.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -2,7 +2,6 @@ name: Bug Report
 description: "Create a bug report to help us improve ZITADEL. Click [here](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#product-management) to see how we process your issue."
 title: "[Bug]: "
 labels: ["bug"]
-type: Bug
 body:
   - type: markdown
     attributes:

.github/ISSUE_TEMPLATE/docs.yaml

@@ -1,7 +1,6 @@
 name: 📄 Documentation
 description: Create an issue for missing or wrong documentation.
 labels: ["docs"]
-type: task
 body:
   - type: markdown
     attributes:

.github/ISSUE_TEMPLATE/improvement.yaml

@@ -1,12 +1,11 @@
 name: 🛠️ Improvement
 description: "Create an new issue for an improvment in ZITADEL"
-labels: ["enhancement"]
-type: enhancement
+labels: ["improvement"]
 body:
   - type: markdown
     attributes:
       value: |
-        Thanks for taking the time to fill out this proposal / feature reqeust
+        Thanks for taking the time to fill out this improvement request
   - type: checkboxes
     id: preflight
     attributes:

.github/ISSUE_TEMPLATE/proposal.yaml

@@ -0,0 +1,44 @@
+name: 💡 Proposal / Feature request
+description: "Create an issue for a feature request/proposal."
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this proposal / feature reqeust
+  - type: checkboxes
+    id: preflight
+    attributes:
+      label: Preflight Checklist
+      options:
+      - label:
+          I could not find a solution in the existing issues, docs, nor discussions
+        required: true
+      - label:
+          I have joined the [ZITADEL chat](https://zitadel.com/chat)
+  - type: textarea
+    id: problem
+    attributes:
+      label: Describe your problem
+      description: Please describe your problem this proposal / feature is supposed to solve.
+      placeholder: Describe the problem you have.
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe your ideal solution
+      description: Which solution do you propose?
+      placeholder: As a [type of user], I want [some goal] so that [some reason].
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Which version of the OIDC Library are you using.
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Please add any other infos that could be useful.

.github/workflows/release.yml

@@ -14,11 +14,11 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
-        go: ['1.23', '1.24']
+        go: ['1.21', '1.22', '1.23']
     name: Go ${{ matrix.go }} test
     steps:
       - uses: actions/checkout@v4
@@ -27,12 +27,12 @@ jobs:
         with:
           go-version: ${{ matrix.go }}
       - run: go test -race -v -coverprofile=profile.cov -coverpkg=./pkg/... ./pkg/...
-      - uses: codecov/codecov-action@v5.4.3
+      - uses: codecov/codecov-action@v5.3.1
         with:
           file: ./profile.cov
           name: codecov-go
   release:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-20.04
     needs: [test]
     if: ${{ github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/next' }}
     env:

README.md

@@ -156,9 +156,10 @@ Versions that also build are marked with :warning:.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| <1.23   | :x:                |
+| <1.21   | :x:                |
+| 1.21    | :warning:          |
+| 1.22    | :white_check_mark: |
 | 1.23    | :white_check_mark: |
-| 1.24    | :white_check_mark: |
 
 ## Why another library
 

example/client/api/api.go

@@ -13,8 +13,8 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rs"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 const (

example/client/app/app.go

@@ -14,10 +14,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/zitadel/logging"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 var (

example/client/device/device.go

@@ -45,8 +45,8 @@ import (
 
 	"github.com/sirupsen/logrus"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 )
 
 var (

example/client/github/github.go

@@ -10,10 +10,10 @@ import (
 	"golang.org/x/oauth2"
 	githubOAuth "golang.org/x/oauth2/github"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp/cli"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/client/rp/cli"
+	"github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 var (

example/client/service/service.go

@@ -13,7 +13,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/profile"
+	"github.com/zitadel/oidc/v3/pkg/client/profile"
 )
 
 var client = http.DefaultClient

example/server/dynamic/login.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 const (

example/server/dynamic/op.go

@@ -10,8 +10,8 @@ import (
 	"github.com/go-chi/chi/v5"
 	"golang.org/x/text/language"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 const (

example/server/exampleop/device.go

@@ -8,10 +8,10 @@ import (
 	"net/http"
 	"net/url"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/go-chi/chi/v5"
 	"github.com/gorilla/securecookie"
 	"github.com/sirupsen/logrus"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 type deviceAuthenticate interface {

example/server/exampleop/login.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"net/http"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/go-chi/chi/v5"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 type login struct {

example/server/exampleop/op.go

@@ -12,7 +12,7 @@ import (
 	"github.com/zitadel/logging"
 	"golang.org/x/text/language"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 const (

example/server/main.go

@@ -6,9 +6,9 @@ import (
 	"net/http"
 	"os"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/config"
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/exampleop"
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	"github.com/zitadel/oidc/v3/example/server/config"
+	"github.com/zitadel/oidc/v3/example/server/exampleop"
+	"github.com/zitadel/oidc/v3/example/server/storage"
 )
 
 func getUserStore(cfg *config.Config) (storage.UserStore, error) {

example/server/storage/client.go

@@ -3,8 +3,8 @@ package storage
 import (
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 var (

example/server/storage/oidc.go

@@ -6,8 +6,8 @@ import (
 
 	"golang.org/x/text/language"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 const (
@@ -164,15 +164,6 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
 	}
 }
 
-type AuthRequestWithSessionState struct {
-	*AuthRequest
-	SessionState string
-}
-
-func (a *AuthRequestWithSessionState) GetSessionState() string {
-	return a.SessionState
-}
-
 type OIDCCodeChallenge struct {
 	Challenge string
 	Method    string

example/server/storage/storage.go

@@ -14,8 +14,8 @@ import (
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // serviceKey1 is a public key which will be used for the JWT Profile Authorization Grant

example/server/storage/storage_dynamic.go

@@ -6,8 +6,8 @@ import (
 
 	jose "github.com/go-jose/go-jose/v4"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 type multiStorage struct {

go.mod

@@ -1,13 +1,11 @@
-module git.christmann.info/LARA/zitadel-oidc/v3
+module github.com/zitadel/oidc/v3
 
-go 1.23.7
-
-toolchain go1.24.1
+go 1.21
 
 require (
 	github.com/bmatcuk/doublestar/v4 v4.8.1
 	github.com/go-chi/chi/v5 v5.2.1
-	github.com/go-jose/go-jose/v4 v4.0.5
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/golang/mock v1.6.0
 	github.com/google/go-github/v31 v31.0.0
 	github.com/google/uuid v1.6.0
@@ -18,11 +16,11 @@ require (
 	github.com/rs/cors v1.11.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
-	github.com/zitadel/logging v0.6.2
-	github.com/zitadel/schema v1.3.1
+	github.com/zitadel/logging v0.6.1
+	github.com/zitadel/schema v1.3.0
 	go.opentelemetry.io/otel v1.29.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/text v0.26.0
+	golang.org/x/oauth2 v0.26.0
+	golang.org/x/text v0.22.0
 )
 
 require (
@@ -33,8 +31,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -5,8 +5,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -50,10 +50,10 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/zitadel/logging v0.6.2 h1:MW2kDDR0ieQynPZ0KIZPrh9ote2WkxfBif5QoARDQcU=
-github.com/zitadel/logging v0.6.2/go.mod h1:z6VWLWUkJpnNVDSLzrPSQSQyttysKZ6bCRongw0ROK4=
-github.com/zitadel/schema v1.3.1 h1:QT3kwiRIRXXLVAs6gCK/u044WmUVh6IlbLXUsn6yRQU=
-github.com/zitadel/schema v1.3.1/go.mod h1:071u7D2LQacy1HAN+YnMd/mx1qVE2isb0Mjeqg46xnU=
+github.com/zitadel/logging v0.6.1 h1:Vyzk1rl9Kq9RCevcpX6ujUaTYFX43aa4LkvV1TvUk+Y=
+github.com/zitadel/logging v0.6.1/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
+github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0=
+github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc=
 go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
 go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
 go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
@@ -62,19 +62,19 @@ go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt3
 go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -83,13 +83,13 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
@@ -101,8 +101,8 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/testutil/gen/gen.go

@@ -8,8 +8,8 @@ import (
 	"fmt"
 	"os"
 
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 var custom = map[string]any{

internal/testutil/token.go

@@ -8,9 +8,9 @@ import (
 	"errors"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/muhlemmer/gu"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // KeySet implements oidc.Keys

pkg/client/client.go

@@ -15,9 +15,9 @@ import (
 	"go.opentelemetry.io/otel"
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/crypto"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 var (

pkg/client/client_test.go

@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func TestDiscover(t *testing.T) {

pkg/client/integration_test.go

@@ -23,14 +23,14 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/exampleop"
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/tokenexchange"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/example/server/exampleop"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/client/rs"
+	"github.com/zitadel/oidc/v3/pkg/client/tokenexchange"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 var Logger = slog.New(

pkg/client/jwt_profile.go

@@ -6,8 +6,8 @@ import (
 
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // JWTProfileExchange handles the oauth2 jwt profile exchange

pkg/client/profile/jwt_profile.go

@@ -8,8 +8,8 @@ import (
 	jose "github.com/go-jose/go-jose/v4"
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type TokenSource interface {

pkg/client/rp/cli/cli.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"net/http"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 const (

pkg/client/rp/delegation.go

@@ -1,7 +1,7 @@
 package rp
 
 import (
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc/grants/tokenexchange"
+	"github.com/zitadel/oidc/v3/pkg/oidc/grants/tokenexchange"
 )
 
 // DelegationTokenRequest is an implementation of TokenExchangeRequest

pkg/client/rp/device.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func newDeviceClientCredentialsRequest(scopes []string, rp RelyingParty) (*oidc.ClientCredentialsRequest, error) {

pkg/client/rp/jwks.go

@@ -9,9 +9,9 @@ import (
 
 	jose "github.com/go-jose/go-jose/v4"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKeySet)) oidc.KeySet {

pkg/client/rp/relying_party.go

@@ -14,10 +14,10 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/zitadel/logging"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 const (

pkg/client/rp/relying_party_test.go

@@ -5,10 +5,10 @@ import (
 	"testing"
 	"time"
 
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"golang.org/x/oauth2"
 )
 

pkg/client/rp/tockenexchange.go

@@ -5,7 +5,7 @@ import (
 
 	"golang.org/x/oauth2"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc/grants/tokenexchange"
+	"github.com/zitadel/oidc/v3/pkg/oidc/grants/tokenexchange"
 )
 
 // TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`

pkg/client/rp/userinfo_example_test.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type UserInfo struct {

pkg/client/rp/verifier.go

@@ -6,8 +6,8 @@ import (
 
 	jose "github.com/go-jose/go-jose/v4"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // VerifyTokens implement the Token Response Validation as defined in OIDC specification

pkg/client/rp/verifier_test.go

@@ -5,11 +5,11 @@ import (
 	"testing"
 	"time"
 
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func TestVerifyTokens(t *testing.T) {

pkg/client/rp/verifier_tokens_example_test.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"fmt"
 
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // MyCustomClaims extends the TokenClaims base,

pkg/client/rs/introspect_example_test.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rs"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type IntrospectionResponse struct {

pkg/client/rs/resource_server.go

@@ -6,9 +6,9 @@ import (
 	"net/http"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type ResourceServer interface {

pkg/client/rs/resource_server_test.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func TestNewResourceServer(t *testing.T) {

pkg/client/tokenexchange/tokenexchange.go

@@ -6,10 +6,10 @@ import (
 	"net/http"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-jose/go-jose/v4"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type TokenExchanger interface {

pkg/crypto/key_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 
-	zcrypto "git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	zcrypto "github.com/zitadel/oidc/v3/pkg/crypto"
 )
 
 func TestBytesToPrivateKey(t *testing.T) {

pkg/http/http.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 var DefaultHTTPClient = &http.Client{

pkg/oidc/code_challenge.go

@@ -3,7 +3,7 @@ package oidc
 import (
 	"crypto/sha256"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	"github.com/zitadel/oidc/v3/pkg/crypto"
 )
 
 const (

pkg/oidc/error.go

@@ -133,7 +133,6 @@ type Error struct {
 	ErrorType        errorType `json:"error" schema:"error"`
 	Description      string    `json:"error_description,omitempty" schema:"error_description,omitempty"`
 	State            string    `json:"state,omitempty" schema:"state,omitempty"`
-	SessionState     string    `json:"session_state,omitempty" schema:"session_state,omitempty"`
 	redirectDisabled bool      `schema:"-"`
 	returnParent     bool      `schema:"-"`
 }
@@ -143,13 +142,11 @@ func (e *Error) MarshalJSON() ([]byte, error) {
 		Error            errorType `json:"error"`
 		ErrorDescription string    `json:"error_description,omitempty"`
 		State            string    `json:"state,omitempty"`
-		SessionState     string    `json:"session_state,omitempty"`
 		Parent           string    `json:"parent,omitempty"`
 	}{
 		Error:            e.ErrorType,
 		ErrorDescription: e.Description,
 		State:            e.State,
-		SessionState:     e.SessionState,
 	}
 	if e.returnParent {
 		m.Parent = e.Parent.Error()
@@ -179,8 +176,7 @@ func (e *Error) Is(target error) bool {
 	}
 	return e.ErrorType == t.ErrorType &&
 		(e.Description == t.Description || t.Description == "") &&
-		(e.State == t.State || t.State == "") &&
-		(e.SessionState == t.SessionState || t.SessionState == "")
+		(e.State == t.State || t.State == "")
 }
 
 func (e *Error) WithParent(err error) *Error {
@@ -246,9 +242,6 @@ func (e *Error) LogValue() slog.Value {
 	if e.State != "" {
 		attrs = append(attrs, slog.String("state", e.State))
 	}
-	if e.SessionState != "" {
-		attrs = append(attrs, slog.String("session_state", e.SessionState))
-	}
 	if e.redirectDisabled {
 		attrs = append(attrs, slog.Bool("redirect_disabled", e.redirectDisabled))
 	}

pkg/oidc/session.go

@@ -1,12 +1,10 @@
 package oidc
 
 // EndSessionRequest for the RP-Initiated Logout according to:
-// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
+//https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 type EndSessionRequest struct {
-	IdTokenHint           string  `schema:"id_token_hint"`
-	LogoutHint            string  `schema:"logout_hint"`
-	ClientID              string  `schema:"client_id"`
-	PostLogoutRedirectURI string  `schema:"post_logout_redirect_uri"`
-	State                 string  `schema:"state"`
-	UILocales             Locales `schema:"ui_locales"`
+	IdTokenHint           string `schema:"id_token_hint"`
+	ClientID              string `schema:"client_id"`
+	PostLogoutRedirectURI string `schema:"post_logout_redirect_uri"`
+	State                 string `schema:"state"`
 }

pkg/oidc/token.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/muhlemmer/gu"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	"github.com/zitadel/oidc/v3/pkg/crypto"
 )
 
 const (

pkg/oidc/types.go

@@ -3,7 +3,6 @@ package oidc
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"reflect"
 	"strings"
@@ -35,17 +34,6 @@ func (a *Audience) UnmarshalJSON(text []byte) error {
 	return nil
 }
 
-func (a *Audience) MarshalJSON() ([]byte, error) {
-	len := len(*a)
-	if len > 1 {
-		return json.Marshal(*a)
-	} else if len == 1 {
-		return json.Marshal((*a)[0])
-	}
-
-	return nil, errors.New("aud is empty")
-}
-
 type Display string
 
 func (d *Display) UnmarshalText(text []byte) error {
@@ -89,25 +77,16 @@ func (l *Locale) MarshalJSON() ([]byte, error) {
 }
 
 // UnmarshalJSON implements json.Unmarshaler.
-// When [language.ValueError] is encountered, the containing tag will be set
+// All unmarshal errors for are ignored.
+// When an error is encountered, the containing tag will be set
 // to an empty value (language "und") and no error will be returned.
 // This state can be checked with the `l.Tag().IsRoot()` method.
 func (l *Locale) UnmarshalJSON(data []byte) error {
-	if len(data) == 0 || string(data) == "\"\"" {
-		return nil
-	}
 	err := json.Unmarshal(data, &l.tag)
-	if err == nil {
-		return nil
-	}
-
-	// catch "well-formed but unknown" errors
-	var target language.ValueError
-	if errors.As(err, &target) {
+	if err != nil {
 		l.tag = language.Tag{}
-		return nil
 	}
-	return err
+	return nil
 }
 
 type Locales []language.Tag
@@ -126,14 +105,6 @@ func ParseLocales(locales []string) Locales {
 	return out
 }
 
-func (l Locales) String() string {
-	tags := make([]string, len(l))
-	for i, tag := range l {
-		tags[i] = tag.String()
-	}
-	return strings.Join(tags, " ")
-}
-
 // UnmarshalText implements the [encoding.TextUnmarshaler] interface.
 // It decodes an unquoted space seperated string into Locales.
 // Undefined language tags in the input are ignored and ommited from
@@ -250,9 +221,6 @@ func NewEncoder() *schema.Encoder {
 	e.RegisterEncoder(SpaceDelimitedArray{}, func(value reflect.Value) string {
 		return value.Interface().(SpaceDelimitedArray).String()
 	})
-	e.RegisterEncoder(Locales{}, func(value reflect.Value) string {
-		return value.Interface().(Locales).String()
-	})
 	return e
 }
 

pkg/oidc/types_test.go

@@ -217,30 +217,6 @@ func TestLocale_UnmarshalJSON(t *testing.T) {
 		want    dst
 		wantErr bool
 	}{
-		{
-			name:    "value not present",
-			input:   `{}`,
-			wantErr: false,
-			want: dst{
-				Locale: nil,
-			},
-		},
-		{
-			name:    "null",
-			input:   `{"locale": null}`,
-			wantErr: false,
-			want: dst{
-				Locale: nil,
-			},
-		},
-		{
-			name:    "empty, ignored",
-			input:   `{"locale": ""}`,
-			wantErr: false,
-			want: dst{
-				Locale: &Locale{},
-			},
-		},
 		{
 			name:  "afrikaans, ok",
 			input: `{"locale": "af"}`,
@@ -256,22 +232,23 @@ func TestLocale_UnmarshalJSON(t *testing.T) {
 			},
 		},
 		{
-			name:    "bad form, error",
-			input:   `{"locale": "g!!!!!"}`,
-			wantErr: true,
+			name:  "bad form, error",
+			input: `{"locale": "g!!!!!"}`,
+			want: dst{
+				Locale: &Locale{},
+			},
 		},
 	}
+
 	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var got dst
-			err := json.Unmarshal([]byte(tt.input), &got)
-			if tt.wantErr {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			assert.Equal(t, tt.want, got)
-		})
+		var got dst
+		err := json.Unmarshal([]byte(tt.input), &got)
+		if tt.wantErr {
+			require.Error(t, err)
+			return
+		}
+		require.NoError(t, err)
+		assert.Equal(t, tt.want, got)
 	}
 }
 

pkg/oidc/verifier_parse_test.go

@@ -5,10 +5,10 @@ import (
 	"encoding/json"
 	"testing"
 
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 func TestParseToken(t *testing.T) {

pkg/op/auth_request.go

@@ -15,9 +15,9 @@ import (
 	"strings"
 	"time"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/bmatcuk/doublestar/v4"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type AuthRequest interface {
@@ -38,13 +38,6 @@ type AuthRequest interface {
 	Done() bool
 }
 
-// AuthRequestSessionState should be implemented if [OpenID Connect Session Management](https://openid.net/specs/openid-connect-session-1_0.html) is supported
-type AuthRequestSessionState interface {
-	// GetSessionState returns session_state.
-	// session_state is related to OpenID Connect Session Management.
-	GetSessionState() string
-}
-
 type Authorizer interface {
 	Storage() Storage
 	Decoder() httphelper.Decoder
@@ -62,12 +55,6 @@ type AuthorizeValidator interface {
 	ValidateAuthRequest(context.Context, *oidc.AuthRequest, Storage, *IDTokenHintVerifier) (string, error)
 }
 
-type CodeResponseType struct {
-	Code         string `schema:"code"`
-	State        string `schema:"state,omitempty"`
-	SessionState string `schema:"session_state,omitempty"`
-}
-
 func authorizeHandler(authorizer Authorizer) func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		Authorize(w, r, authorizer)
@@ -116,8 +103,8 @@ func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 		}
 		return ValidateAuthRequestClient(ctx, authReq, client, verifier)
 	}
-	if validator, ok := authorizer.(AuthorizeValidator); ok {
-		validation = validator.ValidateAuthRequest
+	if validater, ok := authorizer.(AuthorizeValidator); ok {
+		validation = validater.ValidateAuthRequest
 	}
 	userID, err := validation(ctx, authReq, authorizer.Storage(), authorizer.IDTokenHintVerifier(ctx))
 	if err != nil {
@@ -483,70 +470,41 @@ func AuthResponse(authReq AuthRequest, authorizer Authorizer, w http.ResponseWri
 	AuthResponseToken(w, r, authReq, authorizer, client)
 }
 
-// AuthResponseCode handles the creation of a successful authentication response using an authorization code
+// AuthResponseCode creates the successful code authentication response
 func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer) {
 	ctx, span := tracer.Start(r.Context(), "AuthResponseCode")
-	defer span.End()
 	r = r.WithContext(ctx)
+	defer span.End()
 
-	var err error
-	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
-		err = handleFormPostResponse(w, r, authReq, authorizer)
-	} else {
-		err = handleRedirectResponse(w, r, authReq, authorizer)
-	}
-
+	code, err := CreateAuthRequestCode(r.Context(), authReq, authorizer.Storage(), authorizer.Crypto())
 	if err != nil {
 		AuthRequestError(w, r, authReq, err, authorizer)
+		return
+	}
+	codeResponse := struct {
+		Code  string `schema:"code"`
+		State string `schema:"state,omitempty"`
+	}{
+		Code:  code,
+		State: authReq.GetState(),
 	}
-}
 
-// handleFormPostResponse processes the authentication response using form post method
-func handleFormPostResponse(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer) error {
-	codeResponse, err := BuildAuthResponseCodeResponsePayload(r.Context(), authReq, authorizer)
+	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
+		err := AuthResponseFormPost(w, authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
+		if err != nil {
+			AuthRequestError(w, r, authReq, err, authorizer)
+			return
+		}
+
+		return
+	}
+
+	callback, err := AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), &codeResponse, authorizer.Encoder())
 	if err != nil {
-		return err
+		AuthRequestError(w, r, authReq, err, authorizer)
+		return
 	}
-	return AuthResponseFormPost(w, authReq.GetRedirectURI(), codeResponse, authorizer.Encoder())
-}
-
-// handleRedirectResponse processes the authentication response using the redirect method
-func handleRedirectResponse(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer) error {
-	callbackURL, err := BuildAuthResponseCallbackURL(r.Context(), authReq, authorizer)
-	if err != nil {
-		return err
-	}
-	http.Redirect(w, r, callbackURL, http.StatusFound)
-	return nil
-}
-
-// BuildAuthResponseCodeResponsePayload generates the authorization code response payload for the authentication request
-func BuildAuthResponseCodeResponsePayload(ctx context.Context, authReq AuthRequest, authorizer Authorizer) (*CodeResponseType, error) {
-	code, err := CreateAuthRequestCode(ctx, authReq, authorizer.Storage(), authorizer.Crypto())
-	if err != nil {
-		return nil, err
-	}
-
-	sessionState := ""
-	if authRequestSessionState, ok := authReq.(AuthRequestSessionState); ok {
-		sessionState = authRequestSessionState.GetSessionState()
-	}
-
-	return &CodeResponseType{
-		Code:         code,
-		State:        authReq.GetState(),
-		SessionState: sessionState,
-	}, nil
-}
-
-// BuildAuthResponseCallbackURL generates the callback URL for a successful authorization code response
-func BuildAuthResponseCallbackURL(ctx context.Context, authReq AuthRequest, authorizer Authorizer) (string, error) {
-	codeResponse, err := BuildAuthResponseCodeResponsePayload(ctx, authReq, authorizer)
-	if err != nil {
-		return "", err
-	}
-
-	return AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), codeResponse, authorizer.Encoder())
+	http.Redirect(w, r, callback, http.StatusFound)
 }
 
 // AuthResponseToken creates the successful token(s) authentication response

pkg/op/auth_request_test.go

@@ -11,15 +11,15 @@ import (
 	"reflect"
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
-	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op/mock"
 	"github.com/zitadel/schema"
 )
 
@@ -1090,34 +1090,6 @@ func TestAuthResponseCode(t *testing.T) {
 				wantBody:           "",
 			},
 		},
-		{
-			name: "success with state and session_state",
-			args: args{
-				authReq: &storage.AuthRequestWithSessionState{
-					AuthRequest: &storage.AuthRequest{
-						ID:            "id1",
-						TransferState: "state1",
-					},
-					SessionState: "session_state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantCode:           http.StatusFound,
-				wantLocationHeader: "/auth/callback/?code=id1&session_state=session_state1&state=state1",
-				wantBody:           "",
-			},
-		},
 		{
 			name: "success without state", // reproduce issue #415
 			args: args{
@@ -1225,133 +1197,6 @@ func Test_parseAuthorizeCallbackRequest(t *testing.T) {
 	}
 }
 
-func TestBuildAuthResponseCodeResponsePayload(t *testing.T) {
-	type args struct {
-		authReq    op.AuthRequest
-		authorizer func(*testing.T) op.Authorizer
-	}
-	type res struct {
-		wantCode         string
-		wantState        string
-		wantSessionState string
-		wantErr          bool
-	}
-	tests := []struct {
-		name string
-		args args
-		res  res
-	}{
-		{
-			name: "create code error",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID: "id1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{
-						returnErr: io.ErrClosedPipe,
-					})
-					return authorizer
-				},
-			},
-			res: res{
-				wantErr: true,
-			},
-		},
-		{
-			name: "success with state",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:            "id1",
-					TransferState: "state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					return authorizer
-				},
-			},
-			res: res{
-				wantCode:  "id1",
-				wantState: "state1",
-			},
-		},
-		{
-			name: "success without state",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:            "id1",
-					TransferState: "",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					return authorizer
-				},
-			},
-			res: res{
-				wantCode:  "id1",
-				wantState: "",
-			},
-		},
-		{
-			name: "success with session_state",
-			args: args{
-				authReq: &storage.AuthRequestWithSessionState{
-					AuthRequest: &storage.AuthRequest{
-						ID:            "id1",
-						TransferState: "state1",
-					},
-					SessionState: "session_state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					return authorizer
-				},
-			},
-			res: res{
-				wantCode:         "id1",
-				wantState:        "state1",
-				wantSessionState: "session_state1",
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := op.BuildAuthResponseCodeResponsePayload(context.Background(), tt.args.authReq, tt.args.authorizer(t))
-			if tt.res.wantErr {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			assert.Equal(t, tt.res.wantCode, got.Code)
-			assert.Equal(t, tt.res.wantState, got.State)
-			assert.Equal(t, tt.res.wantSessionState, got.SessionState)
-		})
-	}
-}
-
 func TestValidateAuthReqIDTokenHint(t *testing.T) {
 	token, _ := tu.ValidIDToken()
 	tests := []struct {
@@ -1382,231 +1227,3 @@ func TestValidateAuthReqIDTokenHint(t *testing.T) {
 		})
 	}
 }
-
-func TestBuildAuthResponseCallbackURL(t *testing.T) {
-	type args struct {
-		authReq    op.AuthRequest
-		authorizer func(*testing.T) op.Authorizer
-	}
-	type res struct {
-		wantURL string
-		wantErr bool
-	}
-	tests := []struct {
-		name string
-		args args
-		res  res
-	}{
-		{
-			name: "error when generating code response",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID: "id1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{
-						returnErr: io.ErrClosedPipe,
-					})
-					return authorizer
-				},
-			},
-			res: res{
-				wantErr: true,
-			},
-		},
-		{
-			name: "error when generating callback URL",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:          "id1",
-					CallbackURI: "://invalid-url",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantErr: true,
-			},
-		},
-		{
-			name: "success with state",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:            "id1",
-					CallbackURI:   "https://example.com/callback",
-					TransferState: "state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantURL: "https://example.com/callback?code=id1&state=state1",
-				wantErr: false,
-			},
-		},
-		{
-			name: "success without state",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:          "id1",
-					CallbackURI: "https://example.com/callback",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantURL: "https://example.com/callback?code=id1",
-				wantErr: false,
-			},
-		},
-		{
-			name: "success with session_state",
-			args: args{
-				authReq: &storage.AuthRequestWithSessionState{
-					AuthRequest: &storage.AuthRequest{
-						ID:            "id1",
-						CallbackURI:   "https://example.com/callback",
-						TransferState: "state1",
-					},
-					SessionState: "session_state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantURL: "https://example.com/callback?code=id1&session_state=session_state1&state=state1",
-				wantErr: false,
-			},
-		},
-		{
-			name: "success with existing query parameters",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:            "id1",
-					CallbackURI:   "https://example.com/callback?param=value",
-					TransferState: "state1",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantURL: "https://example.com/callback?param=value&code=id1&state=state1",
-				wantErr: false,
-			},
-		},
-		{
-			name: "success with fragment response mode",
-			args: args{
-				authReq: &storage.AuthRequest{
-					ID:            "id1",
-					CallbackURI:   "https://example.com/callback",
-					TransferState: "state1",
-					ResponseMode:  "fragment",
-				},
-				authorizer: func(t *testing.T) op.Authorizer {
-					ctrl := gomock.NewController(t)
-					storage := mock.NewMockStorage(ctrl)
-					storage.EXPECT().SaveAuthCode(gomock.Any(), "id1", "id1")
-
-					authorizer := mock.NewMockAuthorizer(ctrl)
-					authorizer.EXPECT().Storage().Return(storage)
-					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
-					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
-					return authorizer
-				},
-			},
-			res: res{
-				wantURL: "https://example.com/callback#code=id1&state=state1",
-				wantErr: false,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := op.BuildAuthResponseCallbackURL(context.Background(), tt.args.authReq, tt.args.authorizer(t))
-			if tt.res.wantErr {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			if tt.res.wantURL != "" {
-				// Parse the URLs to compare components instead of direct string comparison
-				expectedURL, err := url.Parse(tt.res.wantURL)
-				require.NoError(t, err)
-				actualURL, err := url.Parse(got)
-				require.NoError(t, err)
-
-				// Compare the base parts (scheme, host, path)
-				assert.Equal(t, expectedURL.Scheme, actualURL.Scheme)
-				assert.Equal(t, expectedURL.Host, actualURL.Host)
-				assert.Equal(t, expectedURL.Path, actualURL.Path)
-
-				// Compare the fragment if any
-				assert.Equal(t, expectedURL.Fragment, actualURL.Fragment)
-
-				// For query parameters, compare them independently of order
-				expectedQuery := expectedURL.Query()
-				actualQuery := actualURL.Query()
-
-				assert.Equal(t, len(expectedQuery), len(actualQuery), "Query parameter count does not match")
-
-				for key, expectedValues := range expectedQuery {
-					actualValues, exists := actualQuery[key]
-					assert.True(t, exists, "Expected query parameter %s not found", key)
-					assert.ElementsMatch(t, expectedValues, actualValues, "Values for parameter %s don't match", key)
-				}
-			}
-		})
-	}
-}

pkg/op/client.go

@@ -7,8 +7,8 @@ import (
 	"net/url"
 	"time"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 //go:generate go get github.com/dmarkham/enumer

pkg/op/client_test.go

@@ -10,13 +10,13 @@ import (
 	"strings"
 	"testing"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op/mock"
 	"github.com/zitadel/schema"
 )
 

pkg/op/config.go

@@ -30,7 +30,6 @@ type Configuration interface {
 	EndSessionEndpoint() *Endpoint
 	KeysEndpoint() *Endpoint
 	DeviceAuthorizationEndpoint() *Endpoint
-	CheckSessionIframe() *Endpoint
 
 	AuthMethodPostSupported() bool
 	CodeMethodS256Supported() bool

pkg/op/crypto.go

@@ -1,7 +1,7 @@
 package op
 
 import (
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	"github.com/zitadel/oidc/v3/pkg/crypto"
 )
 
 type Crypto interface {

pkg/op/device.go

@@ -13,8 +13,8 @@ import (
 	"strings"
 	"time"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type DeviceAuthorizationConfig struct {
@@ -91,7 +91,10 @@ func createDeviceAuthorization(ctx context.Context, req *oidc.DeviceAuthorizatio
 	}
 	config := o.DeviceAuthorization()
 
-	deviceCode, _ := NewDeviceCode(RecommendedDeviceCodeBytes)
+	deviceCode, err := NewDeviceCode(RecommendedDeviceCodeBytes)
+	if err != nil {
+		return nil, NewStatusError(err, http.StatusInternalServerError)
+	}
 	userCode, err := NewUserCode([]rune(config.UserCode.CharSet), config.UserCode.CharAmount, config.UserCode.DashInterval)
 	if err != nil {
 		return nil, NewStatusError(err, http.StatusInternalServerError)
@@ -160,14 +163,11 @@ func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuth
 // results in a 22 character base64 encoded string.
 const RecommendedDeviceCodeBytes = 16
 
-// NewDeviceCode generates a new cryptographically secure device code as a base64 encoded string.
-// The length of the string is nBytes * 4 / 3.
-// An error is never returned.
-//
-// TODO(v4): change return type to string alone.
 func NewDeviceCode(nBytes int) (string, error) {
 	bytes := make([]byte, nBytes)
-	rand.Read(bytes)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", fmt.Errorf("%w getting entropy for device code", err)
+	}
 	return base64.RawURLEncoding.EncodeToString(bytes), nil
 }
 

pkg/op/device_test.go

@@ -13,12 +13,12 @@ import (
 	"testing"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func Test_deviceAuthorizationHandler(t *testing.T) {
@@ -145,11 +145,21 @@ func runWithRandReader(r io.Reader, f func()) {
 }
 
 func TestNewDeviceCode(t *testing.T) {
-	for i := 1; i <= 32; i++ {
-		got, err := op.NewDeviceCode(i)
-		require.NoError(t, err)
-		assert.Len(t, got, base64.RawURLEncoding.EncodedLen(i))
-	}
+	t.Run("reader error", func(t *testing.T) {
+		runWithRandReader(errReader{}, func() {
+			_, err := op.NewDeviceCode(16)
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("different lengths, rand reader", func(t *testing.T) {
+		for i := 1; i <= 32; i++ {
+			got, err := op.NewDeviceCode(i)
+			require.NoError(t, err)
+			assert.Len(t, got, base64.RawURLEncoding.EncodedLen(i))
+		}
+	})
+
 }
 
 func TestNewUserCode(t *testing.T) {

pkg/op/discovery.go

@@ -6,8 +6,8 @@ import (
 
 	jose "github.com/go-jose/go-jose/v4"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type DiscoverStorage interface {
@@ -45,7 +45,6 @@ func CreateDiscoveryConfig(ctx context.Context, config Configuration, storage Di
 		EndSessionEndpoint:                         config.EndSessionEndpoint().Absolute(issuer),
 		JwksURI:                                    config.KeysEndpoint().Absolute(issuer),
 		DeviceAuthorizationEndpoint:                config.DeviceAuthorizationEndpoint().Absolute(issuer),
-		CheckSessionIframe:                         config.CheckSessionIframe().Absolute(issuer),
 		ScopesSupported:                            Scopes(config),
 		ResponseTypesSupported:                     ResponseTypes(config),
 		GrantTypesSupported:                        GrantTypes(config),

pkg/op/discovery_test.go

@@ -11,9 +11,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op/mock"
 )
 
 func TestDiscover(t *testing.T) {

pkg/op/endpoint_test.go

@@ -3,8 +3,8 @@ package op_test
 import (
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func TestEndpoint_Path(t *testing.T) {

pkg/op/error.go

@@ -7,8 +7,8 @@ import (
 	"log/slog"
 	"net/http"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type ErrAuthRequest interface {
@@ -46,12 +46,6 @@ func AuthRequestError(w http.ResponseWriter, r *http.Request, authReq ErrAuthReq
 		return
 	}
 	e.State = authReq.GetState()
-	var sessionState string
-	authRequestSessionState, ok := authReq.(AuthRequestSessionState)
-	if ok {
-		sessionState = authRequestSessionState.GetSessionState()
-	}
-	e.SessionState = sessionState
 	var responseMode oidc.ResponseMode
 	if rm, ok := authReq.(interface{ GetResponseMode() oidc.ResponseMode }); ok {
 		responseMode = rm.GetResponseMode()
@@ -98,12 +92,6 @@ func TryErrorRedirect(ctx context.Context, authReq ErrAuthRequest, parent error,
 	}
 
 	e.State = authReq.GetState()
-	var sessionState string
-	authRequestSessionState, ok := authReq.(AuthRequestSessionState)
-	if ok {
-		sessionState = authRequestSessionState.GetSessionState()
-	}
-	e.SessionState = sessionState
 	var responseMode oidc.ResponseMode
 	if rm, ok := authReq.(interface{ GetResponseMode() oidc.ResponseMode }); ok {
 		responseMode = rm.GetResponseMode()

pkg/op/error_test.go

@@ -11,9 +11,9 @@ import (
 	"strings"
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )
 

pkg/op/keys.go

@@ -6,7 +6,7 @@ import (
 
 	jose "github.com/go-jose/go-jose/v4"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 )
 
 type KeyProvider interface {

pkg/op/keys_test.go

@@ -11,9 +11,9 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/op/mock"
 )
 
 func TestKeys(t *testing.T) {

pkg/op/mock/authorizer.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Authorizer)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Authorizer)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -9,9 +9,9 @@ import (
 	slog "log/slog"
 	reflect "reflect"
 
-	http "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	http "github.com/zitadel/oidc/v3/pkg/http"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // MockAuthorizer is a mock of Authorizer interface.

pkg/op/mock/authorizer.mock.impl.go

@@ -8,8 +8,8 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/zitadel/schema"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func NewAuthorizer(t *testing.T) op.Authorizer {

pkg/op/mock/client.go

@@ -5,8 +5,8 @@ import (
 
 	"github.com/golang/mock/gomock"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func NewClient(t *testing.T) op.Client {

pkg/op/mock/client.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Client)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Client)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -8,9 +8,9 @@ import (
 	reflect "reflect"
 	time "time"
 
-	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // MockClient is a mock of Client interface.

pkg/op/mock/configuration.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Configuration)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Configuration)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -8,8 +8,8 @@ import (
 	http "net/http"
 	reflect "reflect"
 
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 	language "golang.org/x/text/language"
 )
 
@@ -106,20 +106,6 @@ func (mr *MockConfigurationMockRecorder) BackChannelLogoutSupported() *gomock.Ca
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BackChannelLogoutSupported", reflect.TypeOf((*MockConfiguration)(nil).BackChannelLogoutSupported))
 }
 
-// CheckSessionIframe mocks base method.
-func (m *MockConfiguration) CheckSessionIframe() *op.Endpoint {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CheckSessionIframe")
-	ret0, _ := ret[0].(*op.Endpoint)
-	return ret0
-}
-
-// CheckSessionIframe indicates an expected call of CheckSessionIframe.
-func (mr *MockConfigurationMockRecorder) CheckSessionIframe() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckSessionIframe", reflect.TypeOf((*MockConfiguration)(nil).CheckSessionIframe))
-}
-
 // CodeMethodS256Supported mocks base method.
 func (m *MockConfiguration) CodeMethodS256Supported() bool {
 	m.ctrl.T.Helper()

pkg/op/mock/discovery.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: DiscoverStorage)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: DiscoverStorage)
 
 // Package mock is a generated GoMock package.
 package mock

pkg/op/mock/generate.go

@@ -1,11 +1,11 @@
 package mock
 
 //go:generate go install github.com/golang/mock/mockgen@v1.6.0
-//go:generate mockgen -package mock -destination ./storage.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Storage
-//go:generate mockgen -package mock -destination ./authorizer.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Authorizer
-//go:generate mockgen -package mock -destination ./client.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Client
-//go:generate mockgen -package mock -destination ./glob.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op HasRedirectGlobs
-//go:generate mockgen -package mock -destination ./configuration.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Configuration
-//go:generate mockgen -package mock -destination ./discovery.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op DiscoverStorage
-//go:generate mockgen -package mock -destination ./signer.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op SigningKey,Key
-//go:generate mockgen -package mock -destination ./key.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op KeyProvider
+//go:generate mockgen -package mock -destination ./storage.mock.go github.com/zitadel/oidc/v3/pkg/op Storage
+//go:generate mockgen -package mock -destination ./authorizer.mock.go github.com/zitadel/oidc/v3/pkg/op Authorizer
+//go:generate mockgen -package mock -destination ./client.mock.go github.com/zitadel/oidc/v3/pkg/op Client
+//go:generate mockgen -package mock -destination ./glob.mock.go github.com/zitadel/oidc/v3/pkg/op HasRedirectGlobs
+//go:generate mockgen -package mock -destination ./configuration.mock.go github.com/zitadel/oidc/v3/pkg/op Configuration
+//go:generate mockgen -package mock -destination ./discovery.mock.go github.com/zitadel/oidc/v3/pkg/op DiscoverStorage
+//go:generate mockgen -package mock -destination ./signer.mock.go github.com/zitadel/oidc/v3/pkg/op SigningKey,Key
+//go:generate mockgen -package mock -destination ./key.mock.go github.com/zitadel/oidc/v3/pkg/op KeyProvider

pkg/op/mock/glob.go

@@ -3,9 +3,9 @@ package mock
 import (
 	"testing"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func NewHasRedirectGlobs(t *testing.T) op.HasRedirectGlobs {

pkg/op/mock/glob.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: HasRedirectGlobs)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: HasRedirectGlobs)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -8,9 +8,9 @@ import (
 	reflect "reflect"
 	time "time"
 
-	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // MockHasRedirectGlobs is a mock of HasRedirectGlobs interface.

pkg/op/mock/key.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: KeyProvider)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: KeyProvider)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -8,8 +8,8 @@ import (
 	context "context"
 	reflect "reflect"
 
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // MockKeyProvider is a mock of KeyProvider interface.

pkg/op/mock/signer.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: SigningKey,Key)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: SigningKey,Key)
 
 // Package mock is a generated GoMock package.
 package mock

pkg/op/mock/storage.mock.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Storage)
+// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Storage)
 
 // Package mock is a generated GoMock package.
 package mock
@@ -9,10 +9,10 @@ import (
 	reflect "reflect"
 	time "time"
 
-	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	jose "github.com/go-jose/go-jose/v4"
 	gomock "github.com/golang/mock/gomock"
+	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
+	op "github.com/zitadel/oidc/v3/pkg/op"
 )
 
 // MockStorage is a mock of Storage interface.

pkg/op/mock/storage.mock.impl.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/golang/mock/gomock"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func NewStorage(t *testing.T) op.Storage {

pkg/op/op.go

@@ -14,8 +14,8 @@ import (
 	"go.opentelemetry.io/otel"
 	"golang.org/x/text/language"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 const (
@@ -339,10 +339,6 @@ func (o *Provider) DeviceAuthorizationEndpoint() *Endpoint {
 	return o.endpoints.DeviceAuthorization
 }
 
-func (o *Provider) CheckSessionIframe() *Endpoint {
-	return o.endpoints.CheckSessionIframe
-}
-
 func (o *Provider) KeysEndpoint() *Endpoint {
 	return o.endpoints.JwksURI
 }

pkg/op/op_test.go

@@ -11,12 +11,12 @@ import (
 	"testing"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 	"golang.org/x/text/language"
 )
 

pkg/op/probes.go

@@ -5,7 +5,7 @@ import (
 	"errors"
 	"net/http"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 )
 
 type ProbesFn func(context.Context) error

pkg/op/server.go

@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"net/url"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/muhlemmer/gu"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // Server describes the interface that needs to be implemented to serve

pkg/op/server_http.go

@@ -6,11 +6,11 @@ import (
 	"net/http"
 	"net/url"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-chi/chi/v5"
 	"github.com/rs/cors"
 	"github.com/zitadel/logging"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )
 

pkg/op/server_http_routes_test.go

@@ -14,9 +14,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )
 
 func jwtProfile() (string, error) {

pkg/op/server_http_test.go

@@ -14,11 +14,11 @@ import (
 	"testing"
 	"time"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )
 

pkg/op/server_legacy.go

@@ -6,8 +6,8 @@ import (
 	"net/http"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-chi/chi/v5"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // ExtendedLegacyServer allows embedding [LegacyServer] in a struct,

pkg/op/session.go

@@ -8,8 +8,8 @@ import (
 	"net/url"
 	"path"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type SessionEnder interface {
@@ -73,8 +73,6 @@ func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest,
 
 	session := &EndSessionRequest{
 		RedirectURI: ender.DefaultLogoutRedirectURI(),
-		LogoutHint:  req.LogoutHint,
-		UILocales:   req.UILocales,
 	}
 	if req.IdTokenHint != "" {
 		claims, err := VerifyIDTokenHint[*oidc.IDTokenClaims](ctx, req.IdTokenHint, ender.IDTokenHintVerifier(ctx))

pkg/op/storage.go

@@ -6,9 +6,8 @@ import (
 	"time"
 
 	jose "github.com/go-jose/go-jose/v4"
-	"golang.org/x/text/language"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type AuthStorage interface {
@@ -145,12 +144,6 @@ type CanSetUserinfoFromRequest interface {
 	SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, request IDTokenRequest, scopes []string) error
 }
 
-// CanGetPrivateClaimsFromRequest is an optional additional interface that may be implemented by
-// implementors of Storage. It allows setting the jwt token claims based on the request.
-type CanGetPrivateClaimsFromRequest interface {
-	GetPrivateClaimsFromRequest(ctx context.Context, request TokenRequest, restrictedScopes []string) (map[string]any, error)
-}
-
 // Storage is a required parameter for NewOpenIDProvider(). In addition to the
 // embedded interfaces below, if the passed Storage implements ClientCredentialsStorage
 // then the grant type "client_credentials" will be supported. In that case, the access
@@ -171,8 +164,6 @@ type EndSessionRequest struct {
 	ClientID          string
 	IDTokenHintClaims *oidc.IDTokenClaims
 	RedirectURI       string
-	LogoutHint        string
-	UILocales         []language.Tag
 }
 
 var ErrDuplicateUserCode = errors.New("user code already exists")

pkg/op/token.go

@@ -5,8 +5,8 @@ import (
 	"slices"
 	"time"
 
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/crypto"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 type TokenCreator interface {
@@ -147,11 +147,7 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 				tokenExchangeRequest,
 			)
 		} else {
-			if fromRequest, ok := storage.(CanGetPrivateClaimsFromRequest); ok {
-				privateClaims, err = fromRequest.GetPrivateClaimsFromRequest(ctx, tokenRequest, removeUserinfoScopes(restrictedScopes))
-			} else {
-				privateClaims, err = storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))
-			}
+			privateClaims, err = storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))
 		}
 
 		if err != nil {

pkg/op/token_client_credentials.go

@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"net/url"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including

pkg/op/token_code.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"
 
-	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
-	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
 
 // CodeExchange handles the OAuth 2.0 authorization_code grant, including