CRITICAL: Add replay protection for authorization codes

2025-12-30 13:00:19 +01:00

bootstrap

Add OIDC provider functionality with validation setup

2025-12-30 12:17:55 +01:00

config

Add OIDC provider functionality with validation setup

2025-12-30 12:17:55 +01:00

controller

Remove insecure query parameter fallback for client credentials

2025-12-30 12:40:55 +01:00

middleware

feat: forward sub from oidc providers (#543)

2025-12-26 19:02:51 +02:00

model

CRITICAL: Add replay protection for authorization codes

2025-12-30 13:00:19 +01:00

service

Replace SHA256 with HKDF for key derivation and fix scope validation

2025-12-30 13:37:43 +01:00

utils

Add OIDC provider functionality with validation setup

2025-12-30 12:17:55 +01:00