mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-12-31 04:22:28 +00:00
The validateAccessToken method was only decoding the JWT payload without verifying the signature, allowing attackers to forge tokens. This fix:
- Adds ValidateAccessToken method to OIDCService that properly verifies JWT signature using RSA public key
- Validates issuer, expiration, and required claims
- Updates controller to use the secure validation method
- Removes insecure manual JWT parsing code
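The vulnerable pattern and the fix the commit describes, as an added Go example that is not tinyauth's own code: DecodeUnverified is the decode-only path an attacker can forge against, and ValidateAccessToken is the hardened path that pins the algorithm, verifies the RS256 signature with the provider's RSA public key, and then checks issuer, expiry and required claims. The function signature, the SignRS256 and Forge helpers, the Claims shape and the issuer URL are all assumptions made for this example; only the Go standard library is used, and the key and tokens are generated in-process.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered claims this example checks (assumed shape).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 mints an RS256 JWT; it stands in for the identity provider (assumed helper).
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// DecodeUnverified is the vulnerable pattern: it trusts the payload without checking the signature.
func DecodeUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var c Claims
	return c, decodeSegment(parts[1], &c)
}

// ValidateAccessToken is the hardened form: pin the alg, verify the RS256 signature, then check claims.
func ValidateAccessToken(token string, pub *rsa.PublicKey, wantIss string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Never let the token choose the algorithm ("none", or HS256 keyed with the public key).
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("bad header or unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("invalid signature")
	}
	c, err := DecodeUnverified(token) // safe only now: the signature covers this payload
	if err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != wantIss:
		return Claims{}, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Sub == "" || c.Exp == 0:
		return Claims{}, errors.New("missing required claim (sub or exp)")
	case !now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Forge is the attack the commit describes: swap the payload, keep the original signature.
func Forge(token string, c Claims) string {
	parts := strings.Split(token, ".")
	body, _ := json.Marshal(c)
	return parts[0] + "." + b64(body) + "." + parts[2]
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	good := Claims{Iss: "https://idp.example", Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()} // constructed
	tok, _ := SignRS256(priv, good)
	forged := Forge(tok, Claims{Iss: good.Iss, Sub: "admin", Exp: good.Exp})
	c, _ := DecodeUnverified(forged)
	_, err := ValidateAccessToken(forged, &priv.PublicKey, good.Iss, time.Now())
	fmt.Printf("unverified decode trusts sub=%q; verified path: %v\n", c.Sub, err)
}
```

The order inside ValidateAccessToken matters: the algorithm is pinned from the verifier's side before the header is trusted, the signature is checked before any claim is read, and only then are issuer, expiry and required claims compared. A real deployment would fetch the public key from the provider's JWKS endpoint and select it by the token's `kid`, which this example leaves out.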
12 KiB