barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-12-31 04:22:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ad12110fbf4cf2b05ba667bcd742e4403ae2881b
tinyauth/internal/service
History
Olivier Dumont ad12110fbf Replace SHA256 with HKDF for key derivation and fix scope validation 
Security improvements:

1. HKDF key derivation:
   - Replace raw sha256.Sum256() with proper HKDF (HMAC-based KDF)
   - Uses domain-separated label 'oidc-aes-256-key-v1' for key derivation
   - Applied to both encryptPrivateKey and decryptPrivateKey
   - Provides better security properties than raw hash

2. Scope validation fix:
   - Only add 'openid' scope if it's both requested AND in client's
     allowedScopes
   - Prevents bypassing client scope restrictions
   - Respects configured allowedScopes

Both changes improve security posture while maintaining backward
compatibility.
2025-12-30 13:37:43 +01:00
..
access_controls_service.go
refactor: use proper module name (#542)
2025-12-26 17:53:24 +02:00
auth_service.go
feat: forward sub from oidc providers (#543)
2025-12-26 19:02:51 +02:00
database_service.go
refactor: use proper module name (#542)
2025-12-26 17:53:24 +02:00
docker_service.go
refactor: use proper module name (#542)
2025-12-26 17:53:24 +02:00
generic_oauth_service.go
refactor: use proper module name (#542)
2025-12-26 17:53:24 +02:00
github_oauth_service.go
feat: forward sub from oidc providers (#543)
2025-12-26 19:02:51 +02:00
google_oauth_service.go
feat: forward sub from oidc providers (#543)
2025-12-26 19:02:51 +02:00
ldap_service.go
refactor: don't export non-needed fields (#336)
2025-09-02 01:27:55 +03:00
oauth_broker_service.go
refactor: use proper module name (#542)
2025-12-26 17:53:24 +02:00
oidc_service.go
Replace SHA256 with HKDF for key derivation and fix scope validation
2025-12-30 13:37:43 +01:00