replace github url

add function to marshal aud into a string if the array has a len of 1, to comply with rfc
remove actions
2025-06-20 09:45:28 +02:00 · 2025-06-20 09:39:40 +02:00 · 2025-06-20 08:56:29 +02:00 · 2025-06-20 08:44:27 +02:00 · 2025-06-17 14:32:55 +02:00 · 2025-06-17 11:17:14 +02:00
111 changed files with 253 additions and 310 deletions
--- a/.forgejo.bak/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.forgejo.bak/ISSUE_TEMPLATE/bug_report.yaml
@ -2,6 +2,7 @@ name: Bug Report
 description: "Create a bug report to help us improve ZITADEL. Click [here](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#product-management) to see how we process your issue."
 title: "[Bug]: "
 labels: ["bug"]
+type: Bug
 body:
  - type: markdown
    attributes:
--- a/.forgejo.bak/ISSUE_TEMPLATE/config.yml
+++ b/.forgejo.bak/ISSUE_TEMPLATE/config.yml
--- a/.forgejo.bak/ISSUE_TEMPLATE/docs.yaml
+++ b/.forgejo.bak/ISSUE_TEMPLATE/docs.yaml
@ -1,6 +1,7 @@
 name: 📄 Documentation
 description: Create an issue for missing or wrong documentation.
 labels: ["docs"]
+type: task
 body:
  - type: markdown
    attributes:
--- a/.forgejo.bak/ISSUE_TEMPLATE/enhancement.yaml
+++ b/.forgejo.bak/ISSUE_TEMPLATE/enhancement.yaml
@ -1,11 +1,12 @@
 name: 🛠️ Improvement
 description: "Create an new issue for an improvment in ZITADEL"
-labels: ["improvement"]
+labels: ["enhancement"]
+type: enhancement
 body:
  - type: markdown
    attributes:
      value: |
-        Thanks for taking the time to fill out this improvement request
+        Thanks for taking the time to fill out this proposal / feature reqeust
  - type: checkboxes
    id: preflight
    attributes:
--- a/.forgejo.bak/dependabot.yml
+++ b/.forgejo.bak/dependabot.yml
--- a/.forgejo.bak/pull_request_template.md
+++ b/.forgejo.bak/pull_request_template.md
--- a/.forgejo.bak/workflows/codeql-analysis.yml
+++ b/.forgejo.bak/workflows/codeql-analysis.yml
--- a/.forgejo.bak/workflows/issue.yml
+++ b/.forgejo.bak/workflows/issue.yml
--- a/.forgejo.bak/workflows/release.yml
+++ b/.forgejo.bak/workflows/release.yml
--- a/.github/ISSUE_TEMPLATE/proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/proposal.yaml
@ -1,44 +0,0 @@
-name: 💡 Proposal / Feature request
-description: "Create an issue for a feature request/proposal."
-labels: ["enhancement"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this proposal / feature reqeust
-  - type: checkboxes
-    id: preflight
-    attributes:
-      label: Preflight Checklist
-      options:
-      - label:
-          I could not find a solution in the existing issues, docs, nor discussions
-        required: true
-      - label:
-          I have joined the [ZITADEL chat](https://zitadel.com/chat)
-  - type: textarea
-    id: problem
-    attributes:
-      label: Describe your problem
-      description: Please describe your problem this proposal / feature is supposed to solve.
-      placeholder: Describe the problem you have.
-    validations:
-      required: true
-  - type: textarea
-    id: solution
-    attributes:
-      label: Describe your ideal solution
-      description: Which solution do you propose?
-      placeholder: As a [type of user], I want [some goal] so that [some reason].
-    validations:
-      required: true
-  - type: input
-    id: version
-    attributes:
-      label: Version
-      description: Which version of the OIDC Library are you using.
-  - type: textarea
-    id: additional
-    attributes:
-      label: Additional Context
-      description: Please add any other infos that could be useful.
--- a/example/client/api/api.go
+++ b/example/client/api/api.go
@ -13,8 +13,8 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"

-	"github.com/zitadel/oidc/v3/pkg/client/rs"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 const (
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@ -7,7 +7,6 @@ import (
 	"log/slog"
 	"net/http"
 	"os"
-	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@ -15,10 +14,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 var (
@ -35,14 +34,6 @@ func main() {
 	scopes := strings.Split(os.Getenv("SCOPES"), " ")
 	responseMode := os.Getenv("RESPONSE_MODE")

-	var pkce bool
-	if pkceEnv, ok := os.LookupEnv("PKCE"); ok {
-		var err error
-		pkce, err = strconv.ParseBool(pkceEnv)
-		if err != nil {
-			logrus.Fatalf("error parsing PKCE %s", err.Error())
-		}
-	}
 	redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath)
 	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())

@ -73,9 +64,6 @@ func main() {
 	if keyPath != "" {
 		options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath)))
 	}
-	if pkce {
-		options = append(options, rp.WithPKCE(cookieHandler))
-	}

 	// One can add a logger to the context,
 	// pre-defining log attributes as required.
--- a/example/client/device/device.go
+++ b/example/client/device/device.go
@ -45,8 +45,8 @@ import (

 	"github.com/sirupsen/logrus"

-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
 )

 var (
--- a/example/client/github/github.go
+++ b/example/client/github/github.go
@ -10,10 +10,10 @@ import (
 	"golang.org/x/oauth2"
 	githubOAuth "golang.org/x/oauth2/github"

-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	"github.com/zitadel/oidc/v3/pkg/client/rp/cli"
-	"github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp/cli"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 var (
--- a/example/client/service/service.go
+++ b/example/client/service/service.go
@ -13,7 +13,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/pkg/client/profile"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/profile"
 )

 var client = http.DefaultClient
--- a/example/server/dynamic/login.go
+++ b/example/server/dynamic/login.go
@ -8,7 +8,7 @@ import (

 	"github.com/go-chi/chi/v5"

-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 const (
--- a/example/server/dynamic/op.go
+++ b/example/server/dynamic/op.go
@ -10,8 +10,8 @@ import (
 	"github.com/go-chi/chi/v5"
 	"golang.org/x/text/language"

-	"github.com/zitadel/oidc/v3/example/server/storage"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 const (
--- a/example/server/exampleop/device.go
+++ b/example/server/exampleop/device.go
@ -8,10 +8,10 @@ import (
 	"net/http"
 	"net/url"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/go-chi/chi/v5"
 	"github.com/gorilla/securecookie"
 	"github.com/sirupsen/logrus"
-	"github.com/zitadel/oidc/v3/pkg/op"
 )

 type deviceAuthenticate interface {
--- a/example/server/exampleop/login.go
+++ b/example/server/exampleop/login.go
@ -5,8 +5,8 @@ import (
 	"fmt"
 	"net/http"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/go-chi/chi/v5"
-	"github.com/zitadel/oidc/v3/pkg/op"
 )

 type login struct {
--- a/example/server/exampleop/op.go
+++ b/example/server/exampleop/op.go
@ -12,7 +12,7 @@ import (
 	"github.com/zitadel/logging"
 	"golang.org/x/text/language"

-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 const (
--- a/example/server/exampleop/templates/login.html
+++ b/example/server/exampleop/templates/login.html
@ -25,5 +25,5 @@
            <button type="submit">Login</button>
        </form>
    </body>
-</html>
-{{- end }}
+</html>`
+{{- end }}
--- a/example/server/main.go
+++ b/example/server/main.go
@ -6,9 +6,9 @@ import (
 	"net/http"
 	"os"

-	"github.com/zitadel/oidc/v3/example/server/config"
-	"github.com/zitadel/oidc/v3/example/server/exampleop"
-	"github.com/zitadel/oidc/v3/example/server/storage"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/config"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/exampleop"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
 )

 func getUserStore(cfg *config.Config) (storage.UserStore, error) {
--- a/example/server/storage/client.go
+++ b/example/server/storage/client.go
@ -3,8 +3,8 @@ package storage
 import (
 	"time"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 var (
--- a/example/server/storage/oidc.go
+++ b/example/server/storage/oidc.go
@ -6,8 +6,8 @@ import (

 	"golang.org/x/text/language"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 const (
@ -18,7 +18,7 @@ const (
 	// CustomClaim is an example for how to return custom claims with this library
 	CustomClaim = "custom_claim"

-	// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchange
+	// CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchage
 	CustomScopeImpersonatePrefix = "custom_scope:impersonate:"
 )

@ -143,14 +143,6 @@ func MaxAgeToInternal(maxAge *uint) *time.Duration {
 }

 func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest {
-	var codeChallenge *OIDCCodeChallenge
-	if authReq.CodeChallenge != "" {
-		codeChallenge = &OIDCCodeChallenge{
-			Challenge: authReq.CodeChallenge,
-			Method:    string(authReq.CodeChallengeMethod),
-		}
-	}
-
 	return &AuthRequest{
 		CreationDate:  time.Now(),
 		ApplicationID: authReq.ClientID,
@ -165,7 +157,10 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
 		ResponseType:  authReq.ResponseType,
 		ResponseMode:  authReq.ResponseMode,
 		Nonce:         authReq.Nonce,
-		CodeChallenge: codeChallenge,
+		CodeChallenge: &OIDCCodeChallenge{
+			Challenge: authReq.CodeChallenge,
+			Method:    string(authReq.CodeChallengeMethod),
+		},
 	}
 }

--- a/example/server/storage/storage.go
+++ b/example/server/storage/storage.go
@ -14,8 +14,8 @@ import (
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 // serviceKey1 is a public key which will be used for the JWT Profile Authorization Grant
--- a/example/server/storage/storage_dynamic.go
+++ b/example/server/storage/storage_dynamic.go
@ -6,8 +6,8 @@ import (

 	jose "github.com/go-jose/go-jose/v4"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 type multiStorage struct {
--- a/go.mod
+++ b/go.mod
@ -1,4 +1,4 @@
-module github.com/zitadel/oidc/v3
+module git.christmann.info/LARA/zitadel-oidc/v3

 go 1.23.7

@ -22,7 +22,7 @@ require (
 	github.com/zitadel/schema v1.3.1
 	go.opentelemetry.io/otel v1.29.0
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/text v0.25.0
+	golang.org/x/text v0.26.0
 )

 require (
--- a/go.sum
+++ b/go.sum
@ -88,8 +88,8 @@ golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
--- a/internal/testutil/gen/gen.go
+++ b/internal/testutil/gen/gen.go
@ -8,8 +8,8 @@ import (
 	"fmt"
 	"os"

-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 var custom = map[string]any{
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@ -8,9 +8,9 @@ import (
 	"errors"
 	"time"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/muhlemmer/gu"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 // KeySet implements oidc.Keys
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@ -15,9 +15,9 @@ import (
 	"go.opentelemetry.io/otel"
 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/pkg/crypto"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 var (
--- a/pkg/client/client_test.go
+++ b/pkg/client/client_test.go
@ -5,9 +5,9 @@ import (
 	"net/http"
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 func TestDiscover(t *testing.T) {
--- a/pkg/client/integration_test.go
+++ b/pkg/client/integration_test.go
@ -23,14 +23,14 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/example/server/exampleop"
-	"github.com/zitadel/oidc/v3/example/server/storage"
-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	"github.com/zitadel/oidc/v3/pkg/client/rs"
-	"github.com/zitadel/oidc/v3/pkg/client/tokenexchange"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/exampleop"
+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/tokenexchange"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 var Logger = slog.New(
--- a/pkg/client/jwt_profile.go
+++ b/pkg/client/jwt_profile.go
@ -6,8 +6,8 @@ import (

 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 // JWTProfileExchange handles the oauth2 jwt profile exchange
--- a/pkg/client/profile/jwt_profile.go
+++ b/pkg/client/profile/jwt_profile.go
@ -8,8 +8,8 @@ import (
 	jose "github.com/go-jose/go-jose/v4"
 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type TokenSource interface {
--- a/pkg/client/rp/cli/cli.go
+++ b/pkg/client/rp/cli/cli.go
@ -4,9 +4,9 @@ import (
 	"context"
 	"net/http"

-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 const (
--- a/pkg/client/rp/delegation.go
+++ b/pkg/client/rp/delegation.go
@ -1,7 +1,7 @@
 package rp

 import (
-	"github.com/zitadel/oidc/v3/pkg/oidc/grants/tokenexchange"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc/grants/tokenexchange"
 )

 // DelegationTokenRequest is an implementation of TokenExchangeRequest
--- a/pkg/client/rp/device.go
+++ b/pkg/client/rp/device.go
@ -5,8 +5,8 @@ import (
 	"fmt"
 	"time"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 func newDeviceClientCredentialsRequest(scopes []string, rp RelyingParty) (*oidc.ClientCredentialsRequest, error) {
--- a/pkg/client/rp/jwks.go
+++ b/pkg/client/rp/jwks.go
@ -9,9 +9,9 @@ import (

 	jose "github.com/go-jose/go-jose/v4"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 func NewRemoteKeySet(client *http.Client, jwksURL string, opts ...func(*remoteKeySet)) oidc.KeySet {
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@ -14,10 +14,10 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v3/pkg/client"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 const (
--- a/pkg/client/rp/relying_party_test.go
+++ b/pkg/client/rp/relying_party_test.go
@ -5,10 +5,10 @@ import (
 	"testing"
 	"time"

+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"golang.org/x/oauth2"
 )

--- a/pkg/client/rp/tockenexchange.go
+++ b/pkg/client/rp/tockenexchange.go
@ -5,7 +5,7 @@ import (

 	"golang.org/x/oauth2"

-	"github.com/zitadel/oidc/v3/pkg/oidc/grants/tokenexchange"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc/grants/tokenexchange"
 )

 // TokenExchangeRP extends the `RelyingParty` interface for the *draft* oauth2 `Token Exchange`
--- a/pkg/client/rp/userinfo_example_test.go
+++ b/pkg/client/rp/userinfo_example_test.go
@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"

-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type UserInfo struct {
--- a/pkg/client/rp/verifier.go
+++ b/pkg/client/rp/verifier.go
@ -6,8 +6,8 @@ import (

 	jose "github.com/go-jose/go-jose/v4"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 // VerifyTokens implement the Token Response Validation as defined in OIDC specification
--- a/pkg/client/rp/verifier_test.go
+++ b/pkg/client/rp/verifier_test.go
@ -5,11 +5,11 @@ import (
 	"testing"
 	"time"

+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 func TestVerifyTokens(t *testing.T) {
--- a/pkg/client/rp/verifier_tokens_example_test.go
+++ b/pkg/client/rp/verifier_tokens_example_test.go
@ -4,9 +4,9 @@ import (
 	"context"
 	"fmt"

-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rp"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 // MyCustomClaims extends the TokenClaims base,
--- a/pkg/client/rs/introspect_example_test.go
+++ b/pkg/client/rs/introspect_example_test.go
@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"

-	"github.com/zitadel/oidc/v3/pkg/client/rs"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client/rs"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type IntrospectionResponse struct {
--- a/pkg/client/rs/resource_server.go
+++ b/pkg/client/rs/resource_server.go
@ -6,9 +6,9 @@ import (
 	"net/http"
 	"time"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type ResourceServer interface {
--- a/pkg/client/rs/resource_server_test.go
+++ b/pkg/client/rs/resource_server_test.go
@ -4,9 +4,9 @@ import (
 	"context"
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 func TestNewResourceServer(t *testing.T) {
--- a/pkg/client/tokenexchange/tokenexchange.go
+++ b/pkg/client/tokenexchange/tokenexchange.go
@ -6,10 +6,10 @@ import (
 	"net/http"
 	"time"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-jose/go-jose/v4"
-	"github.com/zitadel/oidc/v3/pkg/client"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 type TokenExchanger interface {
--- a/pkg/crypto/key_test.go
+++ b/pkg/crypto/key_test.go
@ -10,7 +10,7 @@ import (
 	"github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"

-	zcrypto "github.com/zitadel/oidc/v3/pkg/crypto"
+	zcrypto "git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
 )

 func TestBytesToPrivateKey(t *testing.T) {
--- a/pkg/http/http.go
+++ b/pkg/http/http.go
@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 var DefaultHTTPClient = &http.Client{
--- a/pkg/oidc/code_challenge.go
+++ b/pkg/oidc/code_challenge.go
@ -3,7 +3,7 @@ package oidc
 import (
 	"crypto/sha256"

-	"github.com/zitadel/oidc/v3/pkg/crypto"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
 )

 const (
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -10,7 +10,7 @@ import (

 	"github.com/muhlemmer/gu"

-	"github.com/zitadel/oidc/v3/pkg/crypto"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
 )

 const (
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@ -35,6 +35,17 @@ func (a *Audience) UnmarshalJSON(text []byte) error {
 	return nil
 }

+func (a *Audience) MarshalJSON() ([]byte, error) {
+	len := len(*a)
+	if len > 1 {
+		return json.Marshal(*a)
+	} else if len == 1 {
+		return json.Marshal((*a)[0])
+	}
+
+	return nil, errors.New("aud is empty")
+}
+
 type Display string

 func (d *Display) UnmarshalText(text []byte) error {
--- a/pkg/oidc/verifier_parse_test.go
+++ b/pkg/oidc/verifier_parse_test.go
@ -5,10 +5,10 @@ import (
 	"encoding/json"
 	"testing"

+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 func TestParseToken(t *testing.T) {
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@ -15,9 +15,9 @@ import (
 	"strings"
 	"time"

+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/bmatcuk/doublestar/v4"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 type AuthRequest interface {
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@ -11,15 +11,15 @@ import (
 	"reflect"
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	tu "git.christmann.info/LARA/zitadel-oidc/v3/internal/testutil"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/example/server/storage"
-	tu "github.com/zitadel/oidc/v3/internal/testutil"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
-	"github.com/zitadel/oidc/v3/pkg/op/mock"
 	"github.com/zitadel/schema"
 )

--- a/pkg/op/client.go
+++ b/pkg/op/client.go
@ -7,8 +7,8 @@ import (
 	"net/url"
 	"time"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 //go:generate go get github.com/dmarkham/enumer
--- a/pkg/op/client_test.go
+++ b/pkg/op/client_test.go
@ -10,13 +10,13 @@ import (
 	"strings"
 	"testing"

+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
-	"github.com/zitadel/oidc/v3/pkg/op/mock"
 	"github.com/zitadel/schema"
 )

--- a/pkg/op/crypto.go
+++ b/pkg/op/crypto.go
@ -1,7 +1,7 @@
 package op

 import (
-	"github.com/zitadel/oidc/v3/pkg/crypto"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
 )

 type Crypto interface {
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@ -13,8 +13,8 @@ import (
 	"strings"
 	"time"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type DeviceAuthorizationConfig struct {
--- a/pkg/op/device_test.go
+++ b/pkg/op/device_test.go
@ -13,12 +13,12 @@ import (
 	"testing"
 	"time"

+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/example/server/storage"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
 )

 func Test_deviceAuthorizationHandler(t *testing.T) {
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -6,8 +6,8 @@ import (

 	jose "github.com/go-jose/go-jose/v4"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type DiscoverStorage interface {
--- a/pkg/op/discovery_test.go
+++ b/pkg/op/discovery_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
-	"github.com/zitadel/oidc/v3/pkg/op/mock"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 )

 func TestDiscover(t *testing.T) {
--- a/pkg/op/endpoint_test.go
+++ b/pkg/op/endpoint_test.go
@ -3,8 +3,8 @@ package op_test
 import (
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/pkg/op"
 )

 func TestEndpoint_Path(t *testing.T) {
--- a/pkg/op/error.go
+++ b/pkg/op/error.go
@ -7,8 +7,8 @@ import (
 	"log/slog"
 	"net/http"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type ErrAuthRequest interface {
--- a/pkg/op/error_test.go
+++ b/pkg/op/error_test.go
@ -11,9 +11,9 @@ import (
 	"strings"
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )

--- a/pkg/op/keys.go
+++ b/pkg/op/keys.go
@ -6,7 +6,7 @@ import (

 	jose "github.com/go-jose/go-jose/v4"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
 )

 type KeyProvider interface {
--- a/pkg/op/keys_test.go
+++ b/pkg/op/keys_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
-	"github.com/zitadel/oidc/v3/pkg/op/mock"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op/mock"
 )

 func TestKeys(t *testing.T) {
--- a/pkg/op/mock/authorizer.mock.go
+++ b/pkg/op/mock/authorizer.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Authorizer)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Authorizer)

 // Package mock is a generated GoMock package.
 package mock
@ -9,9 +9,9 @@ import (
 	slog "log/slog"
 	reflect "reflect"

+	http "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	http "github.com/zitadel/oidc/v3/pkg/http"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 // MockAuthorizer is a mock of Authorizer interface.
--- a/pkg/op/mock/authorizer.mock.impl.go
+++ b/pkg/op/mock/authorizer.mock.impl.go
@ -8,8 +8,8 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/zitadel/schema"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 func NewAuthorizer(t *testing.T) op.Authorizer {
--- a/pkg/op/mock/client.go
+++ b/pkg/op/mock/client.go
@ -5,8 +5,8 @@ import (

 	"github.com/golang/mock/gomock"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 func NewClient(t *testing.T) op.Client {
--- a/pkg/op/mock/client.mock.go
+++ b/pkg/op/mock/client.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Client)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Client)

 // Package mock is a generated GoMock package.
 package mock
@ -8,9 +8,9 @@ import (
 	reflect "reflect"
 	time "time"

+	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 // MockClient is a mock of Client interface.
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Configuration)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Configuration)

 // Package mock is a generated GoMock package.
 package mock
@ -8,8 +8,8 @@ import (
 	http "net/http"
 	reflect "reflect"

+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 	language "golang.org/x/text/language"
 )

--- a/pkg/op/mock/discovery.mock.go
+++ b/pkg/op/mock/discovery.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: DiscoverStorage)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: DiscoverStorage)

 // Package mock is a generated GoMock package.
 package mock
--- a/pkg/op/mock/generate.go
+++ b/pkg/op/mock/generate.go
@ -1,11 +1,11 @@
 package mock

 //go:generate go install github.com/golang/mock/mockgen@v1.6.0
-//go:generate mockgen -package mock -destination ./storage.mock.go github.com/zitadel/oidc/v3/pkg/op Storage
-//go:generate mockgen -package mock -destination ./authorizer.mock.go github.com/zitadel/oidc/v3/pkg/op Authorizer
-//go:generate mockgen -package mock -destination ./client.mock.go github.com/zitadel/oidc/v3/pkg/op Client
-//go:generate mockgen -package mock -destination ./glob.mock.go github.com/zitadel/oidc/v3/pkg/op HasRedirectGlobs
-//go:generate mockgen -package mock -destination ./configuration.mock.go github.com/zitadel/oidc/v3/pkg/op Configuration
-//go:generate mockgen -package mock -destination ./discovery.mock.go github.com/zitadel/oidc/v3/pkg/op DiscoverStorage
-//go:generate mockgen -package mock -destination ./signer.mock.go github.com/zitadel/oidc/v3/pkg/op SigningKey,Key
-//go:generate mockgen -package mock -destination ./key.mock.go github.com/zitadel/oidc/v3/pkg/op KeyProvider
+//go:generate mockgen -package mock -destination ./storage.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Storage
+//go:generate mockgen -package mock -destination ./authorizer.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Authorizer
+//go:generate mockgen -package mock -destination ./client.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Client
+//go:generate mockgen -package mock -destination ./glob.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op HasRedirectGlobs
+//go:generate mockgen -package mock -destination ./configuration.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op Configuration
+//go:generate mockgen -package mock -destination ./discovery.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op DiscoverStorage
+//go:generate mockgen -package mock -destination ./signer.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op SigningKey,Key
+//go:generate mockgen -package mock -destination ./key.mock.go git.christmann.info/LARA/zitadel-oidc/v3/pkg/op KeyProvider
--- a/pkg/op/mock/glob.go
+++ b/pkg/op/mock/glob.go
@ -3,9 +3,9 @@ package mock
 import (
 	"testing"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 func NewHasRedirectGlobs(t *testing.T) op.HasRedirectGlobs {
--- a/pkg/op/mock/glob.mock.go
+++ b/pkg/op/mock/glob.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: HasRedirectGlobs)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: HasRedirectGlobs)

 // Package mock is a generated GoMock package.
 package mock
@ -8,9 +8,9 @@ import (
 	reflect "reflect"
 	time "time"

+	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 // MockHasRedirectGlobs is a mock of HasRedirectGlobs interface.
--- a/pkg/op/mock/key.mock.go
+++ b/pkg/op/mock/key.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: KeyProvider)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: KeyProvider)

 // Package mock is a generated GoMock package.
 package mock
@ -8,8 +8,8 @@ import (
 	context "context"
 	reflect "reflect"

+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	gomock "github.com/golang/mock/gomock"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 // MockKeyProvider is a mock of KeyProvider interface.
--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: SigningKey,Key)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: SigningKey,Key)

 // Package mock is a generated GoMock package.
 package mock
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/zitadel/oidc/v3/pkg/op (interfaces: Storage)
+// Source: git.christmann.info/LARA/zitadel-oidc/v3/pkg/op (interfaces: Storage)

 // Package mock is a generated GoMock package.
 package mock
@ -9,10 +9,10 @@ import (
 	reflect "reflect"
 	time "time"

+	oidc "git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	op "git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	jose "github.com/go-jose/go-jose/v4"
 	gomock "github.com/golang/mock/gomock"
-	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
-	op "github.com/zitadel/oidc/v3/pkg/op"
 )

 // MockStorage is a mock of Storage interface.
--- a/pkg/op/mock/storage.mock.impl.go
+++ b/pkg/op/mock/storage.mock.impl.go
@ -8,8 +8,8 @@ import (

 	"github.com/golang/mock/gomock"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 func NewStorage(t *testing.T) op.Storage {
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -14,8 +14,8 @@ import (
 	"go.opentelemetry.io/otel"
 	"golang.org/x/text/language"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 const (
--- a/pkg/op/op_test.go
+++ b/pkg/op/op_test.go
@ -11,12 +11,12 @@ import (
 	"testing"
 	"time"

+	"git.christmann.info/LARA/zitadel-oidc/v3/example/server/storage"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v3/example/server/storage"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
 	"golang.org/x/text/language"
 )

@ -102,7 +102,6 @@ func TestRoutes(t *testing.T) {
 	authReq, err := storage.CreateAuthRequest(ctx, oidcAuthReq, "id1")
 	require.NoError(t, err)
 	storage.AuthRequestDone(authReq.GetID())
-	storage.SaveAuthCode(ctx, authReq.GetID(), "123")

 	accessToken, refreshToken, _, err := op.CreateAccessToken(ctx, authReq, op.AccessTokenTypeBearer, testProvider, client, "")
 	require.NoError(t, err)
--- a/pkg/op/probes.go
+++ b/pkg/op/probes.go
@ -5,7 +5,7 @@ import (
 	"errors"
 	"net/http"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
 )

 type ProbesFn func(context.Context) error
--- a/pkg/op/server.go
+++ b/pkg/op/server.go
@ -5,9 +5,9 @@ import (
 	"net/http"
 	"net/url"

+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/muhlemmer/gu"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 // Server describes the interface that needs to be implemented to serve
--- a/pkg/op/server_http.go
+++ b/pkg/op/server_http.go
@ -6,11 +6,11 @@ import (
 	"net/http"
 	"net/url"

+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-chi/chi/v5"
 	"github.com/rs/cors"
 	"github.com/zitadel/logging"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )

--- a/pkg/op/server_http_routes_test.go
+++ b/pkg/op/server_http_routes_test.go
@ -14,9 +14,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/zitadel/oidc/v3/pkg/client"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"github.com/zitadel/oidc/v3/pkg/op"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/client"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/op"
 )

 func jwtProfile() (string, error) {
@ -130,7 +130,7 @@ func TestServerRoutes(t *testing.T) {
 				"client_id":     client.GetID(),
 				"client_secret": "secret",
 				"redirect_uri":  "https://example.com",
-				"code":          "abc",
+				"code":          "123",
 			},
 			wantCode: http.StatusBadRequest,
 			json:     `{"error":"invalid_grant", "error_description":"invalid code"}`,
--- a/pkg/op/server_http_test.go
+++ b/pkg/op/server_http_test.go
@ -14,11 +14,11 @@ import (
 	"testing"
 	"time"

+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/schema"
 )

--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@ -6,8 +6,8 @@ import (
 	"net/http"
 	"time"

+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 	"github.com/go-chi/chi/v5"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 // ExtendedLegacyServer allows embedding [LegacyServer] in a struct,
--- a/pkg/op/session.go
+++ b/pkg/op/session.go
@ -8,8 +8,8 @@ import (
 	"net/url"
 	"path"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type SessionEnder interface {
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -8,7 +8,7 @@ import (
 	jose "github.com/go-jose/go-jose/v4"
 	"golang.org/x/text/language"

-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type AuthStorage interface {
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@ -5,8 +5,8 @@ import (
 	"slices"
 	"time"

-	"github.com/zitadel/oidc/v3/pkg/crypto"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/crypto"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type TokenCreator interface {
--- a/pkg/op/token_client_credentials.go
+++ b/pkg/op/token_client_credentials.go
@ -5,8 +5,8 @@ import (
 	"net/http"
 	"net/url"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 // ClientCredentialsExchange handles the OAuth 2.0 client_credentials grant, including
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 // CodeExchange handles the OAuth 2.0 authorization_code grant, including
@ -74,17 +74,6 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 	ctx, span := tracer.Start(ctx, "AuthorizeCodeClient")
 	defer span.End()

-	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	codeChallenge := request.GetCodeChallenge()
-	err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
-	if err != nil {
-		return nil, nil, err
-	}
-
 	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
 		if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
@ -94,9 +83,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 		if err != nil {
 			return nil, nil, err
 		}
+		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 		return request, client, err
 	}
-
 	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
 	if err != nil {
 		return nil, nil, oidc.ErrInvalidClient().WithParent(err)
@ -105,10 +94,12 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 		return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
 	}
 	if client.AuthMethod() == oidc.AuthMethodNone {
-		if codeChallenge == nil {
-			return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
+		request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
+		if err != nil {
+			return nil, nil, err
 		}
-		return request, client, nil
+		err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
+		return request, client, err
 	}
 	if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
 		return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
@ -117,7 +108,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
 	if err != nil {
 		return nil, nil, err
 	}
-
+	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
 	return request, client, err
 }

--- a/pkg/op/token_exchange.go
+++ b/pkg/op/token_exchange.go
@ -7,8 +7,8 @@ import (
 	"strings"
 	"time"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type TokenExchangeRequest interface {
--- a/pkg/op/token_intospection.go
+++ b/pkg/op/token_intospection.go
@ -5,8 +5,8 @@ import (
 	"errors"
 	"net/http"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type Introspector interface {
--- a/pkg/op/token_jwt_profile.go
+++ b/pkg/op/token_jwt_profile.go
@ -5,8 +5,8 @@ import (
 	"net/http"
 	"time"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type JWTAuthorizationGrantExchanger interface {
--- a/pkg/op/token_refresh.go
+++ b/pkg/op/token_refresh.go
@ -7,8 +7,8 @@ import (
 	"slices"
 	"time"

-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	httphelper "git.christmann.info/LARA/zitadel-oidc/v3/pkg/http"
+	"git.christmann.info/LARA/zitadel-oidc/v3/pkg/oidc"
 )

 type RefreshTokenRequest interface {
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
ORZ (Paul Orzel)	653b807f5d	replace github url	2025-06-20 09:45:28 +02:00
ORZ (Paul Orzel)	29d69ca2e0	add function to marshal aud into a string if the array has a len of 1, to comply with rfc	2025-06-20 09:39:40 +02:00
ORZ (Paul Orzel)	53c4d07b45	remove actions	2025-06-20 08:56:29 +02:00
ORZ (Paul Orzel)	154fbe6420	Revert "feat(op): always verify code challenge when available (#721 )" Some checks failed Code scanning - action / CodeQL-Build (push) Failing after 2m48s Details Release / Go 1.23 test (push) Has been cancelled Details Release / Go 1.24 test (push) Has been cancelled Details Release / release (push) Has been cancelled Details Breaks OIDC for some not yet updated applications, that we use. This reverts commit `c51628ea27`.	2025-06-20 08:44:27 +02:00
Fabienne Bühler	d6e37fa741	Merge pull request #758 from zitadel/hifabienne-patch-1 chore: update issue templates	2025-06-17 14:32:55 +02:00
Fabienne Bühler	8e1e5174fd	Delete .github/ISSUE_TEMPLATE/proposal.yaml	2025-06-17 11:17:14 +02:00
Fabienne Bühler	5618487a88	Update and rename improvement.yaml to enhancement.yaml	2025-06-17 11:16:34 +02:00
Fabienne Bühler	187878de63	update docs issue template, add type	2025-06-17 11:15:26 +02:00
Fabienne Bühler	e127c66db2	chore: update issue templates	2025-06-17 11:14:09 +02:00
dependabot[bot]	e1415ef2f3	chore(deps): bump golang.org/x/text from 0.25.0 to 0.26.0 (#755 ) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.25.0 to 0.26.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.25.0...v0.26.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.26.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-10 09:50:55 +02:00