fix(refresh): coalesce refresh-token grants + bound goroutines + cache hot path (target v0.8.27) (#131)

* fix(refresh): wire RefreshCoordinator into the live refresh path

The RefreshCoordinator existed but was never instantiated. The actual
refresh path used only session.refreshMutex, which is per-SessionData
instance - and SessionData is pulled from a sync.Pool per request -
so concurrent requests sharing a refresh token had ZERO coordination.

Symptom: when access_token expired (e.g. 5min Zitadel default), every
in-flight request from a polling client (Grafana panels) entered the
refresh path simultaneously and POSTed the same refresh_token to the
IdP. With refresh-token rotation enabled (Zitadel/Authentik default),
only one grant succeeded; the rest got invalid_grant and each cleared
the entire session. Subsequent requests then thrashed in re-auth loops.

This commit:
- adds refreshCoordinator field on TraefikOidc
- instantiates it in NewWithContext with DefaultRefreshCoordinatorConfig
- shuts it down in Close() under shutdownOnce
- routes refreshToken() through the coordinator via coordinatedTokenRefresh,
  which collapses concurrent grants to a single upstream call per
  refresh_token hash
- exports refreshCoordinatorSessionID for both internal hashing and the
  middleware-level wireup so dedup keys stay aligned

Behavioural notes:
- nil-coordinator fallback preserves existing tests that build TraefikOidc
  literals without going through the constructor
- followers receive the same TokenResponse/error as the leader, so no
  per-instance code paths change
- existing TestGetNewTokenWithRefreshToken_Concurrency still passes
  because it hits GetNewTokenWithRefreshToken directly, below the
  coordinator boundary

Tests:
- refresh_coordinator_wireup_test.go: 50 concurrent refreshes coalesce
  to <=2 upstream calls; distinct tokens still run in parallel; nil
  coordinator falls back cleanly

* perf(cache): bound L1 backfill goroutines in HybridBackend

Get() and GetMany() previously spawned a goroutine per L2 hit to write
the value through to L1. Under sustained polling traffic (e.g. a Grafana
dashboard refreshing every 30s with N panels) this minted thousands of
goroutines, each running in Yaegi - directly contributing to the
~1000% CPU spike that pairs with the refresh-token herd.

Replace the per-hit goroutines with a single l1BackfillWorker fed by
l1BackfillBuffer, mirroring the existing asyncWriteBuffer/asyncWriteWorker
pattern for L2 writes. Buffer overflow drops the backfill (counted via
l1BackfillDrops) - a dropped backfill just means the next L2 hit for
that key re-queues it, which is safe.

Tests:
- TestHybridBackend_L1BackfillBounded: 1000 distinct L2 hits keep
  goroutine count within +20 of baseline (pre-fix it grew by ~1000)
- TestHybridBackend_L1BackfillFullDrops: drops are accounted for when
  the buffer is saturated and the worker is stopped

* feat(refresh): implement isRefreshTokenExpired heuristic

Replace the placeholder `return false` with a real check based on the
issued_at timestamp that SetRefreshToken already stamps into the session.
Gated by a new MaxRefreshTokenAgeSeconds config field (default 21600 =
6h, matching the existing comment). 0 disables the check.

This wires the previously-dead refreshTokenExpired branch in middleware.go,
which short-circuits AJAX requests with a 401 instead of letting them
hammer the IdP for a refresh token that's almost certainly stale - the
classic Grafana-after-long-pause failure mode.

Behaviour:
- maxRefreshTokenAge=0 disables the check (preserves prior behaviour)
- legacy sessions without issued_at still attempt one refresh; the IdP
  remains the source of truth on first try
- nil-receiver and nil-session guards keep test code that builds
  TraefikOidc literals safe

Tests:
- TestIsRefreshTokenExpired_DisabledWhenAgeZero
- TestIsRefreshTokenExpired_LegacySessionWithoutTimestamp
- TestIsRefreshTokenExpired_WithinWindow
- TestIsRefreshTokenExpired_BeyondWindow
- TestIsRefreshTokenExpired_NilGuards

* perf(token): skip parseJWT on cache hit in VerifyToken

The token cache fast-return existed but ran AFTER parseJWT, so every
validation paid for base64 + JSON unmarshal even on a hit. Under bursty
traffic (e.g. 10+ concurrent panel requests on every Grafana dashboard
refresh, each calling validateStandardTokens which verifies BOTH the
access token and the ID token), this is two redundant parses per
request multiplied by the panel count.

Move the cache lookup ahead of parseJWT. On a hit the function returns
nil immediately. On a miss the original flow runs unchanged.

Also nil-guard t.tokenCache to keep partial-literal test instances safe
(matches the same pattern we already use for tokenBlacklist).

Tests:
- TestVerifyToken_CacheHitSkipsParse: cache pre-populated with claims
  for a token whose body would fail parseJWT - returns nil iff the
  fast-path bypasses the parse
- TestVerifyToken_CacheMissStillParses: a syntactically valid but
  unsigned token still errors past parseJWT on cache miss

* feat(refresh): cross-replica refresh-grant dedup via shared cache

The in-process RefreshCoordinator added in 9f96d8c already collapses
concurrent refresh-token grants on a single Traefik replica. With the
plugin's existing Redis (Dragonfly) cache infrastructure available, we
can extend that dedup across replicas: if pod A refreshes a token at
T+0 and pod B receives a request for the same session at T+1, pod B
should reuse pod A's result rather than POSTing the now-rotated refresh
token to the IdP.

Implementation:
- Add a refreshResultCache to UniversalCacheManager (memory-only when
  Redis is disabled, Redis-backed in production via the existing
  hybrid/Redis-only mode selection)
- Expose it through CacheManager.GetSharedRefreshResultCache and on the
  TraefikOidc struct as refreshResultCache (CacheInterface)
- Inside the closure passed to RefreshCoordinator.CoordinateRefresh,
  consult the cache first; on hit return immediately, on miss exchange
  with the IdP and populate the cache for peers
- 5s TTL: long enough for siblings to observe, short enough that a
  rotated refresh token cannot be re-supplied after the IdP has moved on
- Errors are intentionally NOT cached - peers must always be able to
  retry on their own

Pragmatic choice: optimistic cache rather than a hard distributed lock.
- A hard lock (SET NX + poll) doubles Redis RTT and risks dead-locks
  if a Traefik pod dies mid-grant.
- The user's BGP+Local externalTrafficPolicy already pins ingress for
  a session to one node in steady state, so cross-pod racing is rare.
- This optimistic path catches the rare failover case without adding
  failure modes.

Tests:
- TestCoordinatedTokenRefresh_CrossReplicaCacheHit: pre-populated cache
  short-circuits the upstream call entirely (0 IdP calls)
- TestCoordinatedTokenRefresh_PopulatesCrossReplicaCache: leader stores
  a successful result for peers to find
- TestCoordinatedTokenRefresh_ErrorIsNotCached: invalid_grant must not
  poison the dedup cache - peers must retry independently

.gitignore

@@ -1,3 +1,4 @@
 docker/
 .claude/*.out
 *.test
+.leann/

.golangci.yml

@@ -14,21 +14,22 @@ linters:
     - gosec
     - misspell
     - noctx
-    - nolintlint
     - prealloc
     - revive
     - rowserrcheck
     - sqlclosecheck
     - unconvert
     - unparam
-    - whitespace
   disable:
     - exhaustive
     - funlen
     - gocognit
+    - gocyclo           # Disabled: OAuth/OIDC flows are inherently complex
+    - goprintffuncname  # Disabled: naming convention is project-specific
     - lll
     - mnd
     - testpackage
+    - whitespace        # Disabled: style preference about newlines
     - wsl
   settings:
     dupl:
@@ -47,29 +48,13 @@ linters:
         - fmt.Fprintln
     goconst:
       min-len: 3
-      min-occurrences: 10  # Increased to reduce noise for standard OAuth2/OIDC strings
+      min-occurrences: 15  # Increased to reduce noise for standard OAuth2/OIDC strings and common patterns like "true"
       ignore-tests: true
     gocritic:
-      # Using default enabled checks in v2
-      enabled-checks:
-        - appendCombine
-        - boolExprSimplify
-        - builtinShadow
-        - commentedOutCode
-        - emptyFallthrough
-        - equalFold
-        - hexLiteral
-        - indexAlloc
-        - initClause
-        - methodExprCall
-        - nestingReduce
-        - rangeExprCopy
-        - rangeValCopy
-        - stringXbytes
-        - typeAssertChain
-        - typeUnparen
-        - unlabelStmt
-        - yodaStyleExpr
+      # Disable style-only checks that add noise
+      disabled-checks:
+        - ifElseChain      # Style preference, switch not always clearer
+        - elseif           # Style preference
     gocyclo:
       min-complexity: 30  # OAuth/OIDC flows are inherently complex; set higher for Yaegi compatibility
     gosec:
@@ -106,23 +91,23 @@ linters:
         - name: error-return
         - name: error-strings
         - name: error-naming
-        - name: exported
-        - name: if-return
+        # - name: exported  # Disabled: too noisy, not all exported functions need comments
+        # - name: if-return  # Disabled: style preference
         - name: increment-decrement
-        - name: var-naming
-        - name: var-declaration
-        - name: package-comments
+        # - name: var-naming  # Disabled: too strict for legacy code (IP vs Ip)
+        # - name: var-declaration  # Disabled: explicit zero values can be clearer
+        # - name: package-comments  # Disabled: handled by other tools
         - name: range
         - name: receiver-naming
         - name: time-naming
         - name: unexported-return
-        - name: indent-error-flow
+        # - name: indent-error-flow  # Disabled: style preference
         - name: errorf
-        - name: empty-block
+        # - name: empty-block  # Disabled: sometimes empty blocks are intentional
         - name: superfluous-else
-        - name: unused-parameter
+        # - name: unused-parameter  # Disabled: test callbacks and interface implementations often have required unused params
         - name: unreachable-code
-        - name: redefines-builtin-id
+        # - name: redefines-builtin-id  # Disabled: min/max helpers are common before Go 1.21
     unparam:
       check-exported: false
     staticcheck:
@@ -132,8 +117,15 @@ linters:
         - -QF1003  # Tagged switch - style preference, may affect Yaegi
         - -QF1007  # Merge conditional assignment - style preference
         - -QF1008  # Remove embedded field - may break Yaegi compatibility
+        - -QF1011  # Omit type from declaration - style preference
         - -QF1012  # Use fmt.Fprintf - style preference
+        - -SA9003  # Empty branch - sometimes intentional for future work
+        - -ST1000  # Package comment format - not required for all packages
         - -ST1003  # Package name format - allowed for test packages
+        - -ST1016  # Receiver name consistency - legacy code
+        - -ST1020  # Comment format for methods - style preference
+        - -ST1021  # Comment format for types - style preference
+        - -ST1023  # Omit type from declaration - style preference
   exclusions:
     generated: lax
     rules:
@@ -144,18 +136,43 @@ linters:
           - goconst
           - gocyclo
           - gosec
+          - govet
+          - ineffassign
           - noctx
           - prealloc
           - unparam
+          - revive
+          - gocritic
         path: _test\.go
       - linters:
           - dupl
           - gocyclo
+          - govet
+          - noctx
+          - prealloc
+          - unparam
+          - revive
+          - gocritic
         path: test.*\.go
       - linters:
           - gocritic
           - unused
+          - errcheck
+          - revive
         path: mocks.*\.go
+      - linters:
+          - errcheck
+          - revive
+          - gocritic
+          - govet
+          - unparam
+        path: internal/testutil/
+      - linters:
+          - govet
+          - unparam
+          - noctx
+          - prealloc
+        path: integration/
       - linters:
           - gosec
         text: 'G404:'

SECURITY_FIX.md

@@ -0,0 +1,49 @@
+# Security Fix: Integer Overflow Protection in Cache Serialization
+
+## Summary
+
+Fixed **High severity** integer overflow vulnerability identified by GitHub Advanced Security in PR #117.
+
+## Vulnerability
+
+**Locations**: `universal_cache.go` lines 789 and 811
+- `result := make([]byte, len(bytes)+1)` - Raw bytes path
+- `result := make([]byte, len(jsonData)+1)` - JSON encoding path
+
+**Risk**: Potential integer overflow when allocating memory for very large cache entries.
+
+## Fix Applied
+
+1. **Added size limit constant**:
+   ```go
+   maxCacheEntrySize = 64 * 1024 * 1024 // 64 MiB
+   ```
+
+2. **Size validation before allocation**:
+   - Validates entry size doesn't exceed limit
+   - Validates adding marker byte won't overflow
+   - Returns descriptive error messages
+
+3. **Comprehensive test coverage**:
+   - Oversized byte slices (>64 MiB)
+   - Exact max size edge case
+   - Safe sizes (normal operation)
+   - Large JSON data structures
+
+## Verification
+
+✅ All tests pass with race detection
+✅ No security issues (golangci-lint, gosec)
+✅ 76.3% test coverage maintained
+
+## Impact
+
+- No breaking changes
+- Negligible performance overhead
+- Prevents potential buffer overflows
+- Predictable memory usage
+
+---
+
+**Date**: January 8, 2026
+**Severity**: High → Resolved

auth_flow.go

@@ -4,8 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-
-	"github.com/google/uuid"
+	"time"
 )
 
 // validateRedirectCount checks if redirect limit is exceeded and handles the error
@@ -77,7 +76,12 @@ func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req
 		return
 	}
 
-	csrfToken := uuid.NewString()
+	csrfToken, err := newUUIDv4()
+	if err != nil {
+		t.logger.Errorf("Failed to generate CSRF token: %v", err)
+		http.Error(rw, "Failed to generate CSRF token", http.StatusInternalServerError)
+		return
+	}
 	nonce, err := generateNonce()
 	if err != nil {
 		t.logger.Errorf("Failed to generate nonce: %v", err)
@@ -334,9 +338,54 @@ func (t *TraefikOidc) isAjaxRequest(req *http.Request) bool {
 		strings.Contains(accept, "application/json")
 }
 
-// isRefreshTokenExpired checks if refresh token is likely expired (older than 6 hours)
-func (t *TraefikOidc) isRefreshTokenExpired(session *SessionData) bool {
-	// This is a heuristic check - actual implementation would depend on
-	// the specific provider and token metadata
-	return false // Placeholder implementation
+// isNonNavigationRequest reports whether the request is a browser
+// sub-resource (script, image, stylesheet, fetch, serviceWorker) rather than
+// a top-level HTML navigation. Non-navigation requests MUST NOT trigger an
+// OIDC redirect flow: several sub-resource loads happening in parallel would
+// each call defaultInitiateAuthentication, each overwriting the session's
+// CSRF/nonce, breaking the eventual callback (issue #129).
+//
+// Detection prefers Sec-Fetch-Mode, which all modern browsers send
+// (Chrome/Edge/Firefox/Safari). For older or non-browser clients we fall
+// back to Accept: if Accept is present and does not list text/html, treat
+// it as a sub-resource. An empty/missing Accept is assumed to be navigation
+// (safer to redirect than 401 on an ambiguous request).
+func (t *TraefikOidc) isNonNavigationRequest(req *http.Request) bool {
+	if mode := req.Header.Get("Sec-Fetch-Mode"); mode != "" {
+		return mode != "navigate"
+	}
+	accept := req.Header.Get("Accept")
+	if accept == "" || accept == "*/*" {
+		return false
+	}
+	return !strings.Contains(accept, "text/html")
+}
+
+// isRefreshTokenExpired checks whether the stored refresh token is likely
+// past its useful lifetime, using the cookie-side issued_at timestamp set by
+// SetRefreshToken. IdPs do not expose RT TTL on the wire, so this is a
+// conservative heuristic gated by t.maxRefreshTokenAge (default 6h, set via
+// MaxRefreshTokenAgeSeconds; 0 disables the check).
+//
+// The point of this check is to short-circuit the refresh path BEFORE the
+// thundering herd hits the IdP for a token the provider has almost certainly
+// revoked. Together with the RefreshCoordinator wireup, it keeps Grafana-
+// style polling clients from looping on invalid_grant after a long pause.
+func (t *TraefikOidc) isRefreshTokenExpired(session *SessionData) bool {
+	if t == nil || session == nil {
+		return false
+	}
+	if t.maxRefreshTokenAge <= 0 {
+		return false
+	}
+
+	issuedAt := session.GetRefreshTokenIssuedAt()
+	if issuedAt.IsZero() {
+		// No timestamp recorded (legacy session pre-dating the issued_at
+		// field). Don't force a re-auth - attempt refresh once and let the
+		// IdP be the source of truth.
+		return false
+	}
+
+	return time.Since(issuedAt) > t.maxRefreshTokenAge
 }

auth_flow_behaviour_test.go

@@ -305,6 +305,90 @@ func (s *AuthFlowBehaviourSuite) TestIsAjaxRequest() {
 	}
 }
 
+// TestIsNonNavigationRequest verifies browser sub-resource detection used to
+// suppress OIDC redirects on parallel static-asset loads (issue #129).
+func (s *AuthFlowBehaviourSuite) TestIsNonNavigationRequest() {
+	testCases := []struct {
+		headers             map[string]string
+		name                string
+		expectNonNavigation bool
+	}{
+		{
+			name:                "Sec-Fetch-Mode navigate",
+			headers:             map[string]string{"Sec-Fetch-Mode": "navigate"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "Sec-Fetch-Mode no-cors",
+			headers:             map[string]string{"Sec-Fetch-Mode": "no-cors"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Sec-Fetch-Mode cors",
+			headers:             map[string]string{"Sec-Fetch-Mode": "cors"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Sec-Fetch-Mode same-origin (fetch in page)",
+			headers:             map[string]string{"Sec-Fetch-Mode": "same-origin"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept text/html (fallback)",
+			headers:             map[string]string{"Accept": "text/html,application/xhtml+xml"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "Accept image/png (fallback)",
+			headers:             map[string]string{"Accept": "image/png,image/*;q=0.8"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept application/javascript (fallback)",
+			headers:             map[string]string{"Accept": "application/javascript"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept */* treated as navigation",
+			headers:             map[string]string{"Accept": "*/*"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "No Accept header assumed navigation",
+			headers:             map[string]string{},
+			expectNonNavigation: false,
+		},
+		{
+			name: "Sec-Fetch-Mode beats Accept (navigate wins)",
+			headers: map[string]string{
+				"Sec-Fetch-Mode": "navigate",
+				"Accept":         "application/javascript",
+			},
+			expectNonNavigation: false,
+		},
+		{
+			name: "Sec-Fetch-Mode beats Accept (no-cors wins)",
+			headers: map[string]string{
+				"Sec-Fetch-Mode": "no-cors",
+				"Accept":         "text/html",
+			},
+			expectNonNavigation: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		s.Run(tc.name, func() {
+			req := httptest.NewRequest(http.MethodGet, "/_static/asset.js", nil)
+			for key, value := range tc.headers {
+				req.Header.Set(key, value)
+			}
+
+			result := s.tOidc.isNonNavigationRequest(req)
+			s.Equal(tc.expectNonNavigation, result)
+		})
+	}
+}
+
 // TestHandleCallback_MissingState tests callback with missing state parameter
 func (s *AuthFlowBehaviourSuite) TestHandleCallback_MissingState() {
 	sessionManager, err := NewSessionManager(

autocleanup.go

@@ -599,8 +599,9 @@ func GetGlobalTaskMemoryMonitor(logger *Logger) *TaskMemoryMonitor {
 	return globalTaskMemoryMonitor
 }
 
-// NewTaskMemoryMonitor creates a new memory monitor for task registry
-// Deprecated: Use GetGlobalTaskMemoryMonitor instead for singleton behavior
+// NewTaskMemoryMonitor creates a new memory monitor for task registry.
+//
+// Deprecated: Use GetGlobalTaskMemoryMonitor instead for singleton behavior.
 func NewTaskMemoryMonitor(logger *Logger, registry *TaskRegistry) *TaskMemoryMonitor {
 	return GetGlobalTaskMemoryMonitor(logger)
 }
@@ -712,7 +713,7 @@ func (mm *TaskMemoryMonitor) checkForMemoryIssues(stats TaskMemoryStats) {
 
 	// Check for goroutine leaks (arbitrary threshold)
 	if stats.Goroutines > 100 {
-		mm.logger.Infof("High goroutine count detected: %d", stats.Goroutines)
+		mm.logger.Debugf("High goroutine count detected: %d", stats.Goroutines)
 	}
 
 	// Check for heap growth without corresponding GC activity

background_tasks_ultra_test.go

@@ -29,8 +29,9 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		pressure := monitor.GetMemoryPressure()
 		assert.Equal(t, MemoryPressureNone, pressure)
 
-		// Collect stats to populate lastStats
-		monitor.GetCurrentStats()
+		// Explicitly sample to populate lastStats; GetCurrentStats is now a
+		// cached read and no longer forces a runtime.ReadMemStats.
+		monitor.Refresh()
 
 		// Now should return a valid pressure level
 		pressure = monitor.GetMemoryPressure()
@@ -46,11 +47,13 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
-		// Start monitoring should not panic
+		// Start monitoring should not panic. Interval is clamped to the
+		// minimum (30s); we rely on Refresh() when we need a synchronous
+		// sample instead of waiting for a tick.
 		assert.NotPanics(t, func() {
 			ctx := context.Background()
-			monitor.StartMonitoring(ctx, 100*time.Millisecond)
-			time.Sleep(GetTestDuration(50 * time.Millisecond))
+			monitor.StartMonitoring(ctx, 0)
+			monitor.Refresh()
 		})
 
 		// Clean up
@@ -117,6 +120,9 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		// Refresh forces a synchronous sample; GetCurrentStats is a cached
+		// read, so we sample first to guarantee fresh data.
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 		assert.NotNil(t, stats)
 		assert.Greater(t, stats.HeapAllocBytes, uint64(0))
@@ -450,12 +456,12 @@ func TestMemoryMonitorIntegration(t *testing.T) {
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 		defer monitor.StopMonitoring()
 
-		// Start monitoring
+		// Start monitoring. The interval is clamped to the minimum (30s) so
+		// the ticker won't fire during the test; drive the sample manually via
+		// Refresh() instead.
 		ctx := context.Background()
-		monitor.StartMonitoring(ctx, 50*time.Millisecond)
-
-		// Wait for at least one check
-		time.Sleep(GetTestDuration(150 * time.Millisecond))
+		monitor.StartMonitoring(ctx, 0)
+		monitor.Refresh()
 
 		// Get pressure (should be a valid pressure level)
 		pressure := monitor.GetMemoryPressure()
@@ -488,6 +494,7 @@ func TestMemoryStatsCollection(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 
 		assert.NotNil(t, stats)
@@ -501,6 +508,7 @@ func TestMemoryStatsCollection(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 
 		// Should calculate and include pressure level
@@ -521,13 +529,14 @@ func TestMemoryStatsCollection(t *testing.T) {
 		// Allocate some memory
 		_ = make([]byte, 1024*1024) // 1MB
 
-		// Get stats before GC
-		beforeStats := monitor.GetCurrentStats()
+		// Get stats before GC (explicit Refresh so we have a fresh pre-GC
+		// snapshot to compare against, not the constructor baseline).
+		beforeStats := monitor.Refresh()
 
-		// Trigger GC
+		// Trigger GC (internally Refresh()es before and after)
 		monitor.TriggerGC()
 
-		// Get stats after GC
+		// Get stats after GC from cache (TriggerGC already refreshed it)
 		afterStats := monitor.GetCurrentStats()
 
 		// After GC should have different stats

ca_cert_test.go

@@ -0,0 +1,137 @@
+package traefikoidc
+
+import (
+	"encoding/pem"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// testCertPEM returns a valid PEM-encoded certificate harvested from an
+// httptest.NewTLSServer. Using httptest keeps the test free of any
+// handwritten static cert that could expire.
+func testCertPEM(t *testing.T) string {
+	t.Helper()
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
+	t.Cleanup(srv.Close)
+
+	cert := srv.Certificate()
+	if cert == nil {
+		t.Fatal("httptest.NewTLSServer did not expose a certificate")
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
+}
+
+func TestLoadCACertPool_Empty(t *testing.T) {
+	cfg := &Config{}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool when no CA source configured, got %v", pool)
+	}
+}
+
+func TestLoadCACertPool_InlinePEM(t *testing.T) {
+	cfg := &Config{CACertPEM: testCertPEM(t)}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool for valid CACertPEM")
+	}
+}
+
+func TestLoadCACertPool_InlinePEM_Garbage(t *testing.T) {
+	cfg := &Config{CACertPEM: "not a pem"}
+	pool, err := cfg.loadCACertPool()
+	if err == nil {
+		t.Fatal("expected error for garbage CACertPEM, got nil")
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool on error, got %v", pool)
+	}
+	if !strings.Contains(err.Error(), "caCertPEM") {
+		t.Errorf("error should name the failing field, got: %v", err)
+	}
+}
+
+func TestLoadCACertPool_FilePath(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "ca.pem")
+	if err := os.WriteFile(path, []byte(testCertPEM(t)), 0o600); err != nil {
+		t.Fatalf("writing temp PEM: %v", err)
+	}
+
+	cfg := &Config{CACertPath: path}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool for valid CACertPath")
+	}
+}
+
+func TestLoadCACertPool_FilePath_Missing(t *testing.T) {
+	cfg := &Config{CACertPath: "/does/not/exist/ca.pem"}
+	pool, err := cfg.loadCACertPool()
+	if err == nil {
+		t.Fatal("expected error for missing CACertPath, got nil")
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool on error, got %v", pool)
+	}
+}
+
+func TestLoadCACertPool_Combined(t *testing.T) {
+	// Both inline and file sources populated — certificates from both should
+	// be accepted into the same pool.
+	dir := t.TempDir()
+	path := filepath.Join(dir, "ca.pem")
+	if err := os.WriteFile(path, []byte(testCertPEM(t)), 0o600); err != nil {
+		t.Fatalf("writing temp PEM: %v", err)
+	}
+
+	cfg := &Config{CACertPath: path, CACertPEM: testCertPEM(t)}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool when both sources set")
+	}
+}
+
+func TestSharedTransportPool_ConfigKeyDistinguishesCAAndSkipVerify(t *testing.T) {
+	p := GetGlobalTransportPool()
+	cfgSystem := DefaultHTTPClientConfig()
+
+	cfgSkip := DefaultHTTPClientConfig()
+	cfgSkip.InsecureSkipVerify = true
+
+	cfgCustomCA := DefaultHTTPClientConfig()
+	pool, err := (&Config{CACertPEM: testCertPEM(t)}).loadCACertPool()
+	if err != nil {
+		t.Fatalf("loadCACertPool: %v", err)
+	}
+	cfgCustomCA.RootCAs = pool
+
+	keys := map[string]string{
+		"system":   p.configKey(cfgSystem),
+		"skip":     p.configKey(cfgSkip),
+		"customCA": p.configKey(cfgCustomCA),
+	}
+	seen := make(map[string]string, len(keys))
+	for name, key := range keys {
+		if dup, ok := seen[key]; ok {
+			t.Errorf("configKey collision: %s and %s share key %q", name, dup, key)
+		}
+		seen[key] = name
+	}
+}

cache_manager.go

@@ -20,8 +20,9 @@ var (
 	cacheManagerInitOnce       sync.Once
 )
 
-// GetGlobalCacheManager returns a singleton CacheManager instance
-// Deprecated: Use GetGlobalCacheManagerWithConfig instead
+// GetGlobalCacheManager returns a singleton CacheManager instance.
+//
+// Deprecated: Use GetGlobalCacheManagerWithConfig instead.
 func GetGlobalCacheManager(wg *sync.WaitGroup) *CacheManager {
 	return GetGlobalCacheManagerWithConfig(wg, nil)
 }
@@ -104,6 +105,22 @@ func (cm *CacheManager) GetSharedTokenTypeCache() CacheInterface {
 	return &CacheInterfaceWrapper{cache: cm.manager.GetTokenTypeCache(), managed: true}
 }
 
+// GetSharedSessionInvalidationCache returns the shared session invalidation cache
+// for backchannel and front-channel logout (IdP-initiated logout)
+func (cm *CacheManager) GetSharedSessionInvalidationCache() CacheInterface {
+	cm.mu.RLock()
+	defer cm.mu.RUnlock()
+	return &CacheInterfaceWrapper{cache: cm.manager.GetSessionInvalidationCache(), managed: true}
+}
+
+// GetSharedRefreshResultCache returns the short-lived refresh-result cache used
+// by the refresh path to coalesce grants across Traefik replicas via Redis.
+func (cm *CacheManager) GetSharedRefreshResultCache() CacheInterface {
+	cm.mu.RLock()
+	defer cm.mu.RUnlock()
+	return &CacheInterfaceWrapper{cache: cm.manager.GetRefreshResultCache(), managed: true}
+}
+
 // Close gracefully shuts down all cache components
 func (cm *CacheManager) Close() error {
 	cm.mu.Lock()

config_marshalling.go

@@ -7,7 +7,7 @@ import (
 // REDACTED is the placeholder value for sensitive information
 const REDACTED = "[REDACTED]"
 
-// MarshalJSON implements custom JSON marshalling to redact sensitive fields
+// MarshalJSON implements custom JSON marshaling to redact sensitive fields
 // Rewritten without type aliases for yaegi compatibility
 func (c Config) MarshalJSON() ([]byte, error) {
 	// Build a map manually to avoid type alias issues with yaegi
@@ -47,7 +47,7 @@ func (c Config) MarshalJSON() ([]byte, error) {
 	return json.Marshal(result)
 }
 
-// MarshalYAML implements custom YAML marshalling to redact sensitive fields
+// MarshalYAML implements custom YAML marshaling to redact sensitive fields
 // Rewritten without type aliases for yaegi compatibility
 func (c Config) MarshalYAML() (interface{}, error) {
 	// Build a map manually to avoid type alias issues with yaegi

docs/AUTH0_AUDIENCE_GUIDE.md

@@ -25,7 +25,10 @@ The **audience** (`aud`) claim in a JWT identifies the intended recipient of the
 
 ### Why Does This Matter?
 
-Proper audience validation prevents **token confusion attacks** where a token intended for one API is used to access another API.
+Audience validation rejects access tokens whose `aud` claim does not match the
+expected audience, blocking the trivial form of token confusion where a token
+issued for API A is presented to API B. (Defence in depth — pair with
+short-lived tokens, rotation, and per-API client credentials.)
 
 ---
 
@@ -137,8 +140,8 @@ http:
 **Recommended:** `true` for production
 
 **What it does:**
-- When `true`: Rejects sessions if access token audience doesn't match (prevents Scenario 2)
-- When `false`: Logs warnings but allows fallback to ID token (backward compatible)
+- When `true`: On audience mismatch, the middleware does **not** silently fall back to ID-token validation. It tries to refresh the access token first; if no refresh token is present (or refresh fails), the user is re-authenticated.
+- When `false`: Logs warnings and falls back to ID-token validation (backward compatible).
 
 **Example:**
 ```yaml
@@ -349,7 +352,7 @@ When opaque tokens are detected:
 
 **Cache behavior:**
 - Cache key: Token hash
-- TTL: 5 minutes or token expiry (whichever is shorter)
+- TTL: 5 minutes; if the token's `exp` is sooner, the cache entry expires at `exp` instead. Tokens without `exp` use the flat 5-minute TTL.
 - Reduces introspection requests for frequently used tokens
 
 ---

docs/CONFIGURATION.md

@@ -52,7 +52,7 @@ spec:
 | `logoutURL` | string | `callbackURL + "/logout"` | Path for logout requests |
 | `postLogoutRedirectURI` | string | `/` | Redirect URL after logout |
 | `logLevel` | string | `info` | Logging verbosity (`debug`, `info`, `error`) |
-| `forceHTTPS` | bool | `false` | Force HTTPS for redirect URIs |
+| `forceHTTPS` | bool | `true` | Force HTTPS for redirect URIs (set `false` only for plaintext HTTP local dev) |
 | `rateLimit` | int | `100` | Maximum requests per second |
 | `excludedURLs` | []string | none | Paths that bypass authentication |
 | `revocationURL` | string | auto-discovered | Token revocation endpoint |
@@ -62,13 +62,13 @@ spec:
 
 ### TLS Termination at Load Balancer
 
-If running Traefik behind a load balancer (AWS ALB, Google Cloud LB, Azure App Gateway) that terminates TLS:
+`forceHTTPS` defaults to `true`, so redirect URIs always use `https://`. This is
+the correct default behind any TLS-terminating load balancer (AWS ALB, Google
+Cloud LB, Azure App Gateway) — `X-Forwarded-Proto` cannot be trusted (ALB may
+overwrite it).
 
-```yaml
-forceHTTPS: true  # Required for correct redirect URIs
-```
-
-Without this setting, redirect URIs will use `http://` instead of `https://`, causing OAuth callback failures.
+Set `forceHTTPS: false` only when you serve OIDC over plaintext HTTP (local
+dev). Otherwise leave it at default.
 
 ---
 

docs/DCR.md

@@ -0,0 +1,95 @@
+# Dynamic Client Registration (RFC 7591)
+
+The middleware can register itself with an OIDC provider at startup instead of
+using a pre-provisioned `clientID` / `clientSecret`. Useful for multi-tenant
+deployments, self-service integrations, and ephemeral environments.
+
+## How it works
+
+1. Middleware reads `registration_endpoint` from `.well-known/openid-configuration`.
+2. If `clientID` is empty, it `POST`s `clientMetadata` to the registration endpoint.
+3. Returned `client_id` / `client_secret` are cached, optionally persisted.
+4. Subsequent requests use the registered credentials.
+
+For multi-replica deployments, set `storageBackend: redis` so all replicas
+share one client and avoid registration races.
+
+## Configuration
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-dcr
+  namespace: traefik
+spec:
+  plugin:
+    traefikoidc:
+      providerURL: https://your-oidc-provider.com
+      sessionEncryptionKey: your-secure-encryption-key-min-32-chars
+      callbackURL: /oauth2/callback
+      dynamicClientRegistration:
+        enabled: true
+        persistCredentials: true
+        storageBackend: redis        # file | redis | auto
+        initialAccessToken: ""        # optional, for protected endpoints
+        registrationEndpoint: ""      # optional, override discovery
+        credentialsFile: /tmp/oidc-client-credentials.json
+        redisKeyPrefix: "dcr:creds:"
+        clientMetadata:
+          redirect_uris:
+            - https://app.example.com/oauth2/callback
+          client_name: My Application
+          application_type: web
+          grant_types: [authorization_code, refresh_token]
+          response_types: [code]
+          token_endpoint_auth_method: client_secret_basic
+          contacts: [admin@example.com]
+```
+
+## Parameters
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `enabled` | `false` | Enable DCR. |
+| `persistCredentials` | `false` | Save returned credentials for reuse across restarts. |
+| `storageBackend` | `auto` | `file`, `redis`, or `auto` (Redis if available, else file). |
+| `credentialsFile` | `/tmp/oidc-client-credentials.json` | Path for file-backed storage. Mode `0600`. |
+| `redisKeyPrefix` | (none — set explicitly) | Key prefix for Redis-backed storage. The code does not inject a default; if unset, keys have no prefix. `dcr:creds:` is a sensible convention. |
+| `registrationEndpoint` | discovered | Override the discovered endpoint. |
+| `initialAccessToken` | none | Bearer token for protected registration endpoints. |
+| `clientMetadata.redirect_uris` | required | Callback URIs for the OAuth flow. |
+| `clientMetadata.client_name` | none | Human-readable client name. |
+| `clientMetadata.application_type` | `web` | `web` or `native`. |
+| `clientMetadata.grant_types` | `[authorization_code, refresh_token]` | OAuth grant types. |
+| `clientMetadata.response_types` | `[code]` | OAuth response types. |
+| `clientMetadata.token_endpoint_auth_method` | `client_secret_basic` | `client_secret_basic`, `client_secret_post`, or `none`. |
+| `clientMetadata.scope` | none | Space-separated scopes. |
+| `clientMetadata.contacts` | none | Admin email addresses. |
+| `clientMetadata.logo_uri` | none | Logo URL for consent screens. |
+| `clientMetadata.client_uri` | none | Client homepage URL. |
+| `clientMetadata.policy_uri` | none | Privacy policy URL. |
+| `clientMetadata.tos_uri` | none | Terms of service URL. |
+
+## Provider support
+
+The middleware does not gate DCR by provider — if the provider exposes a
+`registration_endpoint` in its discovery document (or you set
+`registrationEndpoint` explicitly), DCR will attempt registration. The table
+below is informational guidance based on each provider's published support.
+
+| Provider | DCR | Notes |
+|----------|-----|-------|
+| Keycloak | Yes | Enable in realm settings. |
+| Auth0 | Yes | Requires Management API token. |
+| Okta | Yes | Enable Dynamic Client Registration in admin console. |
+| Azure AD | Limited | Use App Registration API instead. |
+| Google | No | Manual registration required. |
+| AWS Cognito | No | Manual registration required. |
+
+## Security notes
+
+- Registration endpoints must be HTTPS (loopback excepted for local dev).
+- Use `initialAccessToken` in production to gate registration.
+- File-backed credentials use `0600`; protect the mount path.
+- The plugin marks credentials invalid when within ~5 min of `client_secret_expires_at` but does **not** automatically re-register. If your provider sets a non-zero expiry, schedule manual rotation (delete the credentials file or Redis entry, restart) before that time.

docs/DEVELOPMENT.md

@@ -16,9 +16,8 @@ Guide for local development, testing, and contributing to the Traefik OIDC middl
 
 ## Prerequisites
 
-- **Go 1.23+** for plugin compilation
-- **Docker & Docker Compose** for local testing
-- **OIDC Provider** credentials (Google, Azure, etc.)
+- **Go 1.24+** (matches `go.mod`; CI runs Go 1.24.11)
+- **OIDC Provider** credentials (Google, Azure, etc.) for any end-to-end test against a real provider
 
 ### Required Development Tools
 
@@ -40,110 +39,32 @@ go install golang.org/x/vuln/cmd/govulncheck@latest
 
 ## Local Development Setup
 
-### Docker Compose Environment
-
-The repository includes a Docker Compose setup for testing the plugin locally.
-
-#### 1. Host Configuration
-
-Add to `/etc/hosts`:
+### Build and unit tests
 
 ```bash
-127.0.0.1 hello.localhost
-127.0.0.1 traefik.localhost
+go mod tidy
+go build ./...
+go test ./... -short          # fast loop, < 30 s
+go test -race -timeout=15m ./...
 ```
 
-#### 2. Plugin Configuration
+### Sample plugin configurations
 
-The plugin is loaded using Traefik's **local plugins mode**:
+Working middleware/Traefik configs live in [`examples/`](../examples/):
 
-- Plugin source: Parent directory (`../`)
-- Mount path: `/plugins-local/src/github.com/lukaszraczylo/traefikoidc`
-- Configuration: `experimental.localPlugins` in `traefik.yml`
+- `complete-traefik-config.yaml` — full middleware example
+- `redis-config.yaml` — Redis cache configuration
 
-#### 3. OIDC Provider Setup
+To run the plugin against a real Traefik instance, drop the project on disk
+and load it via `experimental.localPlugins` in your Traefik static config —
+see the [README install section](../README.md#install).
 
-Edit `docker/dynamic.yml` with your provider details:
+### Integration tests
 
-**Google:**
-```yaml
-http:
-  middlewares:
-    oidc-auth:
-      plugin:
-        traefikoidc:
-          providerURL: "https://accounts.google.com"
-          clientID: "your-client-id.apps.googleusercontent.com"
-          clientSecret: "your-google-client-secret"
-          sessionEncryptionKey: "your-32-character-encryption-key"
-          callbackURL: "/oauth2/callback"
-          logoutURL: "/oauth2/logout"
-          scopes:
-            - "openid"
-            - "email"
-            - "profile"
-```
-
-**Azure AD:**
-```yaml
-http:
-  middlewares:
-    oidc-auth:
-      plugin:
-        traefikoidc:
-          providerURL: "https://login.microsoftonline.com/your-tenant-id/v2.0"
-          clientID: "your-azure-client-id"
-          clientSecret: "your-azure-client-secret"
-          sessionEncryptionKey: "your-32-character-encryption-key"
-          callbackURL: "/oauth2/callback"
-          scopes:
-            - "openid"
-            - "email"
-            - "profile"
-```
-
-#### 4. Start Environment
+Integration tests live in `integration/`. Run them explicitly:
 
 ```bash
-cd docker
-docker-compose up -d
-```
-
-#### 5. Test Plugin
-
-- **Protected App**: http://hello.localhost (redirects to OIDC)
-- **Traefik Dashboard**: http://traefik.localhost:8080
-
-### Development Workflow
-
-1. **Edit plugin code** in the project root
-2. **Build and test** (optional syntax check):
-   ```bash
-   go mod tidy
-   go build .
-   go test ./...
-   ```
-3. **Restart Traefik** to reload plugin:
-   ```bash
-   docker-compose restart traefik
-   ```
-4. **Test changes** at http://hello.localhost
-
-### Debugging
-
-**View plugin logs:**
-```bash
-docker-compose logs -f traefik | grep traefikoidc
-```
-
-**Check plugin loading:**
-```bash
-docker-compose logs traefik | grep -i plugin
-```
-
-**Verify plugin directory:**
-```bash
-docker-compose exec traefik ls -la /plugins-local/src/github.com/lukaszraczylo/traefikoidc/
+go test ./integration/... -run Integration -v
 ```
 
 ---
@@ -299,7 +220,7 @@ The repository uses GitHub Actions for comprehensive validation with 20+ paralle
 
 #### Testing (9 suites)
 - Race Detector
-- Coverage (75% threshold)
+- Coverage (70% threshold, enforced in `pr.yaml`)
 - Memory Leaks
 - Integration Tests
 - Regression Tests
@@ -323,13 +244,13 @@ Tests run in parallel for:
 #### Performance & Build (3 checks)
 - Benchmarks
 - Multi-platform Build (linux/darwin x amd64/arm64)
-- Go Version Compatibility (Go 1.23 & 1.24)
+- Go Version Compatibility (currently Go 1.24.11 in CI)
 
 ### Quality Gates
 
 All PRs must pass:
 - All parallel checks
-- 75% test coverage minimum
+- 70% test coverage minimum
 - Zero security vulnerabilities
 - No race conditions
 - No memory leaks

docs/PROVIDERS.md

@@ -23,10 +23,10 @@ Configuration reference for each supported OIDC provider.
 | Provider | OIDC Support | Refresh Tokens | Auto-Detection | ID Tokens |
 |----------|-------------|----------------|----------------|-----------|
 | Google | Full | Yes | `accounts.google.com` | Yes |
-| Azure AD | Full | Yes | `login.microsoftonline.com` | Yes |
+| Azure AD | Full | Yes | `login.microsoftonline.com`, `sts.windows.net` | Yes |
 | Auth0 | Full | Yes | `*.auth0.com` | Yes |
-| Okta | Full | Yes | `*.okta.com` | Yes |
-| Keycloak | Full | Yes | `/auth/realms/` path | Yes |
+| Okta | Full | Yes | `*.okta.com`, `*.oktapreview.com`, `*.okta-emea.com` | Yes |
+| Keycloak | Full | Yes | host containing `keycloak`, or `/realms/` in path (matches both `/auth/realms/` legacy and `/realms/` modern) | Yes |
 | AWS Cognito | Full | Yes | `cognito-idp.*.amazonaws.com` | Yes |
 | GitLab | Full | Yes | `gitlab.com` | Yes |
 | GitHub | OAuth 2.0 Only | No | `github.com` | No |

docs/REDIS.md

@@ -109,11 +109,11 @@ redis:
 | `writeTimeout` | int | `3` | Write timeout (seconds) |
 | `enableTLS` | bool | `false` | Enable TLS for connections |
 | `tlsSkipVerify` | bool | `false` | Skip TLS certificate verification |
-| `enableCircuitBreaker` | bool | `true` | Enable circuit breaker |
-| `circuitBreakerThreshold` | int | `5` | Failures before circuit opens |
-| `circuitBreakerTimeout` | int | `60` | Circuit reset timeout (seconds) |
-| `enableHealthCheck` | bool | `true` | Enable periodic health checks |
-| `healthCheckInterval` | int | `30` | Health check interval (seconds) |
+| `enableCircuitBreaker` | bool | `false` | Wrap the Redis backend with a circuit breaker. **Recommended `true` in production.** |
+| `circuitBreakerThreshold` | int | `5` | Consecutive failures before the circuit opens (only when `enableCircuitBreaker: true`). |
+| `circuitBreakerTimeout` | int | `60` | Seconds the circuit stays open before allowing a probe (only when `enableCircuitBreaker: true`). |
+| `enableHealthCheck` | bool | `false` | Wrap the Redis backend with periodic health checks. **Recommended `true` in production.** |
+| `healthCheckInterval` | int | `30` | Health check interval in seconds (only when `enableHealthCheck: true`). |
 | `hybridL1Size` | int | `500` | Max items in L1 cache (hybrid mode) |
 | `hybridL1MemoryMB` | int64 | `10` | Max memory for L1 cache in MB |
 
@@ -134,13 +134,21 @@ REDIS_READ_TIMEOUT=3
 REDIS_WRITE_TIMEOUT=3
 REDIS_ENABLE_TLS=false
 REDIS_TLS_SKIP_VERIFY=false
+REDIS_HYBRID_L1_SIZE=500
+REDIS_HYBRID_L1_MEMORY_MB=10
 ```
 
+> Resilience fields (`enableCircuitBreaker`, `enableHealthCheck`,
+> `circuitBreakerThreshold`, `circuitBreakerTimeout`, `healthCheckInterval`)
+> have no environment variable fallback — set them in plugin configuration.
+
+Invalid `cacheMode` values are rejected at plugin startup.
+
 ---
 
 ## Cache Modes
 
-### Memory Mode (Default without Redis)
+### Memory Mode (used when Redis is disabled)
 
 ```yaml
 redis:

docs/TESTING.md

@@ -6,8 +6,8 @@ Comprehensive testing infrastructure for traefikoidc.
 
 | Metric | Value |
 |--------|-------|
-| Test files | 99 |
-| Lines of test code | ~65,500 |
+| Test files | 110 |
+| Lines of test code | ~72,000 |
 | Code coverage | 71.0% |
 | Race conditions | None (all pass with `-race`) |
 

docs/index.html

@@ -90,6 +90,7 @@
                         <a href="#configuration" class="text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 font-medium">Configuration</a>
                         <a href="#deployment" class="text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 font-medium">Deployment</a>
                         <a href="#security" class="text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 font-medium">Security</a>
+                        <a href="#logout" class="text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 font-medium">Logout</a>
                     </div>
                     <div class="flex items-center space-x-4">
                         <button id="theme-toggle" class="text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 p-2 min-w-[44px] min-h-[44px] flex items-center justify-center" aria-label="Toggle theme">
@@ -114,6 +115,7 @@
                     <a href="#configuration" class="block px-3 py-3 text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 hover:bg-gray-50 dark:hover:bg-gray-700 rounded font-medium">Configuration</a>
                     <a href="#deployment" class="block px-3 py-3 text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 hover:bg-gray-50 dark:hover:bg-gray-700 rounded font-medium">Deployment</a>
                     <a href="#security" class="block px-3 py-3 text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 hover:bg-gray-50 dark:hover:bg-gray-700 rounded font-medium">Security</a>
+                    <a href="#logout" class="block px-3 py-3 text-gray-600 dark:text-gray-300 hover:text-gray-900 dark:hover:text-gray-100 hover:bg-gray-50 dark:hover:bg-gray-700 rounded font-medium">Logout</a>
                 </div>
             </div>
         </nav>
@@ -1219,6 +1221,71 @@ spec:
             </div>
         </section>
 
+        <!-- IdP-Initiated Logout Section -->
+        <section id="logout" class="py-12 sm:py-16 md:py-20 bg-white dark:bg-gray-900 theme-transition">
+            <div class="max-w-6xl mx-auto px-4 sm:px-6">
+                <div class="text-center mb-8 sm:mb-12">
+                    <h2 class="text-2xl sm:text-3xl md:text-4xl font-bold text-gray-900 dark:text-gray-100 mb-3 sm:mb-4">IdP-Initiated Logout</h2>
+                    <p class="text-base sm:text-lg text-gray-600 dark:text-gray-300 px-4">Support for OIDC Back-Channel and Front-Channel Logout specifications</p>
+                </div>
+                <div class="max-w-4xl mx-auto">
+                    <div class="grid md:grid-cols-2 gap-6 mb-8">
+                        <div class="glass p-6 rounded-xl">
+                            <h3 class="font-semibold text-gray-900 dark:text-gray-100 mb-4 flex items-center">
+                                <i class="fas fa-server mr-2 text-blue-500"></i>
+                                Back-Channel Logout
+                            </h3>
+                            <p class="text-gray-600 dark:text-gray-400 text-sm mb-4">
+                                Server-to-server logout notification. The IdP sends a signed JWT (logout_token) directly to your application when a user logs out.
+                            </p>
+                            <ul class="text-gray-600 dark:text-gray-400 space-y-2 text-sm">
+                                <li>&#8226; Signed JWT logout tokens</li>
+                                <li>&#8226; Session ID (sid) based invalidation</li>
+                                <li>&#8226; Subject (sub) based invalidation</li>
+                                <li>&#8226; Works behind firewalls</li>
+                            </ul>
+                        </div>
+                        <div class="glass p-6 rounded-xl">
+                            <h3 class="font-semibold text-gray-900 dark:text-gray-100 mb-4 flex items-center">
+                                <i class="fas fa-browser mr-2 text-purple-500"></i>
+                                Front-Channel Logout
+                            </h3>
+                            <p class="text-gray-600 dark:text-gray-400 text-sm mb-4">
+                                Browser-based logout via iframe. The IdP embeds an iframe pointing to your logout endpoint during user logout.
+                            </p>
+                            <ul class="text-gray-600 dark:text-gray-400 space-y-2 text-sm">
+                                <li>&#8226; Iframe-based session termination</li>
+                                <li>&#8226; Immediate cookie invalidation</li>
+                                <li>&#8226; Simple GET request handling</li>
+                                <li>&#8226; Issuer validation</li>
+                            </ul>
+                        </div>
+                    </div>
+                    <div class="glass p-6 rounded-xl">
+                        <h3 class="font-semibold text-gray-900 dark:text-gray-100 mb-4">Configuration Example</h3>
+                        <pre class="bg-gray-900 text-gray-100 p-4 rounded-lg overflow-x-auto text-sm"><code>http:
+  middlewares:
+    oidc-auth:
+      plugin:
+        traefikoidc:
+          # ... other OIDC configuration ...
+
+          # Back-Channel Logout (server-to-server)
+          enableBackchannelLogout: true
+          backchannelLogoutURL: "/backchannel-logout"
+
+          # Front-Channel Logout (browser-based)
+          enableFrontchannelLogout: true
+          frontchannelLogoutURL: "/frontchannel-logout"</code></pre>
+                        <p class="text-gray-600 dark:text-gray-400 text-sm mt-4">
+                            Configure your IdP with the full URLs (e.g., <code class="bg-gray-200 dark:bg-gray-700 px-1 rounded">https://your-app.example.com/backchannel-logout</code>). 
+                            When a user logs out from the IdP, all their sessions across your applications will be invalidated.
+                        </p>
+                    </div>
+                </div>
+            </div>
+        </section>
+
         <!-- Why Choose Section -->
         <section class="py-12 sm:py-16 md:py-20 bg-gray-50 dark:bg-gray-800 theme-transition">
             <div class="max-w-6xl mx-auto px-4 sm:px-6">

enhanced_mocks_test.go

@@ -2,6 +2,8 @@ package traefikoidc
 
 import (
 	"context"
+	"crypto"
+	"fmt"
 	"net/http"
 	"sync"
 	"sync/atomic"
@@ -40,6 +42,31 @@ func (m *EnhancedMockJWKCache) GetJWKS(ctx context.Context, jwksURL string, http
 	return m.JWKS, m.Err
 }
 
+func (m *EnhancedMockJWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	jwks, err := m.GetJWKS(ctx, jwksURL, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	if jwks == nil {
+		return nil, fmt.Errorf("JWKS is nil")
+	}
+	for i := range jwks.Keys {
+		k := &jwks.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		default:
+			return nil, fmt.Errorf("unsupported key type: %s", k.Kty)
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (m *EnhancedMockJWKCache) Cleanup() {
 	atomic.AddInt32(&m.CleanupCalls, 1)
 	m.mu.Lock()

error_recovery.go

@@ -954,7 +954,7 @@ func (gd *GracefulDegradation) GetDegradedServices() []string {
 	gd.mutex.RLock()
 	defer gd.mutex.RUnlock()
 
-	var degraded []string
+	degraded := make([]string, 0, len(gd.degradedServices))
 	for serviceName := range gd.degradedServices {
 		degraded = append(degraded, serviceName)
 	}

go.mod

@@ -4,7 +4,6 @@ go 1.24.0
 
 require (
 	github.com/alicebob/miniredis/v2 v2.35.0
-	github.com/google/uuid v1.6.0
 	github.com/gorilla/sessions v1.3.0
 	github.com/redis/go-redis/v9 v9.17.2
 	github.com/stretchr/testify v1.10.0

go.sum

@@ -12,8 +12,6 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.3.0 h1:XYlkq7KcpOB2ZhHBPv5WpjMIxrQosiZanfoy1HLZFzg=

helpers.go

@@ -17,6 +17,21 @@ import (
 	"github.com/lukaszraczylo/traefikoidc/internal/utils"
 )
 
+// newUUIDv4 returns an RFC 4122 v4 UUID string (e.g.
+// "f47ac10b-58cc-4372-a567-0e02b2c3d479") backed by crypto/rand. Used for CSRF
+// tokens and other opaque random identifiers — replaces github.com/google/uuid
+// to keep the plugin stdlib-only on the production path.
+func newUUIDv4() (string, error) {
+	var b [16]byte
+	if _, err := rand.Read(b[:]); err != nil {
+		return "", fmt.Errorf("could not generate UUID: %w", err)
+	}
+	b[6] = (b[6] & 0x0f) | 0x40 // version 4
+	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
+	return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",
+		b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
+}
+
 // generateNonce creates a cryptographically secure random nonce for OIDC flows.
 // The nonce is used to prevent replay attacks and associate client sessions with ID tokens.
 // Returns:
@@ -336,6 +351,7 @@ func createStringMap(keys []string) map[string]struct{} {
 // and redirects to the provider's logout endpoint or configured post-logout URI.
 // It handles potential errors during session retrieval or clearing.
 func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
+	t.logger.Debug("Processing logout request")
 	session, err := t.sessionManager.GetSession(req)
 	if err != nil {
 		t.logger.Errorf("Error getting session: %v", err)

helpers_test.go

@@ -0,0 +1,29 @@
+package traefikoidc
+
+import (
+	"regexp"
+	"testing"
+)
+
+// TestNewUUIDv4 verifies the in-house UUID v4 generator produces RFC 4122
+// compliant identifiers. Locks in the replacement for github.com/google/uuid
+// — a regression here would weaken the CSRF token used in the OIDC flow.
+func TestNewUUIDv4(t *testing.T) {
+	rfc4122v4 := regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)
+
+	const samples = 1000
+	seen := make(map[string]struct{}, samples)
+	for i := 0; i < samples; i++ {
+		got, err := newUUIDv4()
+		if err != nil {
+			t.Fatalf("newUUIDv4 failed: %v", err)
+		}
+		if !rfc4122v4.MatchString(got) {
+			t.Fatalf("UUID %q does not match RFC 4122 v4 format", got)
+		}
+		if _, dup := seen[got]; dup {
+			t.Fatalf("duplicate UUID emitted within %d samples: %q", samples, got)
+		}
+		seen[got] = struct{}{}
+	}
+}

http_client_factory.go

@@ -3,6 +3,7 @@ package traefikoidc
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -25,10 +26,16 @@ type HTTPClientConfig struct {
 	Timeout               time.Duration
 	MaxConnsPerHost       int
 	WriteBufferSize       int
-	UseCookieJar          bool
-	ForceHTTP2            bool
-	DisableKeepAlives     bool
-	DisableCompression    bool
+	// RootCAs is an optional certificate pool used for TLS verification.
+	// A nil pool means "use the system trust store" (default behavior).
+	RootCAs *x509.CertPool
+	// InsecureSkipVerify disables TLS certificate verification.
+	// ONLY set this for local development against self-signed certificates.
+	InsecureSkipVerify bool
+	UseCookieJar       bool
+	ForceHTTP2         bool
+	DisableKeepAlives  bool
+	DisableCompression bool
 }
 
 // DefaultHTTPClientConfig returns the default configuration for general use
@@ -203,7 +210,8 @@ func (f *HTTPClientFactory) CreateHTTPClient(config HTTPClientConfig) *http.Clie
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			},
 			PreferServerCipherSuites: true,
-			InsecureSkipVerify:       false, // Always verify certificates
+			RootCAs:                  config.RootCAs,
+			InsecureSkipVerify:       config.InsecureSkipVerify, //nolint:gosec // opt-in, loud warning emitted at plugin startup
 		},
 		ForceAttemptHTTP2:     config.ForceHTTP2,
 		TLSHandshakeTimeout:   config.TLSHandshakeTimeout,

http_client_pool.go

@@ -3,6 +3,7 @@ package traefikoidc
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"net/http"
 	"sync"
@@ -103,7 +104,8 @@ func (p *SharedTransportPool) GetOrCreateTransport(config HTTPClientConfig) *htt
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			},
 			PreferServerCipherSuites: true,
-			InsecureSkipVerify:       false,
+			RootCAs:                  config.RootCAs,
+			InsecureSkipVerify:       config.InsecureSkipVerify, //nolint:gosec // opt-in, loud warning emitted at plugin startup
 		},
 		ForceAttemptHTTP2:     config.ForceHTTP2,
 		TLSHandshakeTimeout:   config.TLSHandshakeTimeout,
@@ -205,8 +207,21 @@ func (p *SharedTransportPool) performCleanup() {
 
 // configKey generates a unique key for a config
 func (p *SharedTransportPool) configKey(config HTTPClientConfig) string {
-	// Simple key based on main parameters
-	return string(rune(config.MaxConnsPerHost)) + string(rune(config.MaxIdleConnsPerHost))
+	// Pool transports by the parameters that change TLS or connection
+	// behavior. RootCAs and InsecureSkipVerify MUST be part of the key:
+	// otherwise a middleware configured with a custom CA would share a
+	// transport with one using the system store, silently bypassing its
+	// CA configuration.
+	skip := "0"
+	if config.InsecureSkipVerify {
+		skip = "1"
+	}
+	return fmt.Sprintf("%d|%d|%p|%s",
+		config.MaxConnsPerHost,
+		config.MaxIdleConnsPerHost,
+		config.RootCAs,
+		skip,
+	)
 }
 
 // Cleanup closes all transports and stops the cleanup goroutine

input_validation.go

@@ -10,6 +10,14 @@ import (
 	"unicode/utf8"
 )
 
+// Pre-compiled regex patterns for validation (const patterns should use MustCompile)
+var (
+	emailRegexPattern    = regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
+	urlRegexPattern      = regexp.MustCompile(`^https?://[a-zA-Z0-9.-]+(?:\.[a-zA-Z]{2,})?(?::[0-9]+)?(?:/[^\s]*)?$`)
+	tokenRegexPattern    = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
+	usernameRegexPattern = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+)
+
 // InputValidator provides comprehensive input validation and sanitization
 // to protect against common security vulnerabilities including SQL injection,
 // XSS, path traversal, and other injection attacks. It validates and sanitizes
@@ -73,7 +81,7 @@ func DefaultInputValidationConfig() InputValidationConfig {
 }
 
 // NewInputValidator creates a new input validator with the specified configuration.
-// It compiles all necessary regex patterns and initializes security pattern lists.
+// It uses pre-compiled regex patterns and initializes security pattern lists.
 //
 // Parameters:
 //   - config: Validation configuration with size limits and mode settings.
@@ -81,29 +89,8 @@ func DefaultInputValidationConfig() InputValidationConfig {
 //
 // Returns:
 //   - A configured InputValidator instance.
-//   - An error if regex compilation fails.
+//   - An error (always nil, kept for API compatibility).
 func NewInputValidator(config InputValidationConfig, logger *Logger) (*InputValidator, error) {
-	// Compile regex patterns
-	emailRegex, err := regexp.Compile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
-	if err != nil {
-		return nil, fmt.Errorf("failed to compile email regex: %w", err)
-	}
-
-	urlRegex, err := regexp.Compile(`^https?://[a-zA-Z0-9.-]+(?:\.[a-zA-Z]{2,})?(?::[0-9]+)?(?:/[^\s]*)?$`)
-	if err != nil {
-		return nil, fmt.Errorf("failed to compile URL regex: %w", err)
-	}
-
-	tokenRegex, err := regexp.Compile(`^[A-Za-z0-9._-]+$`)
-	if err != nil {
-		return nil, fmt.Errorf("failed to compile token regex: %w", err)
-	}
-
-	usernameRegex, err := regexp.Compile(`^[a-zA-Z0-9._-]+$`)
-	if err != nil {
-		return nil, fmt.Errorf("failed to compile username regex: %w", err)
-	}
-
 	return &InputValidator{
 		maxTokenLength:          config.MaxTokenLength,
 		maxURLLength:            config.MaxURLLength,
@@ -112,10 +99,10 @@ func NewInputValidator(config InputValidationConfig, logger *Logger) (*InputVali
 		maxEmailLength:          config.MaxEmailLength,
 		maxUsernameLength:       config.MaxUsernameLength,
 		allowPrivateIPAddresses: config.AllowPrivateIPAddresses,
-		emailRegex:              emailRegex,
-		urlRegex:                urlRegex,
-		tokenRegex:              tokenRegex,
-		usernameRegex:           usernameRegex,
+		emailRegex:              emailRegexPattern,
+		urlRegex:                urlRegexPattern,
+		tokenRegex:              tokenRegexPattern,
+		usernameRegex:           usernameRegexPattern,
 		sqlInjectionPatterns: []string{
 			"'", "\"", ";", "--", "/*", "*/", "xp_", "sp_",
 			"union", "select", "insert", "update", "delete", "drop",

internal/cache/backends/hybrid.go

@@ -20,6 +20,7 @@ type HybridBackend struct {
 	ctx                 context.Context
 	syncWriteCacheTypes map[string]bool
 	asyncWriteBuffer    chan *asyncWriteItem
+	l1BackfillBuffer    chan *l1BackfillItem
 	cancel              context.CancelFunc
 	wg                  sync.WaitGroup
 	l1Hits              atomic.Int64
@@ -28,6 +29,7 @@ type HybridBackend struct {
 	l1Writes            atomic.Int64
 	misses              atomic.Int64
 	l2Hits              atomic.Int64
+	l1BackfillDrops     atomic.Int64
 	fallbackMode        atomic.Bool
 }
 
@@ -39,6 +41,15 @@ type asyncWriteItem struct {
 	ttl   time.Duration
 }
 
+// l1BackfillItem represents a deferred write of an L2-resolved value back into
+// L1. Backfills run on a single bounded worker so a burst of L2 hits cannot
+// detonate the goroutine count (issue: ~1000% CPU under sustained polling).
+type l1BackfillItem struct {
+	key   string
+	value []byte
+	ttl   time.Duration
+}
+
 // Logger interface for structured logging
 type Logger interface {
 	Debugf(format string, args ...interface{})
@@ -114,6 +125,7 @@ func NewHybridBackend(config *HybridConfig) (*HybridBackend, error) {
 		secondary:           config.Secondary,
 		syncWriteCacheTypes: config.SyncWriteCacheTypes,
 		asyncWriteBuffer:    make(chan *asyncWriteItem, config.AsyncBufferSize),
+		l1BackfillBuffer:    make(chan *l1BackfillItem, config.AsyncBufferSize),
 		ctx:                 ctx,
 		cancel:              cancel,
 		logger:              config.Logger,
@@ -123,6 +135,11 @@ func NewHybridBackend(config *HybridConfig) (*HybridBackend, error) {
 	h.wg.Add(1)
 	go h.asyncWriteWorker()
 
+	// Start L1 backfill worker (single goroutine) to bound goroutine growth on
+	// L2 hits regardless of request rate.
+	h.wg.Add(1)
+	go h.l1BackfillWorker()
+
 	// Start health monitoring
 	h.wg.Add(1)
 	go h.healthMonitor()
@@ -223,18 +240,10 @@ func (h *HybridBackend) Get(ctx context.Context, key string) ([]byte, time.Durat
 
 	h.l2Hits.Add(1)
 
-	// Populate L1 cache with value from L2 (write-through on read)
-	// Use goroutine to avoid blocking the read path
-	go func() {
-		writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-		defer cancel()
-
-		if err := h.primary.Set(writeCtx, key, value, ttl); err != nil {
-			h.logger.Debugf("Failed to populate L1 cache from L2 for key %s: %v", key, err)
-		} else {
-			h.logger.Debugf("Populated L1 cache from L2 for key: %s", key)
-		}
-	}()
+	// Populate L1 cache with value from L2 (write-through on read).
+	// Hand off to the bounded backfill worker instead of spawning a goroutine
+	// per read - under burst that would mint thousands of goroutines.
+	h.queueL1Backfill(key, value, ttl)
 
 	return value, ttl, true, nil
 }
@@ -371,6 +380,7 @@ func (h *HybridBackend) Close() error {
 
 	// Close async write channel
 	close(h.asyncWriteBuffer)
+	close(h.l1BackfillBuffer)
 
 	// Wait for workers to finish with timeout
 	done := make(chan struct{})
@@ -440,13 +450,7 @@ func (h *HybridBackend) GetMany(ctx context.Context, keys []string) (map[string]
 			for key, value := range l2Results {
 				results[key] = value
 				h.l2Hits.Add(1)
-
-				// Asynchronously populate L1
-				go func(k string, v []byte) {
-					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-					defer cancel()
-					_ = h.primary.Set(writeCtx, k, v, 0) // Use default TTL
-				}(key, value)
+				h.queueL1Backfill(key, value, 0) // 0 = primary backend default TTL
 			}
 		}
 	} else {
@@ -455,13 +459,7 @@ func (h *HybridBackend) GetMany(ctx context.Context, keys []string) (map[string]
 			if value, ttl, exists, err := h.secondary.Get(ctx, key); err == nil && exists {
 				results[key] = value
 				h.l2Hits.Add(1)
-
-				// Asynchronously populate L1
-				go func(k string, v []byte, t time.Duration) {
-					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-					defer cancel()
-					_ = h.primary.Set(writeCtx, k, v, t)
-				}(key, value, ttl)
+				h.queueL1Backfill(key, value, ttl)
 			}
 		}
 	}
@@ -538,6 +536,55 @@ func (h *HybridBackend) SetMany(ctx context.Context, items map[string][]byte, tt
 	return nil
 }
 
+// queueL1Backfill enqueues an L2-resolved value for write-through into L1.
+// Drops on full buffer to keep the read path constant-time; the next L2 hit
+// for the same key simply re-queues it.
+func (h *HybridBackend) queueL1Backfill(key string, value []byte, ttl time.Duration) {
+	select {
+	case h.l1BackfillBuffer <- &l1BackfillItem{key: key, value: value, ttl: ttl}:
+	default:
+		h.l1BackfillDrops.Add(1)
+		h.logger.Debugf("L1 backfill buffer full, dropping for key: %s", key)
+	}
+}
+
+// l1BackfillWorker drains the backfill queue serially. Single worker is
+// intentional - L1 writes are local and cheap, and serializing them keeps
+// goroutine count bounded under any read rate.
+func (h *HybridBackend) l1BackfillWorker() {
+	defer h.wg.Done()
+
+	for {
+		select {
+		case <-h.ctx.Done():
+			// Drain remaining items best-effort then exit.
+			for len(h.l1BackfillBuffer) > 0 {
+				select {
+				case item := <-h.l1BackfillBuffer:
+					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+					_ = h.primary.Set(writeCtx, item.key, item.value, item.ttl)
+					cancel()
+				default:
+					return
+				}
+			}
+			return
+
+		case item, ok := <-h.l1BackfillBuffer:
+			if !ok {
+				return
+			}
+			writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+			if err := h.primary.Set(writeCtx, item.key, item.value, item.ttl); err != nil {
+				h.logger.Debugf("Failed to populate L1 cache from L2 for key %s: %v", item.key, err)
+			} else {
+				h.logger.Debugf("Populated L1 cache from L2 for key: %s", item.key)
+			}
+			cancel()
+		}
+	}
+}
+
 // asyncWriteWorker processes asynchronous writes to L2
 func (h *HybridBackend) asyncWriteWorker() {
 	defer h.wg.Done()

internal/cache/backends/hybrid_l1_backfill_test.go

@@ -0,0 +1,112 @@
+//go:build !yaegi
+
+package backends
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestHybridBackend_L1BackfillBounded verifies that a burst of L2 hits does
+// not detonate the goroutine count. Pre-fix the code spawned one goroutine
+// per Get() L2 hit; post-fix all backfills funnel through a single worker.
+func TestHybridBackend_L1BackfillBounded(t *testing.T) {
+	primary := newMockBackend()
+	secondary := newMockBackend()
+
+	hybrid, err := NewHybridBackend(&HybridConfig{
+		Primary:         primary,
+		Secondary:       secondary,
+		AsyncBufferSize: 256,
+	})
+	require.NoError(t, err)
+	defer hybrid.Close()
+
+	ctx := context.Background()
+	const burst = 1000
+
+	// Pre-populate L2 with `burst` distinct keys so each Get triggers a
+	// fresh L1 backfill enqueue.
+	for i := 0; i < burst; i++ {
+		require.NoError(t, secondary.Set(ctx, fmt.Sprintf("k:%d", i), []byte("v"), time.Minute))
+	}
+
+	baseline := runtime.NumGoroutine()
+
+	// Issue the burst as fast as possible; the backfill worker MUST be the
+	// only goroutine doing L1 writes. Allow brief slack for the test runtime
+	// scheduling but anything north of +20 means goroutine leakage.
+	peak := baseline
+	for i := 0; i < burst; i++ {
+		_, _, exists, err := hybrid.Get(ctx, fmt.Sprintf("k:%d", i))
+		require.NoError(t, err)
+		require.True(t, exists)
+		if g := runtime.NumGoroutine(); g > peak {
+			peak = g
+		}
+	}
+
+	delta := peak - baseline
+	if delta > 20 {
+		t.Fatalf("goroutine count grew by %d during burst (baseline=%d peak=%d); backfill worker not bounding goroutines",
+			delta, baseline, peak)
+	}
+
+	// L1 must eventually catch up via the worker. Worker drains serially so
+	// give it a generous window proportional to the burst size.
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		var populated int
+		for i := 0; i < burst; i++ {
+			if _, _, ok, _ := primary.Get(ctx, fmt.Sprintf("k:%d", i)); ok {
+				populated++
+			}
+		}
+		// Be lenient: drops are acceptable under buffer pressure, just want
+		// most of the keys to make it.
+		if populated >= burst-int(hybrid.l1BackfillDrops.Load()) {
+			return
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	t.Fatalf("L1 not backfilled within deadline: l2Hits=%d l1Writes=%d drops=%d",
+		hybrid.l2Hits.Load(), hybrid.l1Writes.Load(), hybrid.l1BackfillDrops.Load())
+}
+
+// TestHybridBackend_L1BackfillFullDrops verifies the drop semantics when the
+// buffer is saturated. Drops must be counted, never block, never spawn a
+// goroutine.
+func TestHybridBackend_L1BackfillFullDrops(t *testing.T) {
+	primary := newMockBackend()
+	secondary := newMockBackend()
+
+	// Tiny buffer + slow primary writes via failSet so the worker stays
+	// blocked enough to overflow the buffer.
+	hybrid, err := NewHybridBackend(&HybridConfig{
+		Primary:         primary,
+		Secondary:       secondary,
+		AsyncBufferSize: 4,
+	})
+	require.NoError(t, err)
+	defer hybrid.Close()
+
+	// Stop the worker from draining: cancel the underlying context so the
+	// worker bails out, leaving us with a cold buffer and the queue method
+	// itself responsible for drop accounting.
+	hybrid.cancel()
+	// Wait for worker to exit so it can't drain.
+	time.Sleep(50 * time.Millisecond)
+
+	for i := 0; i < 50; i++ {
+		hybrid.queueL1Backfill(fmt.Sprintf("k:%d", i), []byte("v"), time.Minute)
+	}
+
+	assert.Greater(t, hybrid.l1BackfillDrops.Load(), int64(0),
+		"expected some drops when buffer is saturated and worker is stopped")
+}

internal/cache/backends/memory_shard.go

@@ -241,9 +241,11 @@ func (s *cacheShard) evictLRULocked() bool {
 
 	element := s.lruList.Back()
 	if element != nil {
-		item := element.Value.(*memoryCacheItem)
-		s.deleteItemLocked(item)
-		return true
+		item, ok := element.Value.(*memoryCacheItem)
+		if ok {
+			s.deleteItemLocked(item)
+			return true
+		}
 	}
 	return false
 }
@@ -267,8 +269,10 @@ func (s *cacheShard) getOldestAccessTime() time.Time {
 
 	element := s.lruList.Back()
 	if element != nil {
-		item := element.Value.(*memoryCacheItem)
-		return item.accessedAt
+		item, ok := element.Value.(*memoryCacheItem)
+		if ok {
+			return item.accessedAt
+		}
 	}
 	return time.Time{}
 }

internal/cache/backends/redis.go

@@ -345,7 +345,7 @@ func (r *RedisBackend) prefixKey(key string) string {
 
 // executeWithRetry executes a Redis operation with exponential backoff retry logic.
 // It checks context cancellation at multiple points to ensure fast abort when the
-// caller's context is cancelled (e.g., due to request timeout).
+// caller's context is canceled (e.g., due to request timeout).
 func (r *RedisBackend) executeWithRetry(ctx context.Context, operation func(*RedisConn) error) error {
 	maxRetries := 3
 	baseDelay := 50 * time.Millisecond // Reduced from 100ms to fail faster
@@ -377,7 +377,7 @@ func (r *RedisBackend) executeWithRetry(ctx context.Context, operation func(*Red
 		err = operation(conn)
 		r.pool.Put(conn)
 
-		// Check context after operation - if cancelled, don't bother retrying
+		// Check context after operation - if canceled, don't bother retrying
 		if ctx.Err() != nil {
 			return ctx.Err()
 		}

internal/cache/backends/redis_pool_test.go

@@ -3,6 +3,7 @@ package backends
 import (
 	"context"
 	"errors"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -201,7 +202,7 @@ func TestConnectionPool_ContextCancellation(t *testing.T) {
 	conn, err := pool.Get(context.Background())
 	require.NoError(t, err)
 
-	// Try to get another with cancelled context
+	// Try to get another with canceled context
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel() // Cancel immediately
 
@@ -617,4 +618,33 @@ func TestRedisConn_TooManyArguments(t *testing.T) {
 			assert.NotContains(t, err.Error(), "too many arguments")
 		}
 	})
+
+}
+
+// TestRedisConn_RejectOversizedArgumentBytes is a regression test for CodeQL
+// alert #10 (go/allocation-size-overflow). A single argument larger than
+// maxTotalArgBytes (64 MiB) must be rejected by the per-argument overflow
+// guard in Do() before any allocation is attempted.
+func TestRedisConn_RejectOversizedArgumentBytes(t *testing.T) {
+	mr := NewMiniredisServer(t)
+
+	pool, err := NewConnectionPool(&PoolConfig{
+		Address:        mr.GetAddr(),
+		MaxConnections: 1,
+		ConnectTimeout: 5 * time.Second,
+		ReadTimeout:    3 * time.Second,
+		WriteTimeout:   3 * time.Second,
+	})
+	require.NoError(t, err)
+	defer pool.Close()
+
+	conn, err := pool.Get(context.Background())
+	require.NoError(t, err)
+	defer pool.Put(conn)
+
+	largeArg := strings.Repeat("x", (64<<20)+1)
+
+	_, err = conn.Do("SET", "k", largeArg)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "arguments too large")
 }

internal/cache/backends/resp.go

@@ -7,52 +7,34 @@ import (
 	"io"
 	"strconv"
 	"strings"
-	"sync"
 )
 
 // RESP (REdis Serialization Protocol) implementation
 // Pure Go implementation compatible with Yaegi interpreter (no unsafe package)
+//
+// NOTE: sync.Pool was intentionally removed for Yaegi compatibility.
+// Yaegi (Traefik's Go interpreter) has issues with sync.Pool and reflection
+// that cause "reflect: call of reflect.Value.Field on zero Value" panics.
+// See: https://github.com/lukaszraczylo/traefikoidc/issues/120
 
 var (
 	ErrInvalidRESP = errors.New("invalid RESP response")
 	ErrNilResponse = errors.New("nil response")
 )
 
-// Object pools for memory optimization - reduces allocations by 50-70%
-var (
-	readerPool = sync.Pool{
-		New: func() interface{} {
-			return &RESPReader{
-				r: bufio.NewReaderSize(nil, 4096),
-			}
-		},
-	}
-
-	writerPool = sync.Pool{
-		New: func() interface{} {
-			return &RESPWriter{
-				w: nil,
-			}
-		},
-	}
-)
-
 // RESPWriter writes RESP protocol messages
 type RESPWriter struct {
 	w io.Writer
 }
 
-// NewRESPWriter creates a new RESP writer from the pool (memory optimized)
+// NewRESPWriter creates a new RESP writer
 func NewRESPWriter(w io.Writer) *RESPWriter {
-	writer := writerPool.Get().(*RESPWriter)
-	writer.w = w
-	return writer
+	return &RESPWriter{w: w}
 }
 
-// Release returns the writer to the pool for reuse
+// Release is a no-op for API compatibility (pooling removed for Yaegi compatibility)
 func (w *RESPWriter) Release() {
-	w.w = nil
-	writerPool.Put(w)
+	// No-op: pooling removed for Yaegi compatibility
 }
 
 // WriteCommand writes a Redis command in RESP array format
@@ -78,17 +60,16 @@ type RESPReader struct {
 	r *bufio.Reader
 }
 
-// NewRESPReader creates a new RESP reader from the pool (memory optimized)
+// NewRESPReader creates a new RESP reader
 func NewRESPReader(r io.Reader) *RESPReader {
-	reader := readerPool.Get().(*RESPReader)
-	reader.r.Reset(r)
-	return reader
+	return &RESPReader{
+		r: bufio.NewReaderSize(r, 4096),
+	}
 }
 
-// Release returns the reader to the pool for reuse
+// Release is a no-op for API compatibility (pooling removed for Yaegi compatibility)
 func (r *RESPReader) Release() {
-	r.r.Reset(nil)
-	readerPool.Put(r)
+	// No-op: pooling removed for Yaegi compatibility
 }
 
 // ReadResponse reads a RESP response and returns the parsed value

internal/cache/backends/singleflight.go

@@ -87,7 +87,7 @@ func (s *SingleflightCache) GetOrFetch(ctx context.Context, key string, fetcher
 	// If successful, store in cache
 	if call.err == nil && call.val != nil {
 		// Use a background context for cache storage to ensure it completes
-		// even if the original context is cancelled
+		// even if the original context is canceled
 		storeCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		_ = s.backend.Set(storeCtx, key, call.val, call.ttl)
 		cancel()

internal/cache/manager.go

@@ -232,7 +232,7 @@ func (m *Manager) Close() error {
 
 	var firstErr error
 
-	if err := m.tokenCache.Close(); err != nil && firstErr == nil {
+	if err := m.tokenCache.Close(); err != nil {
 		firstErr = err
 	}
 	if err := m.metadataCache.Close(); err != nil && firstErr == nil {

internal/cleanup/workers.go

@@ -397,7 +397,7 @@ func (wp *WorkerPool) Submit(task func()) error {
 }
 
 // worker is the main worker routine
-func (wp *WorkerPool) worker(id int) {
+func (wp *WorkerPool) worker(_ int) {
 	defer wp.workerWg.Done()
 
 	for {

internal/features/flags.go

@@ -173,7 +173,7 @@ func (m *FeatureManager) LoadFromEnv() {
 	for name, flag := range flags {
 		envVar := "FEATURE_" + name
 		if value := os.Getenv(envVar); value != "" {
-			enabled := strings.ToLower(value) == "true" || value == "1"
+			enabled := strings.EqualFold(value, "true") || value == "1"
 			flag.enabled.Store(enabled)
 		}
 	}

internal/providers/aws_cognito.go

@@ -40,7 +40,7 @@ func (p *AWSCognitoProvider) BuildAuthParams(baseParams url.Values, scopes []str
 	// Remove offline_access scope as Cognito doesn't use it (case-insensitive)
 	var filteredScopes []string
 	for _, scope := range scopes {
-		if strings.ToLower(scope) != ScopeOfflineAccess {
+		if !strings.EqualFold(scope, ScopeOfflineAccess) {
 			filteredScopes = append(filteredScopes, scope)
 		}
 	}

internal/providers/registry.go

@@ -147,7 +147,8 @@ func (r *ProviderRegistry) detectProviderUnsafe(issuerURL string) OIDCProvider {
 				return p
 			}
 		case ProviderTypeKeycloak:
-			if strings.Contains(host, "keycloak") || strings.Contains(normalizedURL.Path, "/auth/realms/") {
+			// Match both Keycloak <17 (`/auth/realms/`) and 17+ (`/realms/`).
+			if strings.Contains(host, "keycloak") || strings.Contains(normalizedURL.Path, "/realms/") {
 				return p
 			}
 		case ProviderTypeAWSCognito:

internal/providers/registry_test.go

@@ -225,10 +225,15 @@ func TestProviderRegistry_DetectProvider(t *testing.T) {
 			expected:  oktaProvider,
 		},
 		{
-			name:      "Keycloak provider detection",
+			name:      "Keycloak provider detection (legacy /auth/realms/)",
 			issuerURL: "https://auth.example.com/auth/realms/master",
 			expected:  keycloakProvider,
 		},
+		{
+			name:      "Keycloak provider detection (modern /realms/, KC 17+)",
+			issuerURL: "https://auth.example.com/realms/master",
+			expected:  keycloakProvider,
+		},
 		{
 			name:      "AWS Cognito provider detection",
 			issuerURL: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",

internal/providers/warnings.go

@@ -18,16 +18,17 @@ func GetProviderWarnings(providerType ProviderType) []ProviderWarning {
 
 	switch providerType {
 	case ProviderTypeGitHub:
-		warnings = append(warnings, ProviderWarning{
-			ProviderType: ProviderTypeGitHub,
-			Level:        "warning",
-			Message:      "GitHub uses OAuth 2.0, not OpenID Connect. ID tokens are not available. Use access tokens for API calls only.",
-		})
-		warnings = append(warnings, ProviderWarning{
-			ProviderType: ProviderTypeGitHub,
-			Level:        "info",
-			Message:      "GitHub OAuth apps do not support refresh tokens. Users will need to re-authenticate when tokens expire.",
-		})
+		warnings = append(warnings,
+			ProviderWarning{
+				ProviderType: ProviderTypeGitHub,
+				Level:        "warning",
+				Message:      "GitHub uses OAuth 2.0, not OpenID Connect. ID tokens are not available. Use access tokens for API calls only.",
+			},
+			ProviderWarning{
+				ProviderType: ProviderTypeGitHub,
+				Level:        "info",
+				Message:      "GitHub OAuth apps do not support refresh tokens. Users will need to re-authenticate when tokens expire.",
+			})
 
 	case ProviderTypeAuth0:
 		warnings = append(warnings, ProviderWarning{

internal/recovery/metrics.go

@@ -116,7 +116,7 @@ func (re *RetryExecutor) ExecuteWithContext(ctx context.Context, fn func() error
 			// Continue to next attempt
 		case <-ctx.Done():
 			re.RecordFailure()
-			return fmt.Errorf("retry cancelled: %w", ctx.Err())
+			return fmt.Errorf("retry canceled: %w", ctx.Err())
 		}
 	}
 
@@ -301,7 +301,7 @@ func (rm *RecoveryMetrics) GetAllMetrics() map[string]interface{} {
 		}
 	}
 
-	allMetrics["summary"] = map[string]interface{}{
+	summary := map[string]interface{}{
 		"totalMechanisms": len(rm.mechanisms),
 		"totalRequests":   totalRequests,
 		"totalSuccesses":  totalSuccesses,
@@ -310,8 +310,9 @@ func (rm *RecoveryMetrics) GetAllMetrics() map[string]interface{} {
 
 	if totalRequests > 0 {
 		successRate := float64(totalSuccesses) / float64(totalRequests) * 100
-		allMetrics["summary"].(map[string]interface{})["overallSuccessRate"] = fmt.Sprintf("%.2f%%", successRate)
+		summary["overallSuccessRate"] = fmt.Sprintf("%.2f%%", successRate)
 	}
+	allMetrics["summary"] = summary
 
 	return allMetrics
 }

internal/recovery/metrics_test.go

@@ -223,7 +223,7 @@ func TestRetryExecutor_ExecuteWithContext_ContextCancelled(t *testing.T) {
 	wg.Wait()
 
 	if execErr == nil {
-		t.Error("Expected error when context is cancelled")
+		t.Error("Expected error when context is canceled")
 	}
 }
 
@@ -240,7 +240,7 @@ func TestRetryExecutor_ExecuteWithContext_ContextCancelledBeforeStart(t *testing
 	})
 
 	if err == nil {
-		t.Error("Expected error when context is already cancelled")
+		t.Error("Expected error when context is already canceled")
 	}
 }
 
@@ -282,7 +282,7 @@ func TestRetryExecutor_isRetryableError(t *testing.T) {
 		{name: "timeout", err: errors.New("TIMEOUT"), expected: true}, // case insensitive
 		{name: "EOF", err: errors.New("EOF"), expected: false},
 		{name: "random error", err: errors.New("something else"), expected: false},
-		{name: "context cancelled", err: context.Canceled, expected: false},
+		{name: "context canceled", err: context.Canceled, expected: false},
 		{name: "context deadline exceeded", err: context.DeadlineExceeded, expected: false},
 	}
 

jwk.go

@@ -2,6 +2,7 @@ package traefikoidc
 
 import (
 	"context"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
@@ -18,6 +19,18 @@ import (
 	"time"
 )
 
+// parsedKeysSuffix marks the parallel UniversalCache entry that stores
+// pre-parsed public keys for a given JWKS URL.
+const parsedKeysSuffix = ":parsed"
+
+// parsedJWKS holds keys decoded from a JWKSet, indexed by kid. Storing the
+// already-parsed crypto.PublicKey avoids re-running the DER/PEM round trip
+// on every JWT verification — a costly operation under the yaegi interpreter
+// that hosts Traefik plugins.
+type parsedJWKS struct {
+	keys map[string]crypto.PublicKey
+}
+
 // JWK represents a JSON Web Key as defined in RFC 7517.
 // It can represent different key types including RSA, EC, and symmetric keys.
 type JWK struct {
@@ -49,6 +62,7 @@ type JWKCache struct {
 // JWKCacheInterface defines the contract for JWK caching implementations.
 type JWKCacheInterface interface {
 	GetJWKS(ctx context.Context, jwksURL string, httpClient *http.Client) (*JWKSet, error)
+	GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error)
 	Cleanup()
 	Close()
 }
@@ -96,6 +110,62 @@ func (c *JWKCache) GetJWKS(ctx context.Context, jwksURL string, httpClient *http
 	return jwks, nil
 }
 
+// GetPublicKey returns the parsed public key for a given kid, fetching and
+// caching the JWKS plus its derived parsedJWKS on miss. The parsed entry is
+// stored alongside the raw JWKSet under a sibling cache key with the same
+// 1-hour TTL, so both invalidate together when the upstream JWKS rotates.
+func (c *JWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	parsedKey := jwksURL + parsedKeysSuffix
+	if v, found := c.cache.Get(parsedKey); found {
+		if pj, ok := v.(*parsedJWKS); ok {
+			if k, ok := pj.keys[kid]; ok {
+				return k, nil
+			}
+		}
+	}
+
+	jwks, err := c.GetJWKS(ctx, jwksURL, httpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	pj := buildParsedJWKS(jwks)
+	_ = c.cache.Set(parsedKey, pj, 1*time.Hour) // Safe to ignore: cache failures are non-critical
+
+	if k, ok := pj.keys[kid]; ok {
+		return k, nil
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
+// buildParsedJWKS pre-parses every JWK in the set into the matching
+// crypto.PublicKey, indexed by kid. Errors on individual keys are skipped so
+// a single bad key does not block the rest of the keyset.
+func buildParsedJWKS(jwks *JWKSet) *parsedJWKS {
+	out := make(map[string]crypto.PublicKey, len(jwks.Keys))
+	for i := range jwks.Keys {
+		k := &jwks.Keys[i]
+		if k.Kid == "" {
+			continue
+		}
+		var pub crypto.PublicKey
+		var err error
+		switch k.Kty {
+		case "RSA":
+			pub, err = k.ToRSAPublicKey()
+		case "EC":
+			pub, err = k.ToECDSAPublicKey()
+		default:
+			continue
+		}
+		if err != nil {
+			continue
+		}
+		out[k.Kid] = pub
+	}
+	return &parsedJWKS{keys: out}
+}
+
 // Cleanup is a no-op as cleanup is handled by UniversalCache
 func (c *JWKCache) Cleanup() {
 	// Handled internally by UniversalCache
@@ -213,9 +283,9 @@ func (jwk *JWK) ToECDSAPublicKey() (*ecdsa.PublicKey, error) {
 // GetKey finds a key by its ID (kid) in the JWKSet.
 // Returns nil if no key with the given ID is found.
 func (jwks *JWKSet) GetKey(kid string) *JWK {
-	for _, key := range jwks.Keys {
-		if key.Kid == kid {
-			return &key
+	for i := range jwks.Keys {
+		if jwks.Keys[i].Kid == kid {
+			return &jwks.Keys[i]
 		}
 	}
 	return nil

jwt.go

@@ -120,7 +120,7 @@ func getReplayCacheStats() (size int, maxSize int) {
 // Parameters:
 //   - ctx: Parent context for cancellation
 //   - logger: Logger for debug output (can be nil)
-func startReplayCacheCleanup(ctx context.Context, logger *Logger) {
+func startReplayCacheCleanup(_ context.Context, logger *Logger) {
 	registry := GetGlobalTaskRegistry()
 
 	// Define the cleanup task function
@@ -528,6 +528,21 @@ func verifyNotBefore(notBefore float64) error {
 //   - An error if the key parsing fails, the algorithm is unsupported,
 //     or the signature verification fails
 func verifySignature(tokenString string, publicKeyPEM []byte, alg string) error {
+	block, _ := pem.Decode(publicKeyPEM)
+	if block == nil {
+		return fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %w", err)
+	}
+	return verifySignatureWithKey(tokenString, pubKey, alg)
+}
+
+// verifySignatureWithKey verifies a JWT signature using an already-parsed
+// public key, skipping the PEM-encode/decode round trip that verifySignature
+// performs. This is the hot path used by VerifyJWTSignatureAndClaims.
+func verifySignatureWithKey(tokenString string, pubKey crypto.PublicKey, alg string) error {
 	parts := strings.Split(tokenString, ".")
 	if len(parts) != 3 {
 		return fmt.Errorf("invalid token format")
@@ -537,14 +552,6 @@ func verifySignature(tokenString string, publicKeyPEM []byte, alg string) error
 	if err != nil {
 		return fmt.Errorf("failed to decode signature: %w", err)
 	}
-	block, _ := pem.Decode(publicKeyPEM)
-	if block == nil {
-		return fmt.Errorf("failed to parse PEM block containing the public key")
-	}
-	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to parse public key: %w", err)
-	}
 	var hashFunc crypto.Hash
 	switch alg {
 	case "RS256", "PS256", "ES256":

logout.go

@@ -0,0 +1,502 @@
+// Package traefikoidc provides OIDC authentication middleware for Traefik.
+// This file implements OIDC Backchannel Logout (OpenID Connect Back-Channel Logout 1.0)
+// and Front-Channel Logout (OpenID Connect Front-Channel Logout 1.0) functionality.
+package traefikoidc
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const (
+	// logoutTokenType is the expected typ claim for logout tokens
+	// #nosec G101 -- This is a JWT type claim value from OIDC spec, not a credential
+	logoutTokenType = "logout+jwt"
+
+	// sessionInvalidationTTL is how long to remember invalidated sessions
+	// Should be at least as long as your session max age
+	sessionInvalidationTTL = 25 * time.Hour
+)
+
+// LogoutTokenClaims represents the claims in an OIDC logout token
+// as defined in OpenID Connect Back-Channel Logout 1.0
+type LogoutTokenClaims struct {
+	Issuer    string                 `json:"iss"`
+	Subject   string                 `json:"sub,omitempty"`
+	Audience  interface{}            `json:"aud"` // Can be string or []string
+	IssuedAt  int64                  `json:"iat"`
+	JTI       string                 `json:"jti"`
+	Events    map[string]interface{} `json:"events"`
+	SessionID string                 `json:"sid,omitempty"`
+	Nonce     string                 `json:"nonce,omitempty"` // Must NOT be present
+}
+
+// handleBackchannelLogout processes OIDC Backchannel Logout requests.
+// It accepts POST requests with a logout_token parameter containing a JWT
+// that identifies which session(s) to terminate.
+//
+// According to OpenID Connect Back-Channel Logout 1.0:
+// - The logout_token is a JWT signed by the IdP
+// - It contains either a 'sid' (session ID) or 'sub' (subject) claim to identify the session
+// - The RP must validate the token and invalidate the matching session(s)
+//
+// Parameters:
+//   - rw: The HTTP response writer
+//   - req: The HTTP request containing the logout_token
+func (t *TraefikOidc) handleBackchannelLogout(rw http.ResponseWriter, req *http.Request) {
+	t.logger.Debug("Processing backchannel logout request")
+
+	// Backchannel logout must be POST
+	if req.Method != http.MethodPost {
+		t.logger.Errorf("Backchannel logout: invalid method %s, expected POST", req.Method)
+		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Parse form data to get logout_token
+	if err := req.ParseForm(); err != nil {
+		t.logger.Errorf("Backchannel logout: failed to parse form: %v", err)
+		http.Error(rw, "Bad request", http.StatusBadRequest)
+		return
+	}
+
+	logoutToken := req.FormValue("logout_token")
+	if logoutToken == "" {
+		// Also try reading from request body as raw JWT
+		body, err := io.ReadAll(io.LimitReader(req.Body, 64*1024)) // 64KB limit
+		if err == nil && len(body) > 0 {
+			logoutToken = string(body)
+		}
+	}
+
+	if logoutToken == "" {
+		t.logger.Error("Backchannel logout: missing logout_token")
+		http.Error(rw, "logout_token required", http.StatusBadRequest)
+		return
+	}
+
+	// Parse and validate the logout token
+	claims, err := t.validateLogoutToken(logoutToken)
+	if err != nil {
+		t.logger.Errorf("Backchannel logout: token validation failed: %v", err)
+		// Return 400 for invalid token per spec
+		http.Error(rw, "Invalid logout token", http.StatusBadRequest)
+		return
+	}
+
+	// Invalidate session(s) based on sid or sub
+	if err := t.invalidateSession(claims.SessionID, claims.Subject); err != nil {
+		t.logger.Errorf("Backchannel logout: failed to invalidate session: %v", err)
+		http.Error(rw, "Failed to invalidate session", http.StatusInternalServerError)
+		return
+	}
+
+	t.logger.Infof("Backchannel logout: successfully invalidated session (sid=%s, sub=%s)",
+		claims.SessionID, claims.Subject)
+
+	// Return 200 OK with empty body per spec
+	rw.WriteHeader(http.StatusOK)
+}
+
+// handleFrontchannelLogout processes OIDC Front-Channel Logout requests.
+// It accepts GET requests with 'iss' and 'sid' query parameters that identify
+// which session to terminate. The IdP typically loads this URL in an iframe.
+//
+// According to OpenID Connect Front-Channel Logout 1.0:
+// - The request contains 'iss' (issuer) and optionally 'sid' (session ID)
+// - The RP should clear the session and return a response (typically empty or image)
+// - The response must be cacheable to allow the IdP to load it in an iframe
+//
+// Parameters:
+//   - rw: The HTTP response writer
+//   - req: The HTTP request containing iss and sid parameters
+func (t *TraefikOidc) handleFrontchannelLogout(rw http.ResponseWriter, req *http.Request) {
+	t.logger.Debug("Processing front-channel logout request")
+
+	// Front-channel logout should be GET
+	if req.Method != http.MethodGet {
+		t.logger.Errorf("Front-channel logout: invalid method %s, expected GET", req.Method)
+		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Get iss and sid from query parameters
+	iss := req.URL.Query().Get("iss")
+	sid := req.URL.Query().Get("sid")
+
+	// Validate issuer matches our expected issuer
+	t.metadataMu.RLock()
+	expectedIssuer := t.issuerURL
+	t.metadataMu.RUnlock()
+
+	if iss != "" && iss != expectedIssuer {
+		t.logger.Errorf("Front-channel logout: issuer mismatch: got %s, expected %s", iss, expectedIssuer)
+		http.Error(rw, "Invalid issuer", http.StatusBadRequest)
+		return
+	}
+
+	// Must have at least sid for front-channel logout
+	if sid == "" {
+		t.logger.Error("Front-channel logout: missing sid parameter")
+		http.Error(rw, "sid parameter required", http.StatusBadRequest)
+		return
+	}
+
+	// Invalidate the session
+	if err := t.invalidateSession(sid, ""); err != nil {
+		t.logger.Errorf("Front-channel logout: failed to invalidate session: %v", err)
+		http.Error(rw, "Failed to invalidate session", http.StatusInternalServerError)
+		return
+	}
+
+	t.logger.Infof("Front-channel logout: successfully invalidated session (sid=%s)", sid)
+
+	// Return a minimal HTML response that's suitable for iframe loading
+	// Set headers to allow embedding and caching
+	rw.Header().Set("Content-Type", "text/html; charset=utf-8")
+	rw.Header().Set("Cache-Control", "no-cache, no-store")
+	rw.Header().Set("Pragma", "no-cache")
+	// Allow embedding in iframes from any origin (required for front-channel logout)
+	rw.Header().Del("X-Frame-Options")
+	rw.WriteHeader(http.StatusOK)
+	_, _ = rw.Write([]byte("<!DOCTYPE html><html><head><title>Logged Out</title></head><body></body></html>"))
+}
+
+// validateLogoutToken parses and validates a logout token JWT.
+// It verifies the token signature, issuer, audience, and required claims.
+//
+// Parameters:
+//   - tokenString: The raw JWT logout token
+//
+// Returns:
+//   - The parsed logout token claims
+//   - An error if validation fails
+func (t *TraefikOidc) validateLogoutToken(tokenString string) (*LogoutTokenClaims, error) {
+	// Parse the JWT
+	jwt, err := parseJWT(tokenString)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse logout token: %w", err)
+	}
+
+	// Check token type if present
+	if typ, ok := jwt.Header["typ"].(string); ok {
+		// The typ should be "logout+jwt" or omitted
+		if typ != "" && typ != logoutTokenType && typ != "JWT" {
+			return nil, fmt.Errorf("invalid token type: %s", typ)
+		}
+	}
+
+	// Verify signature only (not standard claims - logout tokens don't have 'exp')
+	if err := t.verifyLogoutTokenSignature(jwt, tokenString); err != nil {
+		return nil, fmt.Errorf("signature verification failed: %w", err)
+	}
+
+	// Extract claims
+	claims := &LogoutTokenClaims{}
+	claimsJSON, err := json.Marshal(jwt.Claims)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal claims: %w", err)
+	}
+	if err := json.Unmarshal(claimsJSON, claims); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal claims: %w", err)
+	}
+
+	// Validate required claims
+	t.metadataMu.RLock()
+	expectedIssuer := t.issuerURL
+	t.metadataMu.RUnlock()
+
+	// Validate issuer
+	if claims.Issuer != expectedIssuer {
+		return nil, fmt.Errorf("issuer mismatch: got %s, expected %s", claims.Issuer, expectedIssuer)
+	}
+
+	// Validate audience (must contain our client_id)
+	if !t.validateLogoutTokenAudience(claims.Audience) {
+		return nil, fmt.Errorf("audience validation failed")
+	}
+
+	// Validate iat (issued at) - must be present and not too old
+	if claims.IssuedAt == 0 {
+		return nil, fmt.Errorf("missing iat claim")
+	}
+	iatTime := time.Unix(claims.IssuedAt, 0)
+	// Allow up to 5 minutes clock skew and 10 minutes token age
+	if time.Since(iatTime) > 15*time.Minute {
+		return nil, fmt.Errorf("logout token too old: issued at %v", iatTime)
+	}
+	// Token should not be from the future (with 5 min clock skew tolerance)
+	if iatTime.After(time.Now().Add(5 * time.Minute)) {
+		return nil, fmt.Errorf("logout token issued in the future: %v", iatTime)
+	}
+
+	// Validate events claim - must contain the logout event
+	if claims.Events == nil {
+		return nil, fmt.Errorf("missing events claim")
+	}
+	if _, ok := claims.Events["http://schemas.openid.net/event/backchannel-logout"]; !ok {
+		return nil, fmt.Errorf("missing backchannel-logout event in events claim")
+	}
+
+	// Validate that nonce is NOT present (per spec)
+	if claims.Nonce != "" {
+		return nil, fmt.Errorf("nonce claim must not be present in logout token")
+	}
+
+	// Must have either sid or sub (or both)
+	if claims.SessionID == "" && claims.Subject == "" {
+		return nil, fmt.Errorf("logout token must contain either sid or sub claim")
+	}
+
+	return claims, nil
+}
+
+// validateLogoutTokenAudience checks if the logout token audience contains our client_id
+func (t *TraefikOidc) validateLogoutTokenAudience(aud interface{}) bool {
+	switch v := aud.(type) {
+	case string:
+		return v == t.clientID
+	case []interface{}:
+		for _, a := range v {
+			if s, ok := a.(string); ok && s == t.clientID {
+				return true
+			}
+		}
+	case []string:
+		for _, a := range v {
+			if a == t.clientID {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// verifyLogoutTokenSignature verifies only the signature of a logout token.
+// Unlike VerifyJWTSignatureAndClaims, this does NOT validate standard claims like 'exp'
+// because logout tokens don't have an expiration claim per OIDC Back-Channel Logout spec.
+//
+// Parameters:
+//   - jwt: The parsed JWT structure
+//   - tokenString: The raw token string for signature verification
+//
+// Returns:
+//   - An error if signature verification fails
+func (t *TraefikOidc) verifyLogoutTokenSignature(jwt *JWT, tokenString string) error {
+	t.logger.Debug("Verifying logout token signature")
+
+	// Read jwksURL with RLock
+	t.metadataMu.RLock()
+	jwksURL := t.jwksURL
+	t.metadataMu.RUnlock()
+
+	jwks, err := t.jwkCache.GetJWKS(context.Background(), jwksURL, t.httpClient)
+	if err != nil {
+		return fmt.Errorf("failed to get JWKS: %w", err)
+	}
+
+	if jwks == nil {
+		return fmt.Errorf("JWKS is nil, cannot verify token")
+	}
+
+	kid, ok := jwt.Header["kid"].(string)
+	if !ok || kid == "" {
+		return fmt.Errorf("missing key ID in token header")
+	}
+
+	alg, ok := jwt.Header["alg"].(string)
+	if !ok || alg == "" {
+		return fmt.Errorf("missing algorithm in token header")
+	}
+
+	// Find the matching key in JWKS
+	var matchingKey *JWK
+	for i := range jwks.Keys {
+		if jwks.Keys[i].Kid == kid {
+			matchingKey = &jwks.Keys[i]
+			break
+		}
+	}
+
+	if matchingKey == nil {
+		return fmt.Errorf("no matching public key found for kid: %s", kid)
+	}
+
+	publicKeyPEM, err := jwkToPEM(matchingKey)
+	if err != nil {
+		return fmt.Errorf("failed to convert JWK to PEM: %w", err)
+	}
+
+	if err := verifySignature(tokenString, publicKeyPEM, alg); err != nil {
+		return fmt.Errorf("signature verification failed: %w", err)
+	}
+
+	t.logger.Debug("Logout token signature verified successfully")
+	return nil
+}
+
+// invalidateSession marks a session as invalidated in the session invalidation cache.
+// It stores entries by both sid and sub if available.
+//
+// Parameters:
+//   - sid: The session ID to invalidate (from the 'sid' claim)
+//   - sub: The subject to invalidate (from the 'sub' claim)
+//
+// Returns:
+//   - An error if the invalidation fails
+func (t *TraefikOidc) invalidateSession(sid, sub string) error {
+	if t.sessionInvalidationCache == nil {
+		return fmt.Errorf("session invalidation cache not initialized")
+	}
+
+	now := time.Now().Unix()
+
+	// Store by session ID
+	if sid != "" {
+		key := t.buildSessionInvalidationKey("sid", sid)
+		t.sessionInvalidationCache.Set(key, now, sessionInvalidationTTL)
+		t.logger.Debugf("Invalidated session by sid: %s", sid)
+	}
+
+	// Store by subject (invalidates all sessions for this user)
+	if sub != "" {
+		key := t.buildSessionInvalidationKey("sub", sub)
+		t.sessionInvalidationCache.Set(key, now, sessionInvalidationTTL)
+		t.logger.Debugf("Invalidated session by sub: %s", sub)
+	}
+
+	return nil
+}
+
+// isSessionInvalidated checks if a session has been invalidated via backchannel
+// or front-channel logout.
+//
+// Parameters:
+//   - sid: The session ID to check
+//   - sub: The subject to check
+//   - sessionCreatedAt: When the session was created (to compare against invalidation time)
+//
+// Returns:
+//   - true if the session has been invalidated, false otherwise
+func (t *TraefikOidc) isSessionInvalidated(sid, sub string, sessionCreatedAt time.Time) bool {
+	if t.sessionInvalidationCache == nil {
+		return false
+	}
+
+	// Truncate session creation time to seconds for fair comparison with Unix timestamps
+	sessionCreatedAtSec := sessionCreatedAt.Truncate(time.Second)
+
+	// Check by session ID first (more specific)
+	if sid != "" {
+		key := t.buildSessionInvalidationKey("sid", sid)
+		if val, found := t.sessionInvalidationCache.Get(key); found {
+			if invalidatedAt, ok := val.(int64); ok {
+				// Session was invalidated at or after it was created
+				invalidationTime := time.Unix(invalidatedAt, 0)
+				if !invalidationTime.Before(sessionCreatedAtSec) {
+					t.logger.Debugf("Session invalidated by sid: %s", sid)
+					return true
+				}
+			}
+		}
+	}
+
+	// Check by subject (all sessions for this user)
+	if sub != "" {
+		key := t.buildSessionInvalidationKey("sub", sub)
+		if val, found := t.sessionInvalidationCache.Get(key); found {
+			if invalidatedAt, ok := val.(int64); ok {
+				// Sessions for this subject created at or before invalidation are invalid
+				invalidationTime := time.Unix(invalidatedAt, 0)
+				if !invalidationTime.Before(sessionCreatedAtSec) {
+					t.logger.Debugf("Session invalidated by sub: %s", sub)
+					return true
+				}
+			}
+		}
+	}
+
+	return false
+}
+
+// buildSessionInvalidationKey creates a cache key for session invalidation
+func (t *TraefikOidc) buildSessionInvalidationKey(keyType, value string) string {
+	return fmt.Sprintf("session_invalidation:%s:%s", keyType, value)
+}
+
+// extractSessionInfo extracts sid and sub from an ID token for session tracking
+func (t *TraefikOidc) extractSessionInfo(idToken string) (sid, sub string, createdAt time.Time) {
+	if idToken == "" {
+		return "", "", time.Time{}
+	}
+
+	jwt, err := parseJWT(idToken)
+	if err != nil {
+		return "", "", time.Time{}
+	}
+
+	// Extract sid (session ID)
+	if sidVal, ok := jwt.Claims["sid"].(string); ok {
+		sid = sidVal
+	}
+
+	// Extract sub (subject)
+	if subVal, ok := jwt.Claims["sub"].(string); ok {
+		sub = subVal
+	}
+
+	// Extract iat for session creation time
+	if iatVal, ok := jwt.Claims["iat"].(float64); ok {
+		createdAt = time.Unix(int64(iatVal), 0)
+	} else {
+		// Default to now if iat not present
+		createdAt = time.Now()
+	}
+
+	return sid, sub, createdAt
+}
+
+// determineLogoutPath checks if the given path matches any logout URL
+func (t *TraefikOidc) determineLogoutPath(path string) string {
+	// Check backchannel logout path
+	if t.backchannelLogoutPath != "" && path == t.backchannelLogoutPath {
+		return "backchannel"
+	}
+
+	// Check front-channel logout path
+	if t.frontchannelLogoutPath != "" && path == t.frontchannelLogoutPath {
+		return "frontchannel"
+	}
+
+	// Check regular logout path (for RP-initiated logout)
+	if path == t.logoutURLPath {
+		return "rp"
+	}
+
+	return ""
+}
+
+// normalizeLogoutPath ensures logout paths start with / and prevents open redirects
+func normalizeLogoutPath(path string) string {
+	if path == "" {
+		return ""
+	}
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	// Prevent open redirect: ensure second character is not / or \
+	// This prevents URLs like //example.com or /\example.com from being treated as absolute URLs
+	if len(path) > 1 && (path[1] == '/' || path[1] == '\\') {
+		// Strip leading slashes/backslashes and re-normalize
+		path = strings.TrimLeft(path, "/\\")
+		if path != "" {
+			path = "/" + path
+		}
+	}
+	return path
+}

main.go

@@ -113,12 +113,26 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 		}
 	}
 	// Setup HTTP client
+	caPool, err := config.loadCACertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load CA certificates: %w", err)
+	}
+	if config.InsecureSkipVerify {
+		logger.Errorf("SECURITY WARNING: InsecureSkipVerify is enabled for the OIDC provider. TLS certificate verification is DISABLED. Do not use in production.")
+	}
 	var httpClient *http.Client
 	if config.HTTPClient != nil {
 		httpClient = config.HTTPClient
 	} else {
-		httpClient = CreateDefaultHTTPClient()
+		defaultCfg := DefaultHTTPClientConfig()
+		defaultCfg.RootCAs = caPool
+		defaultCfg.InsecureSkipVerify = config.InsecureSkipVerify
+		httpClient = CreatePooledHTTPClient(defaultCfg)
 	}
+	tokenCfg := TokenHTTPClientConfig()
+	tokenCfg.RootCAs = caPool
+	tokenCfg.InsecureSkipVerify = config.InsecureSkipVerify
+	tokenHTTPClient := CreatePooledHTTPClient(tokenCfg)
 	goroutineWG := &sync.WaitGroup{}
 	cacheManager := GetGlobalCacheManagerWithConfig(goroutineWG, config)
 
@@ -199,7 +213,7 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 		limiter:               rate.NewLimiter(rate.Every(time.Second), config.RateLimit),
 		tokenCache:            cacheManager.GetSharedTokenCache(),
 		httpClient:            httpClient,
-		tokenHTTPClient:       CreateTokenHTTPClient(),
+		tokenHTTPClient:       tokenHTTPClient,
 		excludedURLs:          createStringMap(config.ExcludedURLs),
 		allowedUserDomains:    createStringMap(config.AllowedUserDomains),
 		allowedUsers:          createCaseInsensitiveStringMap(config.AllowedUsers),
@@ -212,16 +226,30 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 			}
 			return 60 * time.Second
 		}(),
-		tokenCleanupStopChan:    make(chan struct{}),
-		metadataRefreshStopChan: make(chan struct{}),
-		ctx:                     pluginCtx,
-		cancelFunc:              cancelFunc,
-		suppressDiagnosticLogs:  isTestMode(),
-		securityHeadersApplier:  config.GetSecurityHeadersApplier(),
-		scopeFilter:             NewScopeFilter(logger), // NEW - for discovery-based scope filtering
-		dcrConfig:               config.DynamicClientRegistration,
-		allowPrivateIPAddresses: config.AllowPrivateIPAddresses,
-		minimalHeaders:          config.MinimalHeaders,
+		maxRefreshTokenAge: func() time.Duration {
+			// 0 (or unset) disables the heuristic; negative is rejected by Validate.
+			if config.MaxRefreshTokenAgeSeconds > 0 {
+				return time.Duration(config.MaxRefreshTokenAgeSeconds) * time.Second
+			}
+			return 0
+		}(),
+		tokenCleanupStopChan:     make(chan struct{}),
+		metadataRefreshStopChan:  make(chan struct{}),
+		ctx:                      pluginCtx,
+		cancelFunc:               cancelFunc,
+		suppressDiagnosticLogs:   isTestMode(),
+		securityHeadersApplier:   config.GetSecurityHeadersApplier(),
+		scopeFilter:              NewScopeFilter(logger), // NEW - for discovery-based scope filtering
+		dcrConfig:                config.DynamicClientRegistration,
+		allowPrivateIPAddresses:  config.AllowPrivateIPAddresses,
+		minimalHeaders:           config.MinimalHeaders,
+		stripAuthCookies:         config.StripAuthCookies,
+		enableBackchannelLogout:  config.EnableBackchannelLogout,
+		enableFrontchannelLogout: config.EnableFrontchannelLogout,
+		backchannelLogoutPath:    normalizeLogoutPath(config.BackchannelLogoutURL),
+		frontchannelLogoutPath:   normalizeLogoutPath(config.FrontchannelLogoutURL),
+		sessionInvalidationCache: cacheManager.GetSharedSessionInvalidationCache(),
+		refreshResultCache:       cacheManager.GetSharedRefreshResultCache(),
 	}
 
 	// Log audience configuration
@@ -240,6 +268,11 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 	tokenResilienceConfig := DefaultTokenResilienceConfig()
 	t.tokenResilienceManager = NewTokenResilienceManager(tokenResilienceConfig, t.logger)
 
+	// Coalesces concurrent refresh-token grants per refresh_token to one upstream
+	// call, preventing the thundering herd that yields invalid_grant when the IdP
+	// rotates refresh tokens (Zitadel/Authentik default).
+	t.refreshCoordinator = NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), t.logger)
+
 	t.extractClaimsFunc = extractClaims
 	t.initiateAuthenticationFunc = func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
 		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
@@ -287,17 +320,22 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 
 	startReplayCacheCleanup(pluginCtx, logger)
 
-	// Start memory monitoring for leak detection and performance insights
+	// Start memory monitoring for leak detection and performance insights.
+	// The interval is clamped to MinMemoryMonitorInterval (30s) inside
+	// StartMonitoring; tests that need deterministic sampling should call
+	// MemoryMonitor.Refresh() directly instead of waiting on a fast ticker.
 	memoryMonitor := GetGlobalMemoryMonitor()
-	monitorInterval := 60 * time.Second
-	if isTestMode() {
-		monitorInterval = 100 * time.Millisecond // Fast interval for tests
-	}
-	memoryMonitor.StartMonitoring(pluginCtx, monitorInterval)
+	memoryMonitor.StartMonitoring(pluginCtx, DefaultMemoryMonitorInterval)
 	logger.Debug("Started global memory monitoring")
 
 	logger.Debugf("TraefikOidc.New: Final t.scopes initialized to: %v", t.scopes)
 
+	// Log callback URL configuration to help diagnose redirect loop issues.
+	// If callbackURL is a full URL instead of a path, the callback matching
+	// in ServeHTTP will silently fail because req.URL.Path is compared directly.
+	logger.Debugf("TraefikOidc.New: callbackURL (redirURLPath) configured as: %q", t.redirURLPath)
+	logger.Debugf("TraefikOidc.New: logoutURLPath configured as: %q", t.logoutURLPath)
+
 	t.providerURL = config.ProviderURL
 
 	// Use singleton resource manager for metadata initialization

main_coverage_boost_test.go

@@ -9,7 +9,7 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-// Config Marshalling Tests
+// Config Marshaling Tests
 
 func TestConfig_MarshalJSON(t *testing.T) {
 	config := &Config{

main_servehttp_test.go

@@ -710,3 +710,344 @@ func TestMinimalHeaders_TokenHeaderNotSet(t *testing.T) {
 		t.Error("expected X-Auth-Request-Redirect to NOT be set with minimalHeaders=true")
 	}
 }
+
+// TestStripAuthCookies tests the stripAuthCookies configuration option.
+// This addresses GitHub issue #122 - OIDC cookies bloating backend requests.
+func TestStripAuthCookies(t *testing.T) {
+	tests := []struct {
+		name              string
+		stripAuthCookies  bool
+		expectOIDCCookies bool
+		expectAppCookies  bool
+	}{
+		{
+			name:              "stripAuthCookies=false (default) forwards all cookies",
+			stripAuthCookies:  false,
+			expectOIDCCookies: true,
+			expectAppCookies:  true,
+		},
+		{
+			name:              "stripAuthCookies=true strips OIDC cookies but keeps app cookies",
+			stripAuthCookies:  true,
+			expectOIDCCookies: false,
+			expectAppCookies:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var capturedCookies []*http.Cookie
+
+			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				capturedCookies = r.Cookies()
+				w.WriteHeader(http.StatusOK)
+			})
+
+			sessionManager := createTestSessionManager(t)
+			cookiePrefix := sessionManager.GetCookiePrefix()
+
+			oidc := &TraefikOidc{
+				next:                   next,
+				logger:                 NewLogger("debug"),
+				initComplete:           make(chan struct{}),
+				sessionManager:         sessionManager,
+				firstRequestReceived:   true,
+				metadataRefreshStarted: true,
+				issuerURL:              "https://provider.example.com",
+				stripAuthCookies:       tt.stripAuthCookies,
+				extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+					return map[string]interface{}{
+						"email": "user@example.com",
+					}, nil
+				},
+			}
+			close(oidc.initComplete)
+
+			req := httptest.NewRequest("GET", "/protected", nil)
+			rw := httptest.NewRecorder()
+
+			// Get a valid session first (before adding fake cookies)
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
+			session.SetEmail("user@example.com")
+			session.SetAuthenticated(true)
+
+			// Now add OIDC session cookies (simulating what the browser would send)
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "m", Value: "session-data"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_0", Value: "chunk0"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_1", Value: "chunk1"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "a", Value: "access-token"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "r", Value: "refresh-token"})
+
+			// Add non-OIDC application cookies (these must always pass through)
+			req.AddCookie(&http.Cookie{Name: "my_app_session", Value: "app-session-id"})
+			req.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
+
+			oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+			// Check for OIDC cookies in captured cookies
+			hasOIDCCookie := false
+			hasAppSession := false
+			hasTheme := false
+			for _, c := range capturedCookies {
+				if len(c.Name) >= len(cookiePrefix) && c.Name[:len(cookiePrefix)] == cookiePrefix {
+					hasOIDCCookie = true
+				}
+				if c.Name == "my_app_session" {
+					hasAppSession = true
+				}
+				if c.Name == "theme" {
+					hasTheme = true
+				}
+			}
+
+			if tt.expectOIDCCookies && !hasOIDCCookie {
+				t.Error("expected OIDC cookies to be forwarded to backend")
+			}
+			if !tt.expectOIDCCookies && hasOIDCCookie {
+				t.Error("expected OIDC cookies to be stripped before forwarding to backend")
+			}
+
+			if tt.expectAppCookies && !hasAppSession {
+				t.Error("expected my_app_session cookie to be forwarded to backend")
+			}
+			if tt.expectAppCookies && !hasTheme {
+				t.Error("expected theme cookie to be forwarded to backend")
+			}
+		})
+	}
+}
+
+// TestStripAuthCookies_NoCookies verifies stripping works when the request has no cookies.
+func TestStripAuthCookies_NoCookies(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetEmail("user@example.com")
+	session.SetAuthenticated(true)
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 0 {
+		t.Errorf("expected no cookies, got %d", len(capturedCookies))
+	}
+}
+
+// TestStripAuthCookies_OnlyOIDCCookies verifies that when all cookies are OIDC cookies,
+// the Cookie header is empty after stripping.
+func TestStripAuthCookies_OnlyOIDCCookies(t *testing.T) {
+	var capturedCookieHeader string
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookieHeader = r.Header.Get("Cookie")
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	cookiePrefix := sessionManager.GetCookiePrefix()
+
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetEmail("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add only OIDC cookies
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "m", Value: "session-data"})
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_0", Value: "chunk0"})
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "a", Value: "access-token"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 0 {
+		t.Errorf("expected all cookies to be stripped, got %d", len(capturedCookies))
+	}
+	if capturedCookieHeader != "" {
+		t.Errorf("expected empty Cookie header, got %q", capturedCookieHeader)
+	}
+}
+
+// TestStripAuthCookies_OnlyAppCookies verifies that non-OIDC cookies pass through
+// untouched when stripping is enabled.
+func TestStripAuthCookies_OnlyAppCookies(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetEmail("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add only non-OIDC cookies
+	req.AddCookie(&http.Cookie{Name: "my_app_session", Value: "abc123"})
+	req.AddCookie(&http.Cookie{Name: "lang", Value: "en"})
+	req.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 3 {
+		t.Errorf("expected 3 cookies, got %d", len(capturedCookies))
+	}
+
+	cookieNames := make(map[string]bool)
+	for _, c := range capturedCookies {
+		cookieNames[c.Name] = true
+	}
+	for _, expected := range []string{"my_app_session", "lang", "theme"} {
+		if !cookieNames[expected] {
+			t.Errorf("expected cookie %q to be forwarded", expected)
+		}
+	}
+}
+
+// TestStripAuthCookies_CustomPrefix verifies stripping works with a custom cookie prefix.
+func TestStripAuthCookies_CustomPrefix(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	// Create session manager with custom prefix
+	sm, err := NewSessionManager("test-encryption-key-32-characters", false, "", "myapp_oidc_", 0, NewLogger("debug"))
+	if err != nil {
+		t.Fatalf("Failed to create session manager: %v", err)
+	}
+	customPrefix := sm.GetCookiePrefix()
+
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sm,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sm.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetEmail("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add cookies with the custom prefix (should be stripped)
+	req.AddCookie(&http.Cookie{Name: customPrefix + "m", Value: "session-data"})
+	req.AddCookie(&http.Cookie{Name: customPrefix + "s_0", Value: "chunk0"})
+
+	// Add default-prefix cookie (should NOT be stripped — different prefix)
+	req.AddCookie(&http.Cookie{Name: "_oidc_raczylo_m", Value: "other-session"})
+
+	// Add app cookie (should NOT be stripped)
+	req.AddCookie(&http.Cookie{Name: "my_app", Value: "val"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	cookieNames := make(map[string]bool)
+	for _, c := range capturedCookies {
+		cookieNames[c.Name] = true
+	}
+
+	// Custom prefix cookies should be stripped
+	if cookieNames[customPrefix+"m"] {
+		t.Errorf("expected cookie %q to be stripped", customPrefix+"m")
+	}
+	if cookieNames[customPrefix+"s_0"] {
+		t.Errorf("expected cookie %q to be stripped", customPrefix+"s_0")
+	}
+
+	// Default prefix cookie should pass through (different prefix)
+	if !cookieNames["_oidc_raczylo_m"] {
+		t.Error("expected _oidc_raczylo_m cookie to pass through (different prefix)")
+	}
+
+	// App cookie should pass through
+	if !cookieNames["my_app"] {
+		t.Error("expected my_app cookie to pass through")
+	}
+}

main_test.go

@@ -208,6 +208,32 @@ func (m *MockJWKCache) GetJWKS(ctx context.Context, jwksURL string, httpClient *
 	return m.JWKS, m.Err
 }
 
+func (m *MockJWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	if m.Err != nil {
+		return nil, m.Err
+	}
+	if m.JWKS == nil {
+		return nil, fmt.Errorf("JWKS is nil")
+	}
+	for i := range m.JWKS.Keys {
+		k := &m.JWKS.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		default:
+			return nil, fmt.Errorf("unsupported key type: %s", k.Kty)
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (m *MockJWKCache) Cleanup() {
 	// Mock cleanup is a no-op - we don't want to destroy the mock JWKS data
 	// Real cleanup is for expired entries, not resetting all data

memory_leak_fixes.go

@@ -9,13 +9,18 @@ import (
 // LazyBackgroundTask wraps BackgroundTask to provide delayed initialization.
 // This prevents memory leaks from unnecessary background tasks by starting
 // them only when actually needed, reducing resource usage in idle scenarios.
+//
+// Lifecycle is one-shot: once Stop has been called the task cannot be
+// restarted. The underlying BackgroundTask uses sync.Once for Start and
+// refuses to re-run after Stop, so restart is not supported by design.
 type LazyBackgroundTask struct {
 	// BackgroundTask is the underlying task implementation
 	*BackgroundTask
-	// started tracks whether the task has been activated
+	// mu guards the started flag against concurrent StartIfNeeded / Stop calls.
+	mu sync.Mutex
+	// started tracks whether the task has been activated.
+	// Only mutated while holding mu.
 	started bool
-	// startOnce ensures single initialization
-	startOnce sync.Once
 }
 
 // NewLazyBackgroundTask creates a background task that doesn't start immediately.
@@ -29,24 +34,28 @@ func NewLazyBackgroundTask(name string, interval time.Duration, taskFunc func(),
 }
 
 // StartIfNeeded starts the background task only if it hasn't been started yet.
-// Uses sync.Once to ensure thread-safe single initialization.
+// Safe to call concurrently. After Stop has been called this is a no-op;
+// the task is not restartable.
 func (lt *LazyBackgroundTask) StartIfNeeded() {
-	lt.startOnce.Do(func() {
-		if !lt.started {
-			lt.BackgroundTask.Start()
-			lt.started = true
-		}
-	})
+	lt.mu.Lock()
+	defer lt.mu.Unlock()
+	if lt.started {
+		return
+	}
+	lt.BackgroundTask.Start()
+	lt.started = true
 }
 
 // Stop stops the background task if it was started.
-// Resets the start state to allow potential future re-initialization.
+// Once stopped, the task cannot be restarted (see type doc).
 func (lt *LazyBackgroundTask) Stop() {
-	if lt.started {
-		lt.BackgroundTask.Stop()
-		lt.started = false
-		lt.startOnce = sync.Once{}
+	lt.mu.Lock()
+	defer lt.mu.Unlock()
+	if !lt.started {
+		return
 	}
+	lt.BackgroundTask.Stop()
+	lt.started = false
 }
 
 // NewLazyCacheWithLogger creates a cache that doesn't start cleanup until first use.

memory_monitor.go

@@ -58,13 +58,21 @@ func (mpl MemoryPressureLevel) String() string {
 	}
 }
 
-// MemoryMonitor provides comprehensive memory monitoring and alerting
+// MemoryMonitor provides comprehensive memory monitoring and alerting.
+//
+// Memory sampling is expensive: runtime.ReadMemStats is a stop-the-world
+// operation. To keep latency predictable the monitor caches the most recent
+// sample and only refreshes it when the background ticker fires, when TriggerGC
+// is invoked, or when a caller explicitly calls Refresh(). GetCurrentStats is a
+// cheap read of that cached sample.
 type MemoryMonitor struct {
 	lastGCTime         time.Time
 	startTime          time.Time
 	lastStats          *MemoryStats
+	cachedMemStats     runtime.MemStats
 	logger             *Logger
 	alertThresholds    MemoryAlertThresholds
+	config             MemoryMonitorConfig
 	baselineGoroutines int
 	baselineHeap       uint64
 	heapGrowthRate     float64
@@ -84,6 +92,30 @@ type MemoryAlertThresholds struct {
 	GCFrequency         float64 // Alert when GC frequency exceeds this per minute
 }
 
+// MemoryMonitorConfig configures the memory monitor's scheduling behavior.
+// Thresholds are kept separate in MemoryAlertThresholds.
+type MemoryMonitorConfig struct {
+	// Interval between background samples. Must be >= MinMemoryMonitorInterval
+	// (30s). Values below the minimum are clamped when monitoring starts.
+	Interval time.Duration
+}
+
+// Default and minimum interval values. The minimum exists because
+// runtime.ReadMemStats is stop-the-world and hammering it on a hot loop causes
+// noticeable latency spikes, especially under yaegi.
+const (
+	DefaultMemoryMonitorInterval = 60 * time.Second
+	MinMemoryMonitorInterval     = 30 * time.Second
+)
+
+// DefaultMemoryMonitorConfig returns a config with sensible production
+// defaults.
+func DefaultMemoryMonitorConfig() MemoryMonitorConfig {
+	return MemoryMonitorConfig{
+		Interval: DefaultMemoryMonitorInterval,
+	}
+}
+
 // DefaultMemoryAlertThresholds returns sensible default alert thresholds
 func DefaultMemoryAlertThresholds() MemoryAlertThresholds {
 	return MemoryAlertThresholds{
@@ -95,35 +127,82 @@ func DefaultMemoryAlertThresholds() MemoryAlertThresholds {
 	}
 }
 
-// NewMemoryMonitor creates a new memory monitor
+// NewMemoryMonitor creates a new memory monitor using default scheduling
+// configuration. See NewMemoryMonitorWithConfig for full control.
 func NewMemoryMonitor(logger *Logger, thresholds MemoryAlertThresholds) *MemoryMonitor {
+	return NewMemoryMonitorWithConfig(logger, thresholds, DefaultMemoryMonitorConfig())
+}
+
+// NewMemoryMonitorWithConfig creates a new memory monitor with an explicit
+// scheduling config.
+//
+// NOTE: the constructor performs a single runtime.ReadMemStats call to capture
+// baseline heap / goroutine / GC counters used for leak and growth detection.
+// This is a one-time stop-the-world cost at startup; all subsequent samples
+// only happen on the monitoring ticker or on explicit Refresh() calls.
+func NewMemoryMonitorWithConfig(logger *Logger, thresholds MemoryAlertThresholds, config MemoryMonitorConfig) *MemoryMonitor {
 	if logger == nil {
 		logger = GetSingletonNoOpLogger()
 	}
 
+	if config.Interval <= 0 {
+		config.Interval = DefaultMemoryMonitorInterval
+	}
+
+	// One-time initial sample to seed baselines used for growth / leak
+	// detection. All subsequent sampling is gated by the monitoring ticker or
+	// explicit Refresh() calls.
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 
-	return &MemoryMonitor{
+	mm := &MemoryMonitor{
 		logger:             logger,
 		startTime:          time.Now(),
 		alertThresholds:    thresholds,
+		config:             config,
 		baselineHeap:       memStats.HeapAlloc,
 		baselineGoroutines: runtime.NumGoroutine(),
 		// #nosec G115 -- LastGC nanoseconds fits in int64 for centuries
 		lastGCTime:  time.Unix(0, int64(memStats.LastGC)),
 		lastGCCount: memStats.NumGC,
 	}
+	mm.cachedMemStats = memStats
+	return mm
 }
 
-// GetCurrentStats collects current memory statistics
+// GetCurrentStats returns the most recently sampled memory statistics.
+//
+// This is a cheap cached read: it does NOT call runtime.ReadMemStats. Samples
+// are refreshed only by the monitoring ticker or by an explicit call to
+// Refresh(). If no sample has been produced yet, stats derived from the
+// constructor-time raw sample are returned (with no additional STW cost).
 func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
+	mm.mu.RLock()
+	stats := mm.lastStats
+	mm.mu.RUnlock()
+	if stats != nil {
+		return stats
+	}
+	return mm.buildStatsFromCache()
+}
+
+// Refresh synchronously samples current memory statistics via
+// runtime.ReadMemStats and updates the cached value. This is the only path
+// (other than the monitoring ticker and TriggerGC) that pays the stop-the-world
+// cost. Use it in tests or in callers that explicitly need a fresh sample.
+func (mm *MemoryMonitor) Refresh() *MemoryStats {
+	return mm.sample()
+}
+
+// sample performs a stop-the-world ReadMemStats, updates the cached raw stats,
+// computes a derived MemoryStats snapshot, and stores it as lastStats.
+func (mm *MemoryMonitor) sample() *MemoryStats {
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 
 	now := time.Now()
 
-	// Calculate GC frequency
+	// Calculate GC frequency relative to the previous snapshot.
 	gcFrequency := 0.0
 	mm.mu.RLock()
 	lastStats := mm.lastStats
@@ -168,6 +247,7 @@ func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
 	mm.updateHeapGrowthTracking(stats)
 
 	mm.mu.Lock()
+	mm.cachedMemStats = memStats
 	mm.lastStats = stats
 	mm.lastGCCount = memStats.NumGC
 	mm.mu.Unlock()
@@ -175,6 +255,35 @@ func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
 	return stats
 }
 
+// buildStatsFromCache constructs a MemoryStats snapshot from the cached raw
+// runtime.MemStats without issuing a new ReadMemStats call. Used as a fallback
+// when GetCurrentStats is called before the first sample() has completed.
+func (mm *MemoryMonitor) buildStatsFromCache() *MemoryStats {
+	mm.mu.RLock()
+	memStats := mm.cachedMemStats
+	mm.mu.RUnlock()
+
+	stats := &MemoryStats{
+		HeapAllocBytes:    memStats.HeapAlloc,
+		HeapSysBytes:      memStats.HeapSys,
+		HeapIdleBytes:     memStats.HeapIdle,
+		HeapInuseBytes:    memStats.HeapInuse,
+		HeapReleasedBytes: memStats.HeapReleased,
+		HeapObjects:       memStats.HeapObjects,
+		StackInuseBytes:   memStats.StackInuse,
+		StackSysBytes:     memStats.StackSys,
+		GCSysBytes:        memStats.GCSys,
+		NumGoroutines:     runtime.NumGoroutine(),
+		// #nosec G115 -- LastGC nanoseconds fits in int64 for centuries
+		LastGCTime:  time.Unix(0, int64(memStats.LastGC)),
+		GCFrequency: 0.0,
+		Timestamp:   time.Now(),
+	}
+	mm.collectApplicationStats(stats)
+	stats.MemoryPressure = mm.calculateMemoryPressure(stats)
+	return stats
+}
+
 // collectApplicationStats gathers application-specific memory stats
 func (mm *MemoryMonitor) collectApplicationStats(stats *MemoryStats) {
 	// Get session count from ChunkManager if available
@@ -229,7 +338,7 @@ func (mm *MemoryMonitor) updateGoroutineTracking(stats *MemoryStats) {
 	}
 
 	// Check for potential goroutine leak
-	if stats.NumGoroutines > mm.baselineGoroutines+int(mm.alertThresholds.GoroutineCount) {
+	if stats.NumGoroutines > mm.baselineGoroutines+mm.alertThresholds.GoroutineCount {
 		mm.mu.Lock()
 		wasAlert := mm.goroutineLeakAlert
 		if !wasAlert {
@@ -302,7 +411,16 @@ var (
 	globalMonitoringMutex   sync.Mutex
 )
 
-// StartMonitoring starts continuous memory monitoring as a global singleton
+// StartMonitoring starts continuous memory monitoring as a global singleton.
+//
+// The effective interval is resolved as follows:
+//  1. If the caller passes a positive interval, that is used.
+//  2. Otherwise the configured MemoryMonitorConfig.Interval is used.
+//  3. Otherwise the built-in default (60s) is used.
+//
+// The result is then clamped to a minimum of MinMemoryMonitorInterval (30s) to
+// avoid stop-the-world ReadMemStats storms. Callers that need rapid updates in
+// tests should call Refresh() directly instead of spinning the ticker fast.
 func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Duration) {
 	globalMonitoringMutex.Lock()
 	defer globalMonitoringMutex.Unlock()
@@ -316,7 +434,17 @@ func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Dura
 	}
 
 	if interval <= 0 {
-		interval = 30 * time.Second
+		interval = mm.config.Interval
+	}
+	if interval <= 0 {
+		interval = DefaultMemoryMonitorInterval
+	}
+	if interval < MinMemoryMonitorInterval {
+		if !isTestMode() {
+			mm.logger.Debug("Memory monitor interval %v is below minimum %v; clamping",
+				interval, MinMemoryMonitorInterval)
+		}
+		interval = MinMemoryMonitorInterval
 	}
 
 	registry := GetGlobalTaskRegistry()
@@ -325,7 +453,7 @@ func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Dura
 		"memory-monitor",
 		interval,
 		func() {
-			stats := mm.GetCurrentStats()
+			stats := mm.sample()
 			mm.LogMemoryStats(stats)
 			mm.checkAlerts(stats)
 		},
@@ -369,14 +497,16 @@ func (mm *MemoryMonitor) checkAlerts(stats *MemoryStats) {
 	}
 }
 
-// TriggerGC forces garbage collection and logs the impact
+// TriggerGC forces garbage collection and logs the impact. Both the before and
+// after measurements are fresh samples (explicit Refresh() calls) because the
+// comparison is meaningless against a stale cached snapshot.
 func (mm *MemoryMonitor) TriggerGC() {
-	before := mm.GetCurrentStats()
+	before := mm.Refresh()
 
 	runtime.GC()
 	runtime.GC() // Run twice to ensure full collection
 
-	after := mm.GetCurrentStats()
+	after := mm.Refresh()
 
 	// #nosec G115 -- heap allocation bytes fit in int64 for practical purposes
 	freedBytes := int64(before.HeapAllocBytes) - int64(after.HeapAllocBytes)

middleware.go

@@ -13,6 +13,63 @@ import (
 	"github.com/lukaszraczylo/traefikoidc/internal/utils"
 )
 
+// bypassReason describes why a request is being forwarded without OIDC auth.
+// It is only used for logging and to decide whether extra SSE-specific work
+// (propagating the user header from an existing session) should run.
+const (
+	bypassReasonExcluded = "excluded-url"
+	bypassReasonSSE      = "sse"
+)
+
+// shouldBypassAuth decides whether a request must skip OIDC authentication
+// entirely. It returns (true, reason) when either the request path matches a
+// configured excluded URL or the Accept header asks for a text/event-stream
+// response (SSE). The reason lets ServeHTTP apply any side-effects that are
+// unique to the bypass kind (e.g. propagating user headers for SSE).
+//
+// This must be called BEFORE waiting on t.initComplete so excluded and SSE
+// traffic is never blocked by a slow/broken provider.
+func (t *TraefikOidc) shouldBypassAuth(req *http.Request) (bool, string) {
+	if t.determineExcludedURL(req.URL.Path) {
+		return true, bypassReasonExcluded
+	}
+	if strings.Contains(req.Header.Get("Accept"), "text/event-stream") {
+		return true, bypassReasonSSE
+	}
+	return false, ""
+}
+
+// applySSEUserHeaders attempts to copy the authenticated user's identity from
+// an existing session onto the outgoing SSE request so downstream services
+// can still see who the user is. Failures are logged (not silenced) because
+// they indicate either a corrupt cookie or a misconfigured session manager
+// and are useful for debugging, but they never block the bypass itself.
+func (t *TraefikOidc) applySSEUserHeaders(req *http.Request) {
+	if t.sessionManager == nil {
+		return
+	}
+
+	session, err := t.sessionManager.GetSession(req)
+	if err != nil {
+		// Intentionally not fatal: SSE requests bypass auth, we just lose the
+		// forwarded-user header for this request.
+		t.logger.Debugf("SSE bypass: unable to load session for user header propagation: %v", err)
+		return
+	}
+	defer session.returnToPoolSafely()
+
+	email := session.GetEmail()
+	if email == "" {
+		return
+	}
+
+	req.Header.Set("X-Forwarded-User", email)
+	if !t.minimalHeaders {
+		req.Header.Set("X-Auth-Request-User", email)
+	}
+	t.logger.Debugf("SSE bypass: forwarded user %s from session", email)
+}
+
 // ServeHTTP implements the main middleware logic for processing HTTP requests.
 // It handles the complete OIDC authentication flow including:
 //   - Excluded URL bypass
@@ -26,6 +83,31 @@ import (
 //   - rw: The HTTP response writer.
 //   - req: The incoming HTTP request.
 func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	// Log request entry for debugging routing issues
+	t.logger.Debugf("Incoming request: %s %s", req.Method, req.URL.Path)
+
+	// Handle logout requests early - before waiting for OIDC initialization
+	// This allows users to logout even if the OIDC provider is unavailable
+	if req.URL.Path == t.logoutURLPath {
+		t.logger.Debugf("Logout path matched early: %s", req.URL.Path)
+		t.handleLogout(rw, req)
+		return
+	}
+
+	// Handle backchannel logout (IdP-initiated POST with logout_token)
+	if t.enableBackchannelLogout && t.backchannelLogoutPath != "" && req.URL.Path == t.backchannelLogoutPath {
+		t.logger.Debug("Backchannel logout path matched")
+		t.handleBackchannelLogout(rw, req)
+		return
+	}
+
+	// Handle front-channel logout (IdP-initiated GET with sid/iss in iframe)
+	if t.enableFrontchannelLogout && t.frontchannelLogoutPath != "" && req.URL.Path == t.frontchannelLogoutPath {
+		t.logger.Debug("Front-channel logout path matched")
+		t.handleFrontchannelLogout(rw, req)
+		return
+	}
+
 	if !strings.HasPrefix(req.URL.Path, "/health") {
 		t.firstRequestMutex.Lock()
 		if !t.firstRequestReceived {
@@ -42,6 +124,27 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		t.firstRequestMutex.Unlock()
 	}
 
+	// Evaluate auth-bypass once, before waiting for initialization. Excluded URLs
+	// and SSE requests must not block on provider init. For SSE we additionally
+	// attempt to forward the user identity from an existing session (best
+	// effort) so downstream handlers still see X-Forwarded-User.
+	if bypass, reason := t.shouldBypassAuth(req); bypass {
+		t.logger.Debugf("Bypassing OIDC for %s (%s)", req.URL.Path, reason)
+		if reason == bypassReasonSSE {
+			t.applySSEUserHeaders(req)
+		}
+		t.next.ServeHTTP(rw, req)
+		return
+	}
+
+	// Log waiting for initialization to help diagnose hanging requests
+	t.logger.Debug("Waiting for OIDC provider initialization...")
+
+	// time.NewTimer + Stop avoids leaking a goroutine+channel for 30s on every
+	// request when initComplete fires quickly (would happen with time.After).
+	initTimer := time.NewTimer(30 * time.Second)
+	defer initTimer.Stop()
+
 	select {
 	case <-t.initComplete:
 		// Read issuerURL with RLock
@@ -72,35 +175,13 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		t.logger.Debug("Request canceled while waiting for OIDC initialization")
 		t.sendErrorResponse(rw, req, "Request canceled", http.StatusRequestTimeout)
 		return
-	case <-time.After(30 * time.Second):
+	case <-initTimer.C:
 		t.logger.Error("Timeout waiting for OIDC initialization")
 		t.sendErrorResponse(rw, req, "Timeout waiting for OIDC provider initialization - please try again later", http.StatusServiceUnavailable)
 		return
 	}
 
-	if t.determineExcludedURL(req.URL.Path) {
-		t.logger.Debugf("Request path %s excluded by configuration, bypassing OIDC", req.URL.Path)
-		t.next.ServeHTTP(rw, req)
-		return
-	}
-	acceptHeader := req.Header.Get("Accept")
-	if strings.Contains(acceptHeader, "text/event-stream") {
-		t.logger.Debugf("Request accepts text/event-stream (%s), bypassing OIDC", acceptHeader)
-		// Set forwarded user headers from existing session before bypassing
-		if session, err := t.sessionManager.GetSession(req); err == nil {
-			defer session.returnToPoolSafely()
-			if email := session.GetEmail(); email != "" {
-				req.Header.Set("X-Forwarded-User", email)
-				if !t.minimalHeaders {
-					req.Header.Set("X-Auth-Request-User", email)
-				}
-				t.logger.Debugf("SSE bypass: forwarded user %s from session", email)
-			}
-		}
-		t.next.ServeHTTP(rw, req)
-		return
-	}
-
+	// Bypass checks already ran before the init wait; no need to repeat them.
 	t.sessionManager.CleanupOldCookies(rw, req)
 
 	session, err := t.sessionManager.GetSession(req)
@@ -118,6 +199,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			t.sendErrorResponse(rw, req, "Critical session error", http.StatusInternalServerError)
 			return
 		}
+		// Sub-resource requests (script/image/fetch/serviceWorker) must not
+		// trigger an OIDC redirect from this path either: they would overwrite
+		// any in-flight CSRF/nonce in the session. Let the next HTML navigation
+		// initiate the flow. See issue #129.
+		if t.isAjaxRequest(req) || t.isNonNavigationRequest(req) {
+			t.sendErrorResponse(rw, req, "Authentication required", http.StatusUnauthorized)
+			return
+		}
 		scheme := utils.DetermineScheme(req, t.forceHTTPS)
 		host := utils.DetermineHost(req)
 		redirectURL := buildFullURL(scheme, host, t.redirURLPath)
@@ -131,14 +220,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	host := utils.DetermineHost(req)
 	redirectURL := buildFullURL(scheme, host, t.redirURLPath)
 
-	if req.URL.Path == t.logoutURLPath {
-		t.handleLogout(rw, req)
-		return
-	}
+	// Check if the current request is the OIDC callback
+	t.logger.Debugf("Checking callback URL match: request_path=%q, configured_callback=%q", req.URL.Path, t.redirURLPath)
 	if req.URL.Path == t.redirURLPath {
+		t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%s)", redirectURL)
 		t.handleCallback(rw, req, redirectURL)
 		return
 	}
+	t.logger.Debugf("Callback URL did not match (request_path=%q != configured=%q), continuing auth flow", req.URL.Path, t.redirURLPath)
 
 	authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
 
@@ -171,8 +260,12 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	refreshTokenPresent := session.GetRefreshToken() != ""
 
-	// Check if this is an AJAX request that should receive 401 instead of redirect
-	isAjaxRequest := t.isAjaxRequest(req)
+	// Decide whether to answer with 401 instead of a redirect. AJAX requests
+	// cannot follow a 302 into an IdP, and sub-resource loads (script/image/
+	// fetch/serviceWorker) must not trigger a fresh OIDC flow because parallel
+	// loads would each overwrite the session CSRF/nonce (issue #129). Only
+	// top-level HTML navigations should redirect.
+	isAjaxRequest := t.isAjaxRequest(req) || t.isNonNavigationRequest(req)
 
 	// Check if refresh token is likely expired (older than 6 hours)
 	refreshTokenExpired := refreshTokenPresent && t.isRefreshTokenExpired(session)
@@ -275,6 +368,24 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 		return
 	}
 
+	// Check if session has been invalidated via backchannel or front-channel logout
+	if t.enableBackchannelLogout || t.enableFrontchannelLogout {
+		idToken := session.GetIDToken()
+		if idToken != "" {
+			sid, sub, createdAt := t.extractSessionInfo(idToken)
+			if t.isSessionInvalidated(sid, sub, createdAt) {
+				t.logger.Infof("Session for user %s has been invalidated via IdP-initiated logout", email)
+				// Clear the session and redirect to login
+				if err := session.Clear(req, rw); err != nil {
+					t.logger.Errorf("Error clearing invalidated session: %v", err)
+				}
+				session.ResetRedirectCount()
+				t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+				return
+			}
+		}
+	}
+
 	tokenForClaims := session.GetIDToken()
 	if tokenForClaims == "" {
 		tokenForClaims = session.GetAccessToken()
@@ -337,7 +448,10 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 	}
 
 	if len(t.headerTemplates) > 0 {
-		claims, err := t.extractClaimsFunc(session.GetIDToken())
+		// Reuse claims parsed earlier in this request if the ID token has not
+		// changed. Saves an unnecessary JWT parse on every authenticated
+		// request that uses headerTemplates.
+		claims, err := session.GetIDTokenClaims(t.extractClaimsFunc)
 		if err != nil {
 			t.logger.Errorf("Failed to extract claims from ID Token for template headers: %v", err)
 		} else {
@@ -385,6 +499,22 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 		rw.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 	}
 
+	// Strip OIDC session cookies before forwarding to the backend to prevent
+	// HTTP 431 "Request Header Fields Too Large" errors (GitHub issue #122).
+	if t.stripAuthCookies {
+		prefix := t.sessionManager.GetCookiePrefix()
+		filtered := make([]*http.Cookie, 0, len(req.Cookies()))
+		for _, c := range req.Cookies() {
+			if !strings.HasPrefix(c.Name, prefix) {
+				filtered = append(filtered, c)
+			}
+		}
+		req.Header.Del("Cookie")
+		for _, c := range filtered {
+			req.AddCookie(c)
+		}
+	}
+
 	t.logger.Debugf("Request authorized for user %s, forwarding to next handler", email)
 
 	t.next.ServeHTTP(rw, req)

middleware_edge_cases_test.go

@@ -95,6 +95,38 @@ func TestMiddlewareAJAXRequestHandling(t *testing.T) {
 	}
 }
 
+// TestLogoutWorksWithoutOIDCInitialization tests that logout works even if OIDC provider is unavailable
+// This is critical for allowing users to clear their session when the provider is down
+func TestLogoutWorksWithoutOIDCInitialization(t *testing.T) {
+	oidc := &TraefikOidc{
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}), // Never close to simulate provider unavailable
+		sessionManager:         createTestSessionManager(t),
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		logoutURLPath:          "/logout",
+		postLogoutRedirectURI:  "/",
+		forceHTTPS:             false,
+	}
+	// Note: initComplete is NOT closed, simulating OIDC provider being unavailable
+
+	req := httptest.NewRequest("GET", "/logout", nil)
+	req.Host = "example.com"
+	rw := httptest.NewRecorder()
+
+	oidc.ServeHTTP(rw, req)
+
+	// Should redirect to post-logout URI even without OIDC initialization
+	if rw.Code != http.StatusFound {
+		t.Errorf("Expected redirect (302) for logout, got %d", rw.Code)
+	}
+
+	location := rw.Header().Get("Location")
+	if location == "" {
+		t.Error("Expected Location header for logout redirect")
+	}
+}
+
 // TestMiddlewareDomainRestrictions tests domain-based access control
 // NOTE: Currently commented out due to complex session setup requirements
 // These scenarios are tested indirectly through integration tests

refresh_coordinator.go

@@ -18,7 +18,6 @@ type RefreshCoordinator struct {
 	inFlightRefreshes      map[string]*refreshOperation
 	cleanupTimers          map[string]*time.Timer
 	sessionRefreshAttempts map[string]*refreshAttemptTracker
-	delayedCleanupQueue    chan delayedCleanupItem
 	circuitBreaker         *RefreshCircuitBreaker
 	metrics                *RefreshMetrics
 	logger                 *Logger
@@ -107,12 +106,6 @@ type RefreshMetrics struct {
 	currentInFlightRefreshes int32
 }
 
-// delayedCleanupItem represents an item scheduled for delayed cleanup
-type delayedCleanupItem struct {
-	cleanupAt time.Time
-	tokenHash string
-}
-
 // RefreshCircuitBreaker implements a circuit breaker specifically for refresh operations
 type RefreshCircuitBreaker struct {
 	lastFailureTime time.Time
@@ -143,7 +136,6 @@ func NewRefreshCoordinator(config RefreshCoordinatorConfig, logger *Logger) *Ref
 		metrics:                &RefreshMetrics{},
 		logger:                 logger,
 		stopChan:               make(chan struct{}),
-		delayedCleanupQueue:    make(chan delayedCleanupItem, 1000), // Buffered channel for cleanup items
 		cleanupTimers:          make(map[string]*time.Timer),
 		circuitBreaker: &RefreshCircuitBreaker{
 			config: RefreshCircuitBreakerConfig{
@@ -158,10 +150,6 @@ func NewRefreshCoordinator(config RefreshCoordinatorConfig, logger *Logger) *Ref
 	rc.wg.Add(1)
 	go rc.cleanupRoutine()
 
-	// Start delayed cleanup processor (single goroutine processes all cleanup timers)
-	rc.wg.Add(1)
-	go rc.processDelayedCleanups()
-
 	return rc
 }
 
@@ -234,7 +222,7 @@ func (rc *RefreshCoordinator) CoordinateRefresh(
 // Returns (operation, false, nil) if joined an existing operation
 // Returns (nil, false, error) if the operation was rejected
 func (rc *RefreshCoordinator) getOrCreateOperation(
-	ctx context.Context,
+	_ context.Context,
 	sessionID string,
 	tokenHash string,
 	refreshToken string,
@@ -293,7 +281,7 @@ func (rc *RefreshCoordinator) getOrCreateOperation(
 // executeRefreshAsync performs the actual refresh operation asynchronously
 func (rc *RefreshCoordinator) executeRefreshAsync(
 	operation *refreshOperation,
-	sessionID string,
+	_ string, // sessionID - reserved for future metrics/logging
 	tokenHash string,
 	refreshFunc func() (*TokenResponse, error),
 ) {
@@ -377,35 +365,19 @@ func (rc *RefreshCoordinator) scheduleDelayedCleanup(tokenHash string) {
 	rc.cleanupTimerMu.Unlock()
 }
 
-// performCleanup removes the operation from the in-flight map
+// performCleanup removes the operation from the in-flight map.
+// Idempotent: only decrements the in-flight counter if an entry was actually
+// removed. This guards against any future path accidentally calling cleanup
+// twice for the same tokenHash (which would corrupt the refresh budget).
 func (rc *RefreshCoordinator) performCleanup(tokenHash string) {
 	rc.refreshMutex.Lock()
-	delete(rc.inFlightRefreshes, tokenHash)
+	_, existed := rc.inFlightRefreshes[tokenHash]
+	if existed {
+		delete(rc.inFlightRefreshes, tokenHash)
+	}
 	rc.refreshMutex.Unlock()
-	atomic.AddInt32(&rc.metrics.currentInFlightRefreshes, -1)
-}
-
-// processDelayedCleanups processes delayed cleanup requests from the queue
-// This is a single goroutine that handles all delayed cleanups
-func (rc *RefreshCoordinator) processDelayedCleanups() {
-	defer rc.wg.Done()
-
-	for {
-		select {
-		case item := <-rc.delayedCleanupQueue:
-			// Wait until cleanup time
-			waitDuration := time.Until(item.cleanupAt)
-			if waitDuration > 0 {
-				select {
-				case <-time.After(waitDuration):
-				case <-rc.stopChan:
-					return
-				}
-			}
-			rc.performCleanup(item.tokenHash)
-		case <-rc.stopChan:
-			return
-		}
+	if existed {
+		atomic.AddInt32(&rc.metrics.currentInFlightRefreshes, -1)
 	}
 }
 
@@ -494,15 +466,33 @@ func (rc *RefreshCoordinator) recordRefreshFailure(sessionID string) {
 
 // hashRefreshToken creates a hash of the refresh token for deduplication
 func (rc *RefreshCoordinator) hashRefreshToken(token string) string {
+	return refreshCoordinatorSessionID(token)
+}
+
+// refreshCoordinatorSessionID derives a stable identifier from a refresh token
+// for both deduplication and per-session attempt tracking. Using sha256 of the
+// raw token means each rotation produces a fresh sessionID with its own attempt
+// budget, which is what we want.
+func refreshCoordinatorSessionID(token string) string {
 	hash := sha256.Sum256([]byte(token))
 	return hex.EncodeToString(hash[:])
 }
 
-// isUnderMemoryPressure checks if the system is under memory pressure
+// refreshCoordinatorWaitTimeout caps how long a request may wait for a
+// coordinated refresh result. It is wider than RefreshTimeout so a follower
+// always sees the leader's result instead of timing out independently.
+const refreshCoordinatorWaitTimeout = 35 * time.Second
+
+// isUnderMemoryPressure checks if the system is under memory pressure by
+// consulting the global memory monitor. Returns true when pressure reaches
+// High or Critical, at which point we refuse new refresh operations to
+// avoid aggravating an already-stressed heap.
 func (rc *RefreshCoordinator) isUnderMemoryPressure() bool {
-	// This is a simplified check - in production you'd want to use runtime.MemStats
-	// or system-specific memory monitoring
-	return false // Placeholder - implement actual memory check
+	monitor := GetGlobalMemoryMonitor()
+	if monitor == nil {
+		return false
+	}
+	return monitor.GetMemoryPressure() >= MemoryPressureHigh
 }
 
 // cleanupRoutine periodically cleans up stale tracking entries

refresh_coordinator_wireup_test.go

@@ -0,0 +1,164 @@
+package traefikoidc
+
+import (
+	"context"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+// stubTokenExchanger lets us count how many upstream refresh-token grants
+// happen for a given refresh_token across concurrent middleware-level calls.
+type stubTokenExchanger struct {
+	calls int32
+	delay time.Duration
+	resp  *TokenResponse
+}
+
+func (s *stubTokenExchanger) ExchangeCodeForToken(_ context.Context, _, _, _, _ string) (*TokenResponse, error) {
+	return nil, nil
+}
+
+func (s *stubTokenExchanger) GetNewTokenWithRefreshToken(_ string) (*TokenResponse, error) {
+	atomic.AddInt32(&s.calls, 1)
+	if s.delay > 0 {
+		time.Sleep(s.delay)
+	}
+	return s.resp, nil
+}
+
+func (s *stubTokenExchanger) RevokeTokenWithProvider(_, _ string) error {
+	return nil
+}
+
+// TestCoordinatedTokenRefresh_SingleUpstreamCall verifies the wireup: many
+// concurrent calls to coordinatedTokenRefresh with the same refresh token
+// must collapse to a single tokenExchanger.GetNewTokenWithRefreshToken call.
+//
+// Without the wireup this assertion fails (one upstream call per goroutine).
+func TestCoordinatedTokenRefresh_SingleUpstreamCall(t *testing.T) {
+	stub := &stubTokenExchanger{
+		delay: 100 * time.Millisecond,
+		resp: &TokenResponse{
+			AccessToken:  "new_access",
+			RefreshToken: "new_refresh",
+			IDToken:      "new_id",
+			ExpiresIn:    3600,
+		},
+	}
+
+	logger := NewLogger("error")
+	cfg := DefaultRefreshCoordinatorConfig()
+	cfg.MaxRefreshAttempts = 10000
+	cfg.MaxConcurrentRefreshes = 32
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(cfg, logger),
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	const concurrency = 50
+	var wg sync.WaitGroup
+	wg.Add(concurrency)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	start := make(chan struct{})
+
+	for i := 0; i < concurrency; i++ {
+		go func() {
+			defer wg.Done()
+			<-start
+			resp, err := oidc.coordinatedTokenRefresh(req, "shared_refresh_token")
+			if err != nil {
+				t.Errorf("unexpected error: %v", err)
+				return
+			}
+			if resp == nil || resp.AccessToken != "new_access" {
+				t.Errorf("unexpected response: %+v", resp)
+			}
+		}()
+	}
+
+	close(start)
+	wg.Wait()
+
+	got := atomic.LoadInt32(&stub.calls)
+	// Up to 2 is acceptable to absorb the documented timing slack in the
+	// existing coordinator tests (e.g. operation just cleaned up before a
+	// late goroutine reads the in-flight map). Anything beyond that means
+	// coalescing is broken.
+	if got > 2 {
+		t.Fatalf("expected <=2 upstream refresh calls, got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_FallsBackWithoutCoordinator verifies the nil
+// coordinator path so existing tests that build TraefikOidc literals stay
+// green.
+func TestCoordinatedTokenRefresh_FallsBackWithoutCoordinator(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "ok"},
+	}
+
+	oidc := &TraefikOidc{
+		logger:         NewLogger("error"),
+		tokenExchanger: stub,
+		// refreshCoordinator deliberately nil
+	}
+
+	resp, err := oidc.coordinatedTokenRefresh(nil, "rt")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "ok" {
+		t.Fatalf("unexpected response: %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 1 {
+		t.Fatalf("expected exactly 1 upstream call, got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_DistinctTokensRunInParallel verifies that
+// distinct refresh tokens are not falsely coalesced.
+func TestCoordinatedTokenRefresh_DistinctTokensRunInParallel(t *testing.T) {
+	stub := &stubTokenExchanger{
+		delay: 20 * time.Millisecond,
+		resp:  &TokenResponse{AccessToken: "ok"},
+	}
+
+	logger := NewLogger("error")
+	cfg := DefaultRefreshCoordinatorConfig()
+	cfg.MaxRefreshAttempts = 10000
+	cfg.MaxConcurrentRefreshes = 32
+	cfg.DeduplicationCleanupDelay = 0
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(cfg, logger),
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	const distinct = 8
+	var wg sync.WaitGroup
+	wg.Add(distinct)
+	for i := 0; i < distinct; i++ {
+		i := i
+		go func() {
+			defer wg.Done()
+			_, err := oidc.coordinatedTokenRefresh(nil, refreshCoordinatorSessionID(string(rune('a'+i))))
+			if err != nil {
+				t.Errorf("unexpected error: %v", err)
+			}
+		}()
+	}
+	wg.Wait()
+
+	if got := atomic.LoadInt32(&stub.calls); int(got) != distinct {
+		t.Fatalf("expected %d distinct upstream calls, got %d", distinct, got)
+	}
+}

refresh_distributed_test.go

@@ -0,0 +1,186 @@
+package traefikoidc
+
+import (
+	"context"
+	"errors"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+// inMemoryCache is the smallest CacheInterface that satisfies the cross-
+// replica dedup contract: Set/Get with TTL. Used in place of the universal
+// cache singleton so these tests stay hermetic.
+type inMemoryCache struct {
+	entries map[string]inMemoryCacheEntry
+	mu      sync.Mutex
+}
+
+type inMemoryCacheEntry struct {
+	expiresAt time.Time
+	value     interface{}
+}
+
+func newInMemoryCache() *inMemoryCache {
+	return &inMemoryCache{entries: make(map[string]inMemoryCacheEntry)}
+}
+
+func (c *inMemoryCache) Set(key string, value any, ttl time.Duration) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.entries[key] = inMemoryCacheEntry{value: value, expiresAt: time.Now().Add(ttl)}
+}
+
+func (c *inMemoryCache) Get(key string) (any, bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	e, ok := c.entries[key]
+	if !ok {
+		return nil, false
+	}
+	if time.Now().After(e.expiresAt) {
+		delete(c.entries, key)
+		return nil, false
+	}
+	return e.value, true
+}
+
+func (c *inMemoryCache) Delete(key string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.entries, key)
+}
+
+func (c *inMemoryCache) SetMaxSize(int) {}
+func (c *inMemoryCache) Cleanup()       {}
+func (c *inMemoryCache) Close()         {}
+func (c *inMemoryCache) Size() int {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return len(c.entries)
+}
+func (c *inMemoryCache) Clear() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.entries = map[string]inMemoryCacheEntry{}
+}
+func (c *inMemoryCache) GetStats() map[string]any { return map[string]any{} }
+
+// erroringTokenExchanger always errors - simulates an IdP rejection.
+type erroringTokenExchanger struct {
+	calls int32
+}
+
+func (e *erroringTokenExchanger) ExchangeCodeForToken(_ context.Context, _, _, _, _ string) (*TokenResponse, error) {
+	return nil, errors.New("not used")
+}
+
+func (e *erroringTokenExchanger) GetNewTokenWithRefreshToken(_ string) (*TokenResponse, error) {
+	atomic.AddInt32(&e.calls, 1)
+	return nil, errors.New("invalid_grant")
+}
+
+func (e *erroringTokenExchanger) RevokeTokenWithProvider(_, _ string) error { return nil }
+
+// TestCoordinatedTokenRefresh_CrossReplicaCacheHit simulates a peer Traefik
+// replica having just refreshed: the shared cache already has the result, so
+// this pod must reuse it without ever calling the IdP.
+func TestCoordinatedTokenRefresh_CrossReplicaCacheHit(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "should_not_be_called"},
+	}
+
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+	preExisting := &TokenResponse{
+		AccessToken:  "from_peer",
+		RefreshToken: "rotated_by_peer",
+		IDToken:      "id_from_peer",
+	}
+	rt := "shared_refresh_token"
+	cache.Set(refreshResultCacheKey(refreshCoordinatorSessionID(rt)), preExisting, refreshResultCacheTTL)
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	resp, err := oidc.coordinatedTokenRefresh(httptest.NewRequest("GET", "/", nil), rt)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "from_peer" {
+		t.Fatalf("expected peer-provided response, got %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 0 {
+		t.Fatalf("expected 0 upstream calls (peer already refreshed), got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_PopulatesCrossReplicaCache verifies that on a
+// cache miss the leader stores its result for peers to find within the TTL.
+func TestCoordinatedTokenRefresh_PopulatesCrossReplicaCache(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "fresh_grant"},
+	}
+
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	rt := "fresh_refresh_token"
+	resp, err := oidc.coordinatedTokenRefresh(nil, rt)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "fresh_grant" {
+		t.Fatalf("unexpected response: %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 1 {
+		t.Fatalf("expected 1 upstream call, got %d", got)
+	}
+
+	v, ok := cache.Get(refreshResultCacheKey(refreshCoordinatorSessionID(rt)))
+	if !ok {
+		t.Fatal("expected refresh result to be cached after upstream success")
+	}
+	if tr, ok := v.(*TokenResponse); !ok || tr.AccessToken != "fresh_grant" {
+		t.Fatalf("cached value malformed: %+v", v)
+	}
+}
+
+// TestCoordinatedTokenRefresh_ErrorIsNotCached makes sure we don't poison the
+// dedup cache when the IdP rejects the grant. Peers must run their own
+// refresh; they cannot inherit an error.
+func TestCoordinatedTokenRefresh_ErrorIsNotCached(t *testing.T) {
+	failing := &erroringTokenExchanger{}
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     failing,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	if _, err := oidc.coordinatedTokenRefresh(nil, "doomed_refresh_token"); err == nil {
+		t.Fatal("expected an error from the failing exchanger")
+	}
+	if cache.Size() != 0 {
+		t.Fatalf("error result must not be cached, size=%d", cache.Size())
+	}
+}

refresh_token_expiry_test.go

@@ -0,0 +1,68 @@
+package traefikoidc
+
+import (
+	"testing"
+	"time"
+
+	"github.com/gorilla/sessions"
+)
+
+// sessionWithIssuedAt builds the smallest SessionData that GetRefreshTokenIssuedAt
+// reads from. We can't reuse sessionPool.Get() here because that requires a
+// fully initialized SessionManager - overkill for this unit-level check.
+func sessionWithIssuedAt(t *testing.T, issuedAt time.Time) *SessionData {
+	t.Helper()
+	rs := sessions.NewSession(nil, "refresh")
+	if !issuedAt.IsZero() {
+		rs.Values["issued_at"] = issuedAt.Unix()
+	}
+	return &SessionData{
+		refreshSession:     rs,
+		accessTokenChunks:  make(map[int]*sessions.Session),
+		refreshTokenChunks: make(map[int]*sessions.Session),
+		idTokenChunks:      make(map[int]*sessions.Session),
+	}
+}
+
+func TestIsRefreshTokenExpired_DisabledWhenAgeZero(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 0}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-30*24*time.Hour))
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false when maxRefreshTokenAge is 0")
+	}
+}
+
+func TestIsRefreshTokenExpired_LegacySessionWithoutTimestamp(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: time.Hour}
+	sd := sessionWithIssuedAt(t, time.Time{}) // no issued_at value
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false when issued_at missing (legacy session)")
+	}
+}
+
+func TestIsRefreshTokenExpired_WithinWindow(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 6 * time.Hour}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-1*time.Hour))
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false within max age")
+	}
+}
+
+func TestIsRefreshTokenExpired_BeyondWindow(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 6 * time.Hour}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-7*time.Hour))
+	if !tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=true beyond max age")
+	}
+}
+
+func TestIsRefreshTokenExpired_NilGuards(t *testing.T) {
+	var tr *TraefikOidc
+	if tr.isRefreshTokenExpired(nil) {
+		t.Fatal("nil receiver must not panic and must return false")
+	}
+	tr = &TraefikOidc{maxRefreshTokenAge: time.Hour}
+	if tr.isRefreshTokenExpired(nil) {
+		t.Fatal("nil session must return false")
+	}
+}

session.go

@@ -164,7 +164,7 @@ func decompressCombinedPayload(compressed string) (*combinedSessionPayload, erro
 	if err != nil {
 		return nil, fmt.Errorf("failed to create gzip reader: %w", err)
 	}
-	defer gr.Close()
+	defer func() { _ = gr.Close() }()
 
 	// Limit decompressed size to prevent zip bombs
 	limitedReader := io.LimitReader(gr, 512*1024) // 512KB max
@@ -500,6 +500,11 @@ func (sm *SessionManager) combinedChunkCookieName(chunkIndex int) string {
 	return fmt.Sprintf("%s_%d", sm.combinedCookieName(), chunkIndex)
 }
 
+// GetCookiePrefix returns the cookie prefix used for all OIDC session cookies.
+func (sm *SessionManager) GetCookiePrefix() string {
+	return sm.cookiePrefix
+}
+
 // Shutdown gracefully shuts down the SessionManager and all its background tasks
 func (sm *SessionManager) Shutdown() error {
 	var shutdownErr error
@@ -1211,6 +1216,18 @@ type SessionData struct {
 	dirty bool
 
 	inUse bool
+
+	// cachedClaimsToken is the ID token string whose claims were last parsed and
+	// cached. A lazy, per-request cache to avoid re-parsing the JWT on every
+	// authenticated request (e.g. for headerTemplates). Protected by sessionMutex.
+	cachedClaimsToken string
+
+	// cachedClaims holds the parsed claims for cachedClaimsToken.
+	cachedClaims map[string]interface{}
+
+	// cachedClaimsErr holds the parse error (if any) for cachedClaimsToken so
+	// failures are not retried within the same request.
+	cachedClaimsErr error
 }
 
 // IsDirty returns true if the session data has been modified since it was last loaded or saved.
@@ -1548,9 +1565,10 @@ func (sd *SessionData) Clear(r *http.Request, w http.ResponseWriter) error {
 	}()
 
 	sd.sessionMutex.Lock()
-	defer sd.sessionMutex.Unlock()
-
 	sd.clearAllSessionData(r, true)
+	
+	// Release the lock before calling Save to prevent deadlock
+	sd.sessionMutex.Unlock()
 
 	// This is primarily for testing - in production w will often be nil
 	var err error
@@ -1588,7 +1606,7 @@ func (sd *SessionData) returnToPoolSafely() {
 // Parameters:
 //   - r: The HTTP request context.
 //   - chunks: The map of session chunks (e.g., sd.accessTokenChunks) to clear and expire.
-func (sd *SessionData) clearTokenChunks(r *http.Request, chunks map[int]*sessions.Session) {
+func (sd *SessionData) clearTokenChunks(_ *http.Request, chunks map[int]*sessions.Session) {
 	for _, session := range chunks {
 		clearSessionValues(session, true)
 	}
@@ -1731,6 +1749,12 @@ func (sd *SessionData) Reset() {
 	sd.request = nil
 	sd.useCombinedStorage = true // Reset to use combined storage by default
 
+	// Drop any cached claims so pooled SessionData does not leak claim data
+	// between requests/users.
+	sd.cachedClaimsToken = ""
+	sd.cachedClaims = nil
+	sd.cachedClaimsErr = nil
+
 	// Reset the refresh mutex to ensure clean state
 	// Note: We don't need to lock it since sessionMutex is already held
 	// and this session is not in use by any request
@@ -2508,6 +2532,41 @@ func (sd *SessionData) GetIDToken() string {
 	return sd.getIDTokenUnsafe()
 }
 
+// GetIDTokenClaims returns claims parsed from the current ID token, caching
+// the result on the SessionData so repeated callers within the same request
+// do not re-parse the JWT. The cache is keyed on the ID token string and is
+// cleared when the SessionData is reset (see Reset) or when the ID token
+// changes (e.g. after a refresh).
+//
+// The parser parameter is typically the TraefikOidc.extractClaimsFunc, which
+// lets tests inject mocks just like the direct call it replaces.
+//
+// Returns an empty claims map and a nil error when the session has no ID
+// token, matching the existing "no-op" behavior of the caller sites.
+func (sd *SessionData) GetIDTokenClaims(parser func(string) (map[string]interface{}, error)) (map[string]interface{}, error) {
+	sd.sessionMutex.Lock()
+	defer sd.sessionMutex.Unlock()
+
+	token := sd.getIDTokenUnsafe()
+	if token == "" {
+		// Invalidate any stale cache without running the parser.
+		sd.cachedClaimsToken = ""
+		sd.cachedClaims = nil
+		sd.cachedClaimsErr = nil
+		return nil, nil
+	}
+
+	if sd.cachedClaimsToken == token && (sd.cachedClaims != nil || sd.cachedClaimsErr != nil) {
+		return sd.cachedClaims, sd.cachedClaimsErr
+	}
+
+	claims, err := parser(token)
+	sd.cachedClaimsToken = token
+	sd.cachedClaims = claims
+	sd.cachedClaimsErr = err
+	return claims, err
+}
+
 // getIDTokenUnsafe retrieves the ID token without acquiring locks.
 // Enhanced ID token retrieval with comprehensive integrity checks and chunking support.
 // Used when the session mutex is already held to prevent deadlocks.

session_chunk_manager.go

@@ -926,6 +926,8 @@ func (cm *ChunkManager) detectRepeatedCharacters(token string, config TokenConfi
 //
 // Returns:
 //   - An error if the token is expired or has invalid expiration, nil if valid.
+//
+//nolint:unparam // error return kept for API consistency and future use
 func (cm *ChunkManager) validateTokenExpiration(token string, config TokenConfig) error {
 	if !strings.Contains(token, ".") {
 		return nil

settings.go

@@ -1,6 +1,7 @@
 package traefikoidc
 
 import (
+	"crypto/x509"
 	"fmt"
 	"io"
 	"log"
@@ -54,6 +55,15 @@ type Config struct {
 	AllowedUsers              []string                         `json:"allowedUsers"`
 	Headers                   []TemplatedHeader                `json:"headers"`
 	RefreshGracePeriodSeconds int                              `json:"refreshGracePeriodSeconds"`
+	// MaxRefreshTokenAgeSeconds is a heuristic upper bound on the lifetime of
+	// a stored refresh token. Once the token has been in the session longer
+	// than this, requests treat it as expired up-front - returning 401 to
+	// AJAX callers and triggering full re-auth on navigations - instead of
+	// hammering the IdP with grants that will only fail with invalid_grant.
+	// IdPs do not expose RT TTL on the wire, so this is intentionally a
+	// conservative heuristic; tune to match your provider configuration.
+	// Default 21600 (6h). Set to 0 to disable the check.
+	MaxRefreshTokenAgeSeconds int                              `json:"maxRefreshTokenAgeSeconds"`
 	SessionMaxAge             int                              `json:"sessionMaxAge"`
 	RateLimit                 int                              `json:"rateLimit"`
 	OverrideScopes            bool                             `json:"overrideScopes"`
@@ -65,6 +75,51 @@ type Config struct {
 	ForceHTTPS                bool                             `json:"forceHTTPS"`
 	AllowPrivateIPAddresses   bool                             `json:"allowPrivateIPAddresses,omitempty"`
 	MinimalHeaders            bool                             `json:"minimalHeaders,omitempty"`
+	StripAuthCookies          bool                             `json:"stripAuthCookies,omitempty"`
+	EnableBackchannelLogout   bool                             `json:"enableBackchannelLogout,omitempty"`
+	EnableFrontchannelLogout  bool                             `json:"enableFrontchannelLogout,omitempty"`
+	BackchannelLogoutURL      string                           `json:"backchannelLogoutURL,omitempty"`
+	FrontchannelLogoutURL     string                           `json:"frontchannelLogoutURL,omitempty"`
+	// CACertPath is an optional filesystem path to a PEM-encoded CA bundle used
+	// to verify the OIDC provider's TLS certificate. Use this when the provider
+	// is signed by an internal/private CA that is not in the system trust store.
+	CACertPath string `json:"caCertPath,omitempty"`
+	// CACertPEM is an optional inline PEM-encoded CA bundle, equivalent to
+	// CACertPath but supplied directly in the middleware configuration. Both
+	// may be set; certificates from both sources are combined.
+	CACertPEM string `json:"caCertPEM,omitempty"`
+	// InsecureSkipVerify disables TLS certificate verification for the OIDC
+	// provider. Intended ONLY for local development against self-signed
+	// providers. Enabling this in production is a security hole — prefer
+	// CACertPath/CACertPEM. Emits a loud warning at startup.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+}
+
+// loadCACertPool assembles an x509.CertPool from CACertPath and CACertPEM.
+// Returns (nil, nil) when neither is configured — callers should fall back to
+// the system trust store. Returns a descriptive error if a PEM source is
+// configured but contains no parseable certificates, so misconfigurations
+// surface at startup rather than as unexplained TLS failures at runtime.
+func (c *Config) loadCACertPool() (*x509.CertPool, error) {
+	if c.CACertPath == "" && c.CACertPEM == "" {
+		return nil, nil
+	}
+	pool := x509.NewCertPool()
+	if c.CACertPath != "" {
+		data, err := os.ReadFile(c.CACertPath)
+		if err != nil {
+			return nil, fmt.Errorf("read caCertPath %q: %w", c.CACertPath, err)
+		}
+		if !pool.AppendCertsFromPEM(data) {
+			return nil, fmt.Errorf("caCertPath %q: no valid PEM certificates found", c.CACertPath)
+		}
+	}
+	if c.CACertPEM != "" {
+		if !pool.AppendCertsFromPEM([]byte(c.CACertPEM)) {
+			return nil, fmt.Errorf("caCertPEM: no valid PEM certificates found")
+		}
+	}
+	return pool, nil
 }
 
 // RedisConfig configures Redis cache backend settings for distributed caching.
@@ -201,6 +256,7 @@ func CreateConfig() *Config {
 		EnablePKCE:                false, // PKCE is opt-in
 		OverrideScopes:            false, // Default to appending scopes, not overriding
 		RefreshGracePeriodSeconds: 60,    // Default grace period of 60 seconds
+		MaxRefreshTokenAgeSeconds: 21600, // 6h - conservative heuristic, see field doc
 		SecurityHeaders:           createDefaultSecurityConfig(),
 		Redis:                     nil, // Redis is disabled by default, configure via Traefik or env vars
 	}
@@ -324,6 +380,11 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("refreshGracePeriodSeconds cannot be negative")
 	}
 
+	// Validate refresh-token max-age heuristic
+	if c.MaxRefreshTokenAgeSeconds < 0 {
+		return fmt.Errorf("maxRefreshTokenAgeSeconds cannot be negative")
+	}
+
 	// Validate audience if specified
 	if c.Audience != "" {
 		// Validate audience format - should be a valid identifier or URL
@@ -729,7 +790,18 @@ func (l *Logger) Errorf(format string, args ...interface{}) {
 	l.logError.Printf(format, args...)
 }
 
+// IsDebug reports whether debug-level logging is enabled.
+// Callers should use this to avoid expensive format-string expansion
+// (e.g. on hot paths under yaegi) when debug output would be discarded.
+func (l *Logger) IsDebug() bool {
+	if l == nil || l.logDebug == nil {
+		return false
+	}
+	return l.logDebug.Writer() != io.Discard
+}
+
 // newNoOpLogger creates a logger that discards all output.
+//
 // Deprecated: Use GetSingletonNoOpLogger() instead for better memory efficiency.
 func newNoOpLogger() *Logger {
 	return GetSingletonNoOpLogger()
@@ -744,15 +816,6 @@ func newNoOpLogger() *Logger {
 //   - code: The HTTP status code for the response.
 //   - logger: The Logger instance to use for logging the error.
 //
-// handleError writes an HTTP error response with the specified status code and message.
-// It logs the error and sets appropriate headers before writing the response.
-//
-//lint:ignore U1000 Kept for potential future error handling
-func handleError(w http.ResponseWriter, message string, code int, logger *Logger) {
-	logger.Error("%s", message)
-	http.Error(w, message, code)
-}
-
 // GetSecurityHeadersApplier returns a function that applies security headers
 func (c *Config) GetSecurityHeadersApplier() func(http.ResponseWriter, *http.Request) {
 	if c.SecurityHeaders == nil || !c.SecurityHeaders.Enabled {
@@ -1058,111 +1121,6 @@ func (rc *RedisConfig) ApplyEnvFallbacks() {
 	}
 }
 
-// LoadRedisConfigFromEnv loads Redis configuration from environment variables.
-// Deprecated: Use RedisConfig.ApplyEnvFallbacks() on an existing config instead.
-// This function is kept for backward compatibility but should not be used directly.
-func LoadRedisConfigFromEnv() *RedisConfig {
-	// Check if Redis is enabled
-	enabledStr := os.Getenv("REDIS_ENABLED")
-	if enabledStr == "" || enabledStr == "false" || enabledStr == "0" {
-		return nil
-	}
-
-	config := &RedisConfig{
-		Enabled: true,
-	}
-
-	// Parse numeric values
-	if dbStr := os.Getenv("REDIS_DB"); dbStr != "" {
-		if db, err := strconv.Atoi(dbStr); err == nil {
-			config.DB = db
-		}
-	}
-
-	if poolSizeStr := os.Getenv("REDIS_POOL_SIZE"); poolSizeStr != "" {
-		if poolSize, err := strconv.Atoi(poolSizeStr); err == nil {
-			config.PoolSize = poolSize
-		}
-	}
-
-	if connectTimeoutStr := os.Getenv("REDIS_CONNECT_TIMEOUT"); connectTimeoutStr != "" {
-		if timeout, err := strconv.Atoi(connectTimeoutStr); err == nil {
-			config.ConnectTimeout = timeout
-		}
-	}
-
-	if readTimeoutStr := os.Getenv("REDIS_READ_TIMEOUT"); readTimeoutStr != "" {
-		if timeout, err := strconv.Atoi(readTimeoutStr); err == nil {
-			config.ReadTimeout = timeout
-		}
-	}
-
-	if writeTimeoutStr := os.Getenv("REDIS_WRITE_TIMEOUT"); writeTimeoutStr != "" {
-		if timeout, err := strconv.Atoi(writeTimeoutStr); err == nil {
-			config.WriteTimeout = timeout
-		}
-	}
-
-	// Parse boolean values
-	if enableTLSStr := os.Getenv("REDIS_ENABLE_TLS"); enableTLSStr == "true" || enableTLSStr == "1" {
-		config.EnableTLS = true
-	}
-
-	if skipVerifyStr := os.Getenv("REDIS_TLS_SKIP_VERIFY"); skipVerifyStr == "true" || skipVerifyStr == "1" {
-		config.TLSSkipVerify = true
-	}
-
-	// Parse hybrid mode settings
-	if l1SizeStr := os.Getenv("REDIS_HYBRID_L1_SIZE"); l1SizeStr != "" {
-		if size, err := strconv.Atoi(l1SizeStr); err == nil {
-			config.HybridL1Size = size
-		}
-	}
-
-	if l1MemoryStr := os.Getenv("REDIS_HYBRID_L1_MEMORY_MB"); l1MemoryStr != "" {
-		if memory, err := strconv.ParseInt(l1MemoryStr, 10, 64); err == nil {
-			config.HybridL1MemoryMB = memory
-		}
-	}
-
-	// Parse circuit breaker settings
-	if enableCBStr := os.Getenv("REDIS_ENABLE_CIRCUIT_BREAKER"); enableCBStr == "false" || enableCBStr == "0" {
-		config.EnableCircuitBreaker = false
-	} else {
-		config.EnableCircuitBreaker = true // Default to enabled
-	}
-
-	if cbThresholdStr := os.Getenv("REDIS_CIRCUIT_BREAKER_THRESHOLD"); cbThresholdStr != "" {
-		if threshold, err := strconv.Atoi(cbThresholdStr); err == nil {
-			config.CircuitBreakerThreshold = threshold
-		}
-	}
-
-	if cbTimeoutStr := os.Getenv("REDIS_CIRCUIT_BREAKER_TIMEOUT"); cbTimeoutStr != "" {
-		if timeout, err := strconv.Atoi(cbTimeoutStr); err == nil {
-			config.CircuitBreakerTimeout = timeout
-		}
-	}
-
-	// Parse health check settings
-	if enableHCStr := os.Getenv("REDIS_ENABLE_HEALTH_CHECK"); enableHCStr == "false" || enableHCStr == "0" {
-		config.EnableHealthCheck = false
-	} else {
-		config.EnableHealthCheck = true // Default to enabled
-	}
-
-	if hcIntervalStr := os.Getenv("REDIS_HEALTH_CHECK_INTERVAL"); hcIntervalStr != "" {
-		if interval, err := strconv.Atoi(hcIntervalStr); err == nil {
-			config.HealthCheckInterval = interval
-		}
-	}
-
-	// Apply defaults after loading from env
-	config.ApplyDefaults()
-
-	return config
-}
-
 func isOriginAllowed(origin string, allowedOrigins []string) bool {
 	for _, allowed := range allowedOrigins {
 		if origin == allowed || allowed == "*" {

singleton_resources.go

@@ -548,17 +548,24 @@ func (gc *GenericCache) Delete(key string) {
 	delete(gc.data, key)
 }
 
-// cleanupRoutine periodically cleans up the cache
+// cleanupRoutine periodically wipes the cache.
+//
+// NOTE: GenericCache does not track per-entry timestamps, so this is a
+// "clear-all on tick" strategy — every `gc.ttl` interval the entire map
+// is replaced, regardless of when each entry was written. This is the
+// intentional (simplified) behavior of GenericCache, which exists mainly
+// as a generic fallback for tests and non-typed caches. Callers that
+// require true per-entry TTL must use UniversalCache / UnifiedCache which
+// track expiry per entry.
 func (gc *GenericCache) cleanupRoutine() {
-	ticker := time.NewTicker(gc.ttl)
-	defer ticker.Stop()
+	wipeTicker := time.NewTicker(gc.ttl)
+	defer wipeTicker.Stop()
 
 	for {
 		select {
-		case <-ticker.C:
+		case <-wipeTicker.C:
 			gc.mu.Lock()
-			// Simple cleanup - clear all data after TTL
-			// In production, you'd track individual entry TTLs
+			// Clear-all on tick, not per-entry TTL (see function doc).
 			gc.data = make(map[string]interface{})
 			gc.mu.Unlock()
 		case <-gc.stopChan:

singleton_resources_test.go

@@ -4,7 +4,10 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"runtime"
 	"sync"
 	"sync/atomic"
@@ -251,6 +254,30 @@ func TestSingletonResourceManager(t *testing.T) {
 	})
 }
 
+// createMockOIDCServer creates a mock OIDC server for testing
+func createMockOIDCServer() *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"issuer":                 "https://example.com",
+				"authorization_endpoint": "https://example.com/authorize",
+				"token_endpoint":         "https://example.com/token",
+				"jwks_uri":               "https://example.com/jwks",
+				"userinfo_endpoint":      "https://example.com/userinfo",
+			})
+		case "/jwks":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"keys": []interface{}{},
+			})
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	}))
+}
+
 // TestContextAwareGoroutineManagement tests context-aware goroutine management
 func TestContextAwareGoroutineManagement(t *testing.T) {
 	t.Run("GoroutineCleanupOnContextCancel", func(t *testing.T) {
@@ -259,13 +286,17 @@ func TestContextAwareGoroutineManagement(t *testing.T) {
 		ResetUniversalCacheManagerForTesting()
 		defer ResetUniversalCacheManagerForTesting()
 
+		// Create mock OIDC server
+		mockServer := createMockOIDCServer()
+		defer mockServer.Close()
+
 		initialGoroutines := runtime.NumGoroutine()
 
 		ctx, cancel := context.WithCancel(context.Background())
 
 		// Create a TraefikOidc instance with context
 		config := &Config{
-			ProviderURL:  "https://example.com",
+			ProviderURL:  mockServer.URL,
 			ClientID:     "test-client",
 			ClientSecret: "test-secret",
 		}
@@ -308,12 +339,20 @@ func TestContextAwareGoroutineManagement(t *testing.T) {
 		ResetUniversalCacheManagerForTesting()
 		defer ResetUniversalCacheManagerForTesting()
 
+		// Create mock OIDC servers
+		mockServer1 := createMockOIDCServer()
+		defer mockServer1.Close()
+		mockServer2 := createMockOIDCServer()
+		defer mockServer2.Close()
+		mockServer3 := createMockOIDCServer()
+		defer mockServer3.Close()
+
 		initialGoroutines := runtime.NumGoroutine()
 
 		configs := []Config{
-			{ProviderURL: "https://example1.com", ClientID: "client1", ClientSecret: "secret1"},
-			{ProviderURL: "https://example2.com", ClientID: "client2", ClientSecret: "secret2"},
-			{ProviderURL: "https://example3.com", ClientID: "client3", ClientSecret: "secret3"},
+			{ProviderURL: mockServer1.URL, ClientID: "client1", ClientSecret: "secret1"},
+			{ProviderURL: mockServer2.URL, ClientID: "client2", ClientSecret: "secret2"},
+			{ProviderURL: mockServer3.URL, ClientID: "client3", ClientSecret: "secret3"},
 		}
 
 		var plugins []*TraefikOidc
@@ -366,6 +405,13 @@ func TestContextAwareGoroutineManagement(t *testing.T) {
 		ResetUniversalCacheManagerForTesting()
 		defer ResetUniversalCacheManagerForTesting()
 
+		// Create mock OIDC servers
+		mockServers := make([]*httptest.Server, 3)
+		for i := 0; i < 3; i++ {
+			mockServers[i] = createMockOIDCServer()
+			defer mockServers[i].Close()
+		}
+
 		rm := GetResourceManager()
 
 		// Register singleton cleanup task
@@ -386,7 +432,7 @@ func TestContextAwareGoroutineManagement(t *testing.T) {
 		for i := 0; i < 3; i++ {
 			ctx := context.Background()
 			config := &Config{
-				ProviderURL:  fmt.Sprintf("https://example%d.com", i),
+				ProviderURL:  mockServers[i].URL,
 				ClientID:     fmt.Sprintf("client%d", i),
 				ClientSecret: fmt.Sprintf("secret%d", i),
 			}

test_helpers_adapter_test.go

@@ -22,7 +22,7 @@ func (w *testWriter) Write(p []byte) (n int, err error) {
 // Test helper adapters for the new test files
 
 // resetGlobalState resets all global singletons to prevent test interference
-// nolint:unused // Kept for potential future use in integration tests
+//nolint:unused // Kept for potential future use in integration tests
 /*
 func resetGlobalState() {
 	// Reset global task registry first to stop all background tasks
@@ -137,7 +137,7 @@ func (tc *testCleanup) cleanupAll() {
 }
 
 // createTestConfig creates a config with all required fields populated for testing
-// nolint:unused // Kept for potential future use in integration tests
+//nolint:unused // Kept for potential future use in integration tests
 /*
 func createTestConfig() *Config {
 	config := CreateConfig()
@@ -151,7 +151,7 @@ func createTestConfig() *Config {
 */
 
 // setupTestOIDCMiddleware creates a test OIDC middleware instance with mock servers
-// nolint:unused // Kept for potential future use in integration tests
+//nolint:unused // Kept for potential future use in integration tests
 /*
 func setupTestOIDCMiddleware(t *testing.T, config *Config) (*TraefikOidc, *httptest.Server) {
 	// Reset global state to ensure test isolation
@@ -339,7 +339,7 @@ func setupTestOIDCMiddleware(t *testing.T, config *Config) (*TraefikOidc, *httpt
 */
 
 // createMockJWT creates a mock JWT token for testing - adapter for existing tests
-// nolint:unused // Kept for potential future use in integration tests
+//nolint:unused // Kept for potential future use in integration tests
 /*
 func createMockJWT(t *testing.T, sub, email string) string {
 	return ValidIDToken
@@ -361,7 +361,7 @@ func createTestSession() *SessionData {
 }
 
 // injectSessionIntoRequest saves the session and adds the resulting cookies to the request
-// nolint:unused // Kept for potential future use in integration tests
+//nolint:unused // Kept for potential future use in integration tests
 /*
 func injectSessionIntoRequest(t *testing.T, req *http.Request, session *SessionData) {
 	// Create a response recorder to capture cookies

token_manager.go

@@ -46,6 +46,17 @@ func (t *TraefikOidc) VerifyToken(token string) error {
 		}
 	}
 
+	// Hot-path fast-return: a previously-verified token has already passed
+	// signature, claims, and replay checks. Skipping the parseJWT cost here
+	// matters under bursty traffic (e.g. 10+ concurrent panel requests on
+	// every Grafana dashboard refresh) where the same token is validated
+	// dozens of times per second by validateStandardTokens.
+	if t.tokenCache != nil {
+		if claims, exists := t.tokenCache.Get(token); exists && len(claims) > 0 {
+			return nil
+		}
+	}
+
 	parsedJWT, parseErr := parseJWT(token)
 	if parseErr != nil {
 		return fmt.Errorf("failed to parse JWT for blacklist check: %w", parseErr)
@@ -63,12 +74,6 @@ func (t *TraefikOidc) VerifyToken(token string) error {
 		}
 	}
 
-	// Check token cache FIRST - if token is already verified and cached, return immediately
-	// This prevents false positives when multiple goroutines validate the same token concurrently
-	if claims, exists := t.tokenCache.Get(token); exists && len(claims) > 0 {
-		return nil
-	}
-
 	// Only check JTI blacklist for tokens that aren't already in the cache
 	// This is for FIRST-TIME validation to detect replay attacks
 	if jti, ok := parsedJWT.Claims["jti"].(string); ok && jti != "" {
@@ -315,15 +320,6 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 	jwksURL := t.jwksURL
 	t.metadataMu.RUnlock()
 
-	jwks, err := t.jwkCache.GetJWKS(context.Background(), jwksURL, t.httpClient)
-	if err != nil {
-		return fmt.Errorf("failed to get JWKS: %w", err)
-	}
-
-	if !t.suppressDiagnosticLogs && jwks != nil {
-		t.safeLogDebugf("DIAGNOSTIC: Retrieved JWKS with %d keys from URL: %s", len(jwks.Keys), jwksURL)
-	}
-
 	kid, ok := jwt.Header["kid"].(string)
 	if !ok {
 		return fmt.Errorf("missing key ID in token header")
@@ -337,38 +333,12 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 		t.safeLogDebugf("DIAGNOSTIC: Looking for kid=%s, alg=%s in JWKS", kid, alg)
 	}
 
-	if jwks == nil {
-		return fmt.Errorf("JWKS is nil, cannot verify token")
-	}
-
-	// Find the matching key in JWKS
-	var matchingKey *JWK
-	availableKids := make([]string, 0, len(jwks.Keys))
-	for _, key := range jwks.Keys {
-		availableKids = append(availableKids, key.Kid)
-		if key.Kid == kid {
-			matchingKey = &key
-			break
-		}
-	}
-
-	if matchingKey == nil {
-		if !t.suppressDiagnosticLogs {
-			t.safeLogErrorf("DIAGNOSTIC: No matching key found for kid=%s. Available kids: %v", kid, availableKids)
-		}
-		return fmt.Errorf("no matching public key found for kid: %s", kid)
-	}
-
-	if !t.suppressDiagnosticLogs {
-		t.safeLogDebugf("DIAGNOSTIC: Found matching key for kid=%s, key type: %s", kid, matchingKey.Kty)
-	}
-
-	publicKeyPEM, err := jwkToPEM(matchingKey)
+	pubKey, err := t.jwkCache.GetPublicKey(context.Background(), jwksURL, kid, t.httpClient)
 	if err != nil {
-		return fmt.Errorf("failed to convert JWK to PEM: %w", err)
+		return fmt.Errorf("failed to get public key: %w", err)
 	}
 
-	if err := verifySignature(token, publicKeyPEM, alg); err != nil {
+	if err := verifySignatureWithKey(token, pubKey, alg); err != nil {
 		if !t.suppressDiagnosticLogs {
 			t.safeLogErrorf("DIAGNOSTIC: Signature verification failed for kid=%s, alg=%s: %v", kid, alg, err)
 		}
@@ -451,10 +421,9 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 	}
 	t.logger.Debugf("Attempting refresh with token starting with %s...", tokenPrefix)
 
-	newToken, err := t.tokenExchanger.GetNewTokenWithRefreshToken(initialRefreshToken)
+	newToken, err := t.coordinatedTokenRefresh(req, initialRefreshToken)
 	if err != nil {
 		errMsg := err.Error()
-		//nolint:gocritic // Complex error handling with provider-specific conditions
 		if strings.Contains(errMsg, "invalid_grant") || strings.Contains(errMsg, "token expired") {
 			t.logger.Debug("Refresh token expired or revoked: %v", err)
 			// Clear all tokens and authentication state when refresh token is invalid
@@ -554,6 +523,91 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 	return true
 }
 
+// coordinatedTokenRefresh routes a refresh-token grant through the
+// RefreshCoordinator so that concurrent requests sharing the same refresh
+// token coalesce into a single upstream call. This prevents the thundering
+// herd that yields invalid_grant when the IdP rotates refresh tokens.
+//
+// Falls back to a direct call when the coordinator is nil, which only
+// happens in tests that build TraefikOidc literals without going through
+// NewWithContext.
+func (t *TraefikOidc) coordinatedTokenRefresh(req *http.Request, refreshToken string) (*TokenResponse, error) {
+	if t.refreshCoordinator == nil {
+		return t.tokenExchanger.GetNewTokenWithRefreshToken(refreshToken)
+	}
+
+	parentCtx := context.Background()
+	if req != nil {
+		parentCtx = req.Context()
+	}
+	ctx, cancel := context.WithTimeout(parentCtx, refreshCoordinatorWaitTimeout)
+	defer cancel()
+
+	sessionID := refreshCoordinatorSessionID(refreshToken)
+
+	return t.refreshCoordinator.CoordinateRefresh(
+		ctx,
+		sessionID,
+		refreshToken,
+		func() (*TokenResponse, error) {
+			// Cross-replica dedup. The in-process coordinator already
+			// collapses concurrent grants on this pod; this Redis-backed
+			// short-TTL cache covers the (rare) case of a failover or
+			// load-balancer reroute mid-refresh, where two pods would
+			// otherwise both POST the same refresh_token to the IdP.
+			if cached, ok := t.lookupCachedRefreshResult(sessionID); ok {
+				return cached, nil
+			}
+			resp, err := t.tokenExchanger.GetNewTokenWithRefreshToken(refreshToken)
+			if err == nil && resp != nil {
+				t.cacheRefreshResult(sessionID, resp)
+			}
+			return resp, err
+		},
+	)
+}
+
+// lookupCachedRefreshResult returns a previously-stored TokenResponse for the
+// given refresh-token hash, if one exists and is still within its short TTL.
+// The cache wraps the universal cache, which is Redis-backed in production -
+// so a "hit" here means another Traefik replica refreshed this same token
+// within the last few seconds.
+func (t *TraefikOidc) lookupCachedRefreshResult(sessionID string) (*TokenResponse, bool) {
+	if t.refreshResultCache == nil {
+		return nil, false
+	}
+	v, ok := t.refreshResultCache.Get(refreshResultCacheKey(sessionID))
+	if !ok || v == nil {
+		return nil, false
+	}
+	if tr, ok := v.(*TokenResponse); ok && tr != nil {
+		return tr, true
+	}
+	return nil, false
+}
+
+// cacheRefreshResult stores the new TokenResponse under the refresh-token
+// hash for a short window. TTL is intentionally tight: the rotated refresh
+// token cannot be re-presented to the IdP, and any peer waiting longer than
+// this window has almost certainly given up via its own coordinator timeout.
+func (t *TraefikOidc) cacheRefreshResult(sessionID string, resp *TokenResponse) {
+	if t.refreshResultCache == nil || resp == nil {
+		return
+	}
+	t.refreshResultCache.Set(refreshResultCacheKey(sessionID), resp, refreshResultCacheTTL)
+}
+
+// refreshResultCacheKey namespaces refresh-result entries inside the shared
+// cache namespace.
+func refreshResultCacheKey(sessionID string) string {
+	return "rt-result:" + sessionID
+}
+
+// refreshResultCacheTTL bounds how long a peer can lean on the dedup cache.
+// Long enough for a sibling replica to observe the result, short enough that
+// a stale entry never re-supplies a token after the IdP has already moved on.
+const refreshResultCacheTTL = 5 * time.Second
+
 // RevokeToken revokes a token locally by adding it to the blacklist cache.
 // It removes the token from the verification cache and adds both the token
 // and its JTI (if present) to the blacklist to prevent future use.

types.go

@@ -95,6 +95,7 @@ type TraefikOidc struct {
 	cancelFunc                 context.CancelFunc
 	errorRecoveryManager       *ErrorRecoveryManager
 	tokenResilienceManager     *TokenResilienceManager
+	refreshCoordinator         *RefreshCoordinator
 	goroutineWG                *sync.WaitGroup
 	dcrConfig                  *DynamicClientRegistrationConfig
 	dynamicClientRegistrar     *DynamicClientRegistrar
@@ -119,14 +120,22 @@ type TraefikOidc struct {
 	clientID                   string
 	clientSecret               string
 	registrationURL            string
+	backchannelLogoutPath      string
+	frontchannelLogoutPath     string
 	scopesSupported            []string
 	scopes                     []string
 	refreshGracePeriod         time.Duration
+	maxRefreshTokenAge         time.Duration
 	metadataMu                 sync.RWMutex
 	shutdownOnce               sync.Once
 	metadataRetryMutex         sync.Mutex
 	firstRequestMutex          sync.Mutex
+	sessionInvalidationCache   CacheInterface
+	refreshResultCache         CacheInterface
 	minimalHeaders             bool
+	stripAuthCookies           bool
+	enableBackchannelLogout    bool
+	enableFrontchannelLogout   bool
 	firstRequestReceived       bool
 	requireTokenIntrospection  bool
 	metadataRefreshStarted     bool

universal_cache.go

@@ -21,6 +21,10 @@ const (
 	CacheTypeJWK      CacheType = "jwk"
 	CacheTypeSession  CacheType = "session"
 	CacheTypeGeneral  CacheType = "general"
+
+	// maxCacheEntrySize defines the maximum size for a single cache entry (64 MiB)
+	// This prevents integer overflow when allocating memory for serialization
+	maxCacheEntrySize = 64 * 1024 * 1024
 )
 
 // UniversalCacheConfig provides configuration for the universal cache
@@ -302,8 +306,10 @@ func (c *UniversalCache) Set(key string, value interface{}, ttl time.Duration) e
 		c.currentMemory += size
 	}
 
-	c.logger.Debugf("UniversalCache[%s]: Set key=%s, ttl=%v, size=%d bytes",
-		c.config.Type, key, ttl, size)
+	if c.logger.IsDebug() {
+		c.logger.Debugf("UniversalCache[%s]: Set key=%s, ttl=%v, size=%d bytes",
+			c.config.Type, key, ttl, size)
+	}
 
 	return nil
 }
@@ -327,15 +333,41 @@ func (c *UniversalCache) Get(key string) (interface{}, bool) {
 				// Fall through to local cache
 			} else {
 				atomic.AddInt64(&c.hits, 1)
-				// Update local cache with backend value
-				go func() {
-					_ = c.updateLocalCache(key, value, c.config.DefaultTTL)
-				}()
+				// Update local cache with backend value synchronously.
+				// Under yaegi, goroutine spawn is 5-10x costlier than compiled Go,
+				// and this path fires per-request on cold local cache.
+				// updateLocalCache is cheap (map write under mutex).
+				_ = c.updateLocalCache(key, value, c.config.DefaultTTL)
 				return value, true
 			}
 		}
 	}
 
+	// Fast read path for caches whose eviction is dominated by TTL rather than
+	// access-recency (token, JWK, session). Holding only an RLock here lets all
+	// concurrent readers verify cached tokens in parallel — under yaegi the
+	// previous unconditional Lock serialized every JWT verify on a single
+	// mutex and pinned a CPU under load.
+	switch c.config.Type {
+	case CacheTypeToken, CacheTypeJWK, CacheTypeSession:
+		c.mu.RLock()
+		item, exists := c.items[key]
+		if !exists {
+			c.mu.RUnlock()
+			atomic.AddInt64(&c.misses, 1)
+			return nil, false
+		}
+		if !time.Now().After(item.ExpiresAt) {
+			value := item.Value
+			c.mu.RUnlock()
+			atomic.AddInt64(&c.hits, 1)
+			return value, true
+		}
+		c.mu.RUnlock()
+		// Expired — fall through to the write-locked slow path below to
+		// remove the entry under exclusive access.
+	}
+
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -536,7 +568,9 @@ func (c *UniversalCache) evictOldest() {
 		if item, exists := c.items[key]; exists {
 			c.removeItem(key, item)
 			atomic.AddInt64(&c.evictions, 1)
-			c.logger.Debugf("UniversalCache[%s]: Evicted key=%s", c.config.Type, key)
+			if c.logger.IsDebug() {
+				c.logger.Debugf("UniversalCache[%s]: Evicted key=%s", c.config.Type, key)
+			}
 		}
 	}
 }
@@ -720,22 +754,6 @@ func (c *UniversalCache) SetWithMetadata(key string, value interface{}, ttl time
 	return nil
 }
 
-// GetTyped retrieves a typed value from the cache
-func GetTyped[T any](c *UniversalCache, key string) (T, bool) {
-	var zero T
-	value, exists := c.Get(key)
-	if !exists {
-		return zero, false
-	}
-
-	typed, ok := value.(T)
-	if !ok {
-		return zero, false
-	}
-
-	return typed, true
-}
-
 // TokenCacheOperations provides token-specific operations
 func (c *UniversalCache) BlacklistToken(token string, ttl time.Duration) error {
 	if c.config.Type != CacheTypeToken {
@@ -784,14 +802,81 @@ func (c *UniversalCache) Strategy() CacheStrategy {
 
 // serialize converts a value to bytes for backend storage
 func (c *UniversalCache) serialize(value interface{}) ([]byte, error) {
-	// Use JSON for serialization - simple and universal
-	return json.Marshal(value)
+	// If value is already a byte slice (e.g., pre-marshaled JSON from metadata_cache),
+	// store it directly with a marker to prevent double-encoding.
+	// This fixes the issue where []byte was being JSON-marshaled, causing Base64 encoding.
+	if bytes, ok := value.([]byte); ok {
+		// Validate size to prevent integer overflow
+		if len(bytes) > maxCacheEntrySize {
+			return nil, fmt.Errorf("cache entry size %d exceeds maximum allowed size %d", len(bytes), maxCacheEntrySize)
+		}
+		// Check for potential overflow when adding marker byte
+		if len(bytes) == maxCacheEntrySize {
+			return nil, fmt.Errorf("cache entry size would overflow when adding marker byte")
+		}
+
+		// Prepend marker byte 0x00 to indicate raw bytes (not JSON-encoded)
+		result := make([]byte, len(bytes)+1)
+		result[0] = 0x00
+		copy(result[1:], bytes)
+		return result, nil
+	}
+
+	// For all other types (maps, strings, etc.), use JSON encoding
+	// Prepend marker byte 0x01 to indicate JSON-encoded data
+	jsonData, err := json.Marshal(value)
+	if err != nil {
+		return nil, err
+	}
+
+	// Validate size to prevent integer overflow
+	if len(jsonData) > maxCacheEntrySize {
+		return nil, fmt.Errorf("serialized cache entry size %d exceeds maximum allowed size %d", len(jsonData), maxCacheEntrySize)
+	}
+	// Check for potential overflow when adding marker byte
+	if len(jsonData) == maxCacheEntrySize {
+		return nil, fmt.Errorf("serialized cache entry size would overflow when adding marker byte")
+	}
+
+	result := make([]byte, len(jsonData)+1)
+	result[0] = 0x01
+	copy(result[1:], jsonData)
+	return result, nil
 }
 
 // deserialize converts bytes from backend storage to a value
 func (c *UniversalCache) deserialize(data []byte, value interface{}) error {
-	// Use JSON for deserialization
-	return json.Unmarshal(data, value)
+	if len(data) == 0 {
+		return fmt.Errorf("cannot deserialize empty data")
+	}
+
+	// Check for type marker (added by serialize)
+	if data[0] == 0x00 {
+		// Raw bytes - strip marker and return as-is
+		rawBytes := data[1:]
+		if ptr, ok := value.(*interface{}); ok {
+			*ptr = rawBytes
+			return nil
+		}
+		return fmt.Errorf("cannot deserialize raw bytes into %T", value)
+	}
+
+	if data[0] == 0x01 {
+		// JSON-encoded - strip marker and unmarshal
+		return json.Unmarshal(data[1:], value)
+	}
+
+	// Legacy data without marker (for backward compatibility)
+	// Try to unmarshal as JSON
+	if err := json.Unmarshal(data, value); err != nil {
+		// If unmarshal fails, treat as raw bytes
+		if ptr, ok := value.(*interface{}); ok {
+			*ptr = data
+			return nil
+		}
+		return err
+	}
+	return nil
 }
 
 // prefixKey adds a cache type prefix to the key for backend storage

universal_cache_serialization_test.go

@@ -0,0 +1,517 @@
+package traefikoidc
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/alicebob/miniredis/v2"
+	"github.com/lukaszraczylo/traefikoidc/internal/cache/backends"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestUniversalCache_SerializeDeserialize tests the fix for issue #116
+// where metadata was stored as Base64-encoded JSON but read as plain JSON
+func TestUniversalCache_SerializeDeserialize(t *testing.T) {
+	t.Parallel()
+
+	t.Run("RawBytesPreserved", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Test data: pre-marshaled JSON bytes (like metadata_cache uses)
+		testData := []byte(`{"issuer":"https://example.com","jwks_uri":"https://example.com/jwks"}`)
+
+		// Serialize
+		serialized, err := cache.serialize(testData)
+		require.NoError(t, err)
+		assert.NotNil(t, serialized)
+
+		// Should have marker byte
+		assert.Equal(t, byte(0x00), serialized[0], "Should have raw bytes marker")
+		assert.Equal(t, testData, serialized[1:], "Data should be preserved after marker")
+
+		// Deserialize
+		var result interface{}
+		err = cache.deserialize(serialized, &result)
+		require.NoError(t, err)
+
+		// Should get back []byte
+		resultBytes, ok := result.([]byte)
+		require.True(t, ok, "Result should be []byte")
+		assert.Equal(t, testData, resultBytes, "Deserialized data should match original")
+	})
+
+	t.Run("JSONEncodedTypes", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		testCases := []struct {
+			name  string
+			value interface{}
+		}{
+			{
+				name:  "Map",
+				value: map[string]interface{}{"key": "value", "number": 42.0},
+			},
+			{
+				name:  "String",
+				value: "test-string",
+			},
+			{
+				name:  "Number",
+				value: 123.456,
+			},
+			{
+				name:  "Array",
+				value: []interface{}{"a", "b", "c"},
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				// Serialize
+				serialized, err := cache.serialize(tc.value)
+				require.NoError(t, err)
+				assert.NotNil(t, serialized)
+
+				// Should have JSON marker byte
+				assert.Equal(t, byte(0x01), serialized[0], "Should have JSON marker")
+
+				// Verify the JSON portion is valid
+				var checkJSON interface{}
+				err = json.Unmarshal(serialized[1:], &checkJSON)
+				require.NoError(t, err, "Should be valid JSON after marker")
+
+				// Deserialize
+				var result interface{}
+				err = cache.deserialize(serialized, &result)
+				require.NoError(t, err)
+
+				// Compare results (using JSON round-trip for consistent comparison)
+				expectedJSON, _ := json.Marshal(tc.value)
+				resultJSON, _ := json.Marshal(result)
+				assert.JSONEq(t, string(expectedJSON), string(resultJSON), "Deserialized data should match original")
+			})
+		}
+	})
+
+	t.Run("LegacyDataCompatibility", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Simulate legacy data (JSON without marker byte)
+		legacyData := []byte(`{"legacy":"data"}`)
+
+		var result interface{}
+		err := cache.deserialize(legacyData, &result)
+		require.NoError(t, err)
+
+		// Should successfully unmarshal as JSON
+		resultMap, ok := result.(map[string]interface{})
+		require.True(t, ok, "Should unmarshal legacy JSON data")
+		assert.Equal(t, "data", resultMap["legacy"])
+	})
+
+	t.Run("EmptyDataHandling", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		var result interface{}
+		err := cache.deserialize([]byte{}, &result)
+		assert.Error(t, err, "Should error on empty data")
+		assert.Contains(t, err.Error(), "empty data")
+	})
+
+	t.Run("OverflowProtection_LargeBytes", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Create a byte slice that exceeds maxCacheEntrySize (64 MiB)
+		oversizedBytes := make([]byte, 65*1024*1024) // 65 MiB
+
+		// Attempt to serialize - should fail with overflow error
+		_, err := cache.serialize(oversizedBytes)
+		require.Error(t, err, "Should error on oversized byte slice")
+		assert.Contains(t, err.Error(), "exceeds maximum allowed size")
+	})
+
+	t.Run("OverflowProtection_ExactMaxSize", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Create a byte slice exactly at maxCacheEntrySize
+		// This should fail because adding marker byte would overflow
+		exactMaxBytes := make([]byte, 64*1024*1024) // Exactly 64 MiB
+
+		_, err := cache.serialize(exactMaxBytes)
+		require.Error(t, err, "Should error when adding marker would overflow")
+		assert.Contains(t, err.Error(), "would overflow when adding marker byte")
+	})
+
+	t.Run("OverflowProtection_SafeSize", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Create a byte slice well within limits
+		safeBytes := make([]byte, 1024*1024) // 1 MiB - safe size
+
+		serialized, err := cache.serialize(safeBytes)
+		require.NoError(t, err, "Should succeed with safe size")
+		assert.NotNil(t, serialized)
+		assert.Equal(t, len(safeBytes)+1, len(serialized), "Should add marker byte")
+	})
+
+	t.Run("OverflowProtection_JSONData", func(t *testing.T) {
+		cache := NewUniversalCache(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		})
+		defer cache.Close()
+
+		// Create a very large map that will exceed limits when JSON-encoded
+		largeMap := make(map[string]string)
+		// Each entry is roughly 50 bytes, so we need ~1.3M entries to exceed 64 MiB
+		for i := 0; i < 1400000; i++ {
+			key := fmt.Sprintf("key_%d", i)
+			largeMap[key] = "value_with_some_content_to_make_it_larger"
+		}
+
+		_, err := cache.serialize(largeMap)
+		require.Error(t, err, "Should error when JSON serialization exceeds size limit")
+		assert.Contains(t, err.Error(), "exceeds maximum allowed size")
+	})
+}
+
+// TestUniversalCache_RedisIntegration_Issue116 tests the complete fix for issue #116
+// with actual Redis backend to ensure metadata cache works correctly
+func TestUniversalCache_RedisIntegration_Issue116(t *testing.T) {
+	t.Parallel()
+
+	// Start miniredis server
+	mr, err := miniredis.Run()
+	require.NoError(t, err)
+	defer mr.Close()
+
+	// Create Redis backend
+	redisConfig := backends.DefaultRedisConfig(mr.Addr())
+	redisConfig.RedisPrefix = "test:"
+	backend, err := backends.NewRedisBackend(redisConfig)
+	require.NoError(t, err)
+	defer backend.Close()
+
+	t.Run("MetadataCache_StoreAndRetrieve", func(t *testing.T) {
+		// Create cache with Redis backend
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeMetadata,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		// Simulate metadata_cache.Set behavior:
+		// 1. Marshal metadata to JSON
+		metadata := ProviderMetadata{
+			Issuer:   "https://example.com",
+			JWKSURL:  "https://example.com/jwks",
+			TokenURL: "https://example.com/token",
+			AuthURL:  "https://example.com/authorize",
+		}
+		jsonData, err := json.Marshal(metadata)
+		require.NoError(t, err)
+
+		// 2. Store the JSON bytes
+		key := "v2:https://example.com"
+		err = cache.Set(key, jsonData, 1*time.Hour)
+		require.NoError(t, err)
+
+		// 3. Retrieve the data
+		retrieved, exists := cache.Get(key)
+		require.True(t, exists, "Data should exist in cache")
+
+		// 4. Should get back []byte (not a string or map)
+		retrievedBytes, ok := retrieved.([]byte)
+		require.True(t, ok, "Retrieved value should be []byte, got %T", retrieved)
+
+		// 5. Should be able to unmarshal as JSON
+		var retrievedMetadata ProviderMetadata
+		err = json.Unmarshal(retrievedBytes, &retrievedMetadata)
+		require.NoError(t, err, "Should be able to unmarshal retrieved bytes as JSON")
+
+		// 6. Verify data integrity
+		assert.Equal(t, metadata.Issuer, retrievedMetadata.Issuer)
+		assert.Equal(t, metadata.JWKSURL, retrievedMetadata.JWKSURL)
+		assert.Equal(t, metadata.TokenURL, retrievedMetadata.TokenURL)
+	})
+
+	t.Run("MetadataCache_NoBase64Encoding", func(t *testing.T) {
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeMetadata,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		// Store JSON bytes
+		jsonData := []byte(`{"issuer":"https://test.com"}`)
+		key := "v2:https://test.com"
+		err = cache.Set(key, jsonData, 1*time.Hour)
+		require.NoError(t, err)
+
+		// Retrieve
+		retrieved, exists := cache.Get(key)
+		require.True(t, exists)
+
+		retrievedBytes, ok := retrieved.([]byte)
+		require.True(t, ok)
+
+		// The retrieved data should NOT start with "eyJ" (Base64 encoding of "{")
+		// This was the bug in issue #116
+		assert.NotEqual(t, []byte("eyJ"), retrievedBytes[:3], "Data should not be Base64 encoded")
+
+		// Should be valid JSON
+		var checkJSON map[string]interface{}
+		err = json.Unmarshal(retrievedBytes, &checkJSON)
+		require.NoError(t, err, "Data should be valid JSON")
+		assert.Equal(t, "https://test.com", checkJSON["issuer"])
+	})
+
+	t.Run("TokenCache_MapValues", func(t *testing.T) {
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeToken,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		// Store a map (like TokenCache does)
+		claims := map[string]interface{}{
+			"sub":   "user123",
+			"exp":   1234567890.0,
+			"scope": "read write",
+		}
+		key := "token:abc123"
+		err = cache.Set(key, claims, 10*time.Minute)
+		require.NoError(t, err)
+
+		// Retrieve
+		retrieved, exists := cache.Get(key)
+		require.True(t, exists)
+
+		// Should get back a map
+		retrievedMap, ok := retrieved.(map[string]interface{})
+		require.True(t, ok, "Retrieved value should be map[string]interface{}")
+		assert.Equal(t, "user123", retrievedMap["sub"])
+		assert.Equal(t, 1234567890.0, retrievedMap["exp"])
+	})
+
+	t.Run("MixedTypes_SameCache", func(t *testing.T) {
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		// Store different types
+		jsonBytes := []byte(`{"type":"json-bytes"}`)
+		err = cache.Set("key1", jsonBytes, 1*time.Hour)
+		require.NoError(t, err)
+
+		mapData := map[string]interface{}{"type": "map"}
+		err = cache.Set("key2", mapData, 1*time.Hour)
+		require.NoError(t, err)
+
+		stringData := "plain-string"
+		err = cache.Set("key3", stringData, 1*time.Hour)
+		require.NoError(t, err)
+
+		// Retrieve and verify each type
+		val1, exists := cache.Get("key1")
+		require.True(t, exists)
+		bytes1, ok := val1.([]byte)
+		require.True(t, ok)
+		assert.Equal(t, jsonBytes, bytes1)
+
+		val2, exists := cache.Get("key2")
+		require.True(t, exists)
+		map2, ok := val2.(map[string]interface{})
+		require.True(t, ok)
+		assert.Equal(t, "map", map2["type"])
+
+		val3, exists := cache.Get("key3")
+		require.True(t, exists)
+		str3, ok := val3.(string)
+		require.True(t, ok)
+		assert.Equal(t, stringData, str3)
+	})
+}
+
+// TestUniversalCache_BackwardCompatibility tests that old cached data is handled gracefully
+func TestUniversalCache_BackwardCompatibility(t *testing.T) {
+	t.Parallel()
+
+	mr, err := miniredis.Run()
+	require.NoError(t, err)
+	defer mr.Close()
+
+	redisConfig := backends.DefaultRedisConfig(mr.Addr())
+	backend, err := backends.NewRedisBackend(redisConfig)
+	require.NoError(t, err)
+	defer backend.Close()
+
+	ctx := context.Background()
+
+	t.Run("LegacyJSONData", func(t *testing.T) {
+		// Manually insert legacy data (plain JSON without marker)
+		legacyKey := "general:legacy-key"
+		legacyData := []byte(`{"old":"format"}`)
+		err = backend.Set(ctx, legacyKey, legacyData, 1*time.Hour)
+		require.NoError(t, err)
+
+		// Try to retrieve via UniversalCache
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		retrieved, exists := cache.Get("legacy-key")
+		require.True(t, exists, "Should retrieve legacy data")
+
+		// Should deserialize as JSON map
+		retrievedMap, ok := retrieved.(map[string]interface{})
+		require.True(t, ok, "Should unmarshal legacy JSON")
+		assert.Equal(t, "format", retrievedMap["old"])
+	})
+
+	t.Run("LegacyCorruptData", func(t *testing.T) {
+		// Insert corrupt/invalid data
+		corruptKey := "general:corrupt-key"
+		corruptData := []byte("not json and no marker")
+		err = backend.Set(ctx, corruptKey, corruptData, 1*time.Hour)
+		require.NoError(t, err)
+
+		cache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+			Type:    CacheTypeGeneral,
+			MaxSize: 100,
+		}, backend)
+		defer cache.Close()
+
+		retrieved, exists := cache.Get("corrupt-key")
+		require.True(t, exists)
+
+		// Should return as raw bytes (fallback)
+		retrievedBytes, ok := retrieved.([]byte)
+		require.True(t, ok, "Should return corrupt data as raw bytes")
+		assert.Equal(t, corruptData, retrievedBytes)
+	})
+}
+
+// TestMetadataCache_Issue116_Regression is the main regression test for issue #116
+// This specifically tests the scenario described in the GitHub issue
+func TestMetadataCache_Issue116_Regression(t *testing.T) {
+	t.Parallel()
+
+	mr, err := miniredis.Run()
+	require.NoError(t, err)
+	defer mr.Close()
+
+	// Create Redis backend
+	redisConfig := backends.DefaultRedisConfig(mr.Addr())
+	redisConfig.RedisPrefix = "traefik:"
+	backend, err := backends.NewRedisBackend(redisConfig)
+	require.NoError(t, err)
+	defer backend.Close()
+
+	// Create a simple logger
+	logger := GetSingletonNoOpLogger()
+
+	// Create metadata cache instance
+	metadataCache := NewUniversalCacheWithBackend(UniversalCacheConfig{
+		Type:            CacheTypeMetadata,
+		MaxSize:         100,
+		Logger:          logger,
+		SkipAutoCleanup: true,
+	}, backend)
+	defer metadataCache.Close()
+
+	// Use the actual MetadataCache wrapper
+	wg := &sync.WaitGroup{}
+	mc := &MetadataCache{
+		cache:  metadataCache,
+		logger: logger,
+		wg:     wg,
+	}
+
+	// Test: Store and retrieve metadata (the scenario from issue #116)
+	providerURL := "https://example.com"
+	metadata := &ProviderMetadata{
+		Issuer:         "https://example.com",
+		AuthURL:        "https://example.com/authorize",
+		TokenURL:       "https://example.com/token",
+		JWKSURL:        "https://example.com/jwks",
+		RevokeURL:      "https://example.com/revoke",
+		EndSessionURL:  "https://example.com/logout",
+		RegistrationURL: "https://example.com/register",
+		ScopesSupported: []string{"openid", "profile", "email"},
+	}
+
+	// Store metadata
+	err = mc.Set(providerURL, metadata, 1*time.Hour)
+	require.NoError(t, err, "Should store metadata without error")
+
+	// Retrieve metadata
+	retrieved, exists := mc.Get(providerURL)
+	require.True(t, exists, "Should retrieve stored metadata")
+	require.NotNil(t, retrieved, "Retrieved metadata should not be nil")
+
+	// Verify no corruption - this was failing in issue #116 with "invalid character 'e'" error
+	assert.Equal(t, metadata.Issuer, retrieved.Issuer)
+	assert.Equal(t, metadata.AuthURL, retrieved.AuthURL)
+	assert.Equal(t, metadata.TokenURL, retrieved.TokenURL)
+	assert.Equal(t, metadata.JWKSURL, retrieved.JWKSURL)
+
+	// Verify the data is not Base64-encoded in Redis
+	// This checks the root cause mentioned in the issue
+	ctx := context.Background()
+	rawData, _, exists, err := backend.Get(ctx, "metadata:v2:"+providerURL)
+	require.NoError(t, err)
+	require.True(t, exists)
+
+	// Strip the marker byte
+	require.Greater(t, len(rawData), 1, "Data should have marker byte")
+	dataWithoutMarker := rawData[1:]
+
+	// Should not start with "eyJ" (Base64 encoding of "{")
+	if len(dataWithoutMarker) >= 3 {
+		assert.NotEqual(t, "eyJ", string(dataWithoutMarker[:3]), "Data should not be Base64-encoded")
+	}
+
+	// Should be valid JSON
+	var checkMetadata ProviderMetadata
+	err = json.Unmarshal(dataWithoutMarker, &checkMetadata)
+	require.NoError(t, err, "Stored data should be valid JSON, not Base64")
+	assert.Equal(t, metadata.Issuer, checkMetadata.Issuer)
+}

universal_cache_singleton.go

@@ -13,21 +13,23 @@ import (
 // It runs a single consolidated cleanup goroutine for all caches, reducing
 // goroutine count and CPU overhead compared to per-cache cleanup routines.
 type UniversalCacheManager struct {
-	sharedBackend       backends.CacheBackend
-	ctx                 context.Context
-	tokenTypeCache      *UniversalCache
-	jwkCache            *UniversalCache
-	sessionCache        *UniversalCache
-	introspectionCache  *UniversalCache
-	tokenCache          *UniversalCache
-	metadataCache       *UniversalCache
-	dcrCredentialsCache *UniversalCache // DCR credentials storage for distributed environments
-	logger              *Logger
-	blacklistCache      *UniversalCache
-	cancel              context.CancelFunc
-	wg                  sync.WaitGroup
-	mu                  sync.RWMutex
-	cleanupStarted      bool
+	sharedBackend            backends.CacheBackend
+	ctx                      context.Context
+	tokenTypeCache           *UniversalCache
+	jwkCache                 *UniversalCache
+	sessionCache             *UniversalCache
+	introspectionCache       *UniversalCache
+	tokenCache               *UniversalCache
+	metadataCache            *UniversalCache
+	dcrCredentialsCache      *UniversalCache // DCR credentials storage for distributed environments
+	sessionInvalidationCache *UniversalCache // Session invalidation cache for backchannel/front-channel logout
+	refreshResultCache       *UniversalCache // Short-lived cross-replica refresh-result dedup (paired with RefreshCoordinator)
+	logger                   *Logger
+	blacklistCache           *UniversalCache
+	cancel                   context.CancelFunc
+	wg                       sync.WaitGroup
+	mu                       sync.RWMutex
+	cleanupStarted           bool
 }
 
 var (
@@ -170,6 +172,28 @@ func initializeDefaultCaches(manager *UniversalCacheManager, logger *Logger) {
 		Logger:          logger,
 		SkipAutoCleanup: true, // Managed cleanup
 	})
+
+	// Initialize session invalidation cache for backchannel/front-channel logout
+	// This cache stores invalidated session IDs and subjects to revoke sessions
+	manager.sessionInvalidationCache = NewUniversalCache(UniversalCacheConfig{
+		Type:            CacheTypeSession,
+		MaxSize:         5000,           // Support many concurrent invalidations
+		DefaultTTL:      25 * time.Hour, // Slightly longer than session max age (24h)
+		Logger:          logger,
+		SkipAutoCleanup: true, // Managed cleanup
+	})
+
+	// Refresh-result cache: short-lived store keyed by sha256(refreshToken).
+	// In Redis-backed mode this gives cross-replica dedup of refresh grants;
+	// in memory-only mode it's effectively redundant with RefreshCoordinator
+	// but safe and cheap to keep.
+	manager.refreshResultCache = NewUniversalCache(UniversalCacheConfig{
+		Type:            CacheTypeToken,
+		MaxSize:         1000,
+		DefaultTTL:      5 * time.Second,
+		Logger:          logger,
+		SkipAutoCleanup: true, // Managed cleanup
+	})
 }
 
 // initializeCachesWithRedis initializes caches with Redis/Hybrid backends based on configuration
@@ -363,6 +387,34 @@ func initializeCachesWithRedis(manager *UniversalCacheManager, logger *Logger, r
 		createBackend("dcr"),
 	)
 
+	// Session invalidation cache - CRITICAL for distributed backchannel/front-channel logout
+	// Uses Redis backend to share session invalidations across all Traefik replicas
+	manager.sessionInvalidationCache = NewUniversalCacheWithBackend(
+		UniversalCacheConfig{
+			Type:            CacheTypeSession,
+			MaxSize:         5000,           // Support many concurrent invalidations
+			DefaultTTL:      25 * time.Hour, // Slightly longer than session max age (24h)
+			Logger:          logger,
+			SkipAutoCleanup: true, // Managed cleanup
+		},
+		createBackend("session_invalidation"),
+	)
+
+	// Refresh-result cache - shared via Redis so concurrent refreshes across
+	// Traefik replicas can dedup their grants. The 5s TTL is long enough for
+	// peers to observe a recent refresh and short enough that a stale entry
+	// can't be replayed against a now-rotated refresh token.
+	manager.refreshResultCache = NewUniversalCacheWithBackend(
+		UniversalCacheConfig{
+			Type:            CacheTypeToken,
+			MaxSize:         1000,
+			DefaultTTL:      5 * time.Second,
+			Logger:          logger,
+			SkipAutoCleanup: true, // Managed cleanup
+		},
+		createBackend("refresh_result"),
+	)
+
 	logger.Infof("Cache manager initialized with %s backend configuration", redisConfig.CacheMode)
 }
 
@@ -411,6 +463,8 @@ func (m *UniversalCacheManager) performConsolidatedCleanup() {
 		m.introspectionCache,
 		m.tokenTypeCache,
 		m.dcrCredentialsCache,
+		m.sessionInvalidationCache,
+		m.refreshResultCache,
 	}
 	m.mu.RUnlock()
 
@@ -452,13 +506,6 @@ func (m *UniversalCacheManager) GetJWKCache() *UniversalCache {
 	return m.jwkCache
 }
 
-// GetSessionCache returns the session cache
-func (m *UniversalCacheManager) GetSessionCache() *UniversalCache {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	return m.sessionCache
-}
-
 // GetIntrospectionCache returns the token introspection cache
 func (m *UniversalCacheManager) GetIntrospectionCache() *UniversalCache {
 	m.mu.RLock()
@@ -473,6 +520,21 @@ func (m *UniversalCacheManager) GetTokenTypeCache() *UniversalCache {
 	return m.tokenTypeCache
 }
 
+// GetSessionInvalidationCache returns the session invalidation cache for backchannel/front-channel logout
+func (m *UniversalCacheManager) GetSessionInvalidationCache() *UniversalCache {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.sessionInvalidationCache
+}
+
+// GetRefreshResultCache returns the short-lived refresh-result cache used to
+// coalesce refresh-token grants across Traefik replicas.
+func (m *UniversalCacheManager) GetRefreshResultCache() *UniversalCache {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.refreshResultCache
+}
+
 // GetDCRCredentialsCache returns the DCR credentials cache for distributed storage
 func (m *UniversalCacheManager) GetDCRCredentialsCache() *UniversalCache {
 	m.mu.RLock()
@@ -495,7 +557,7 @@ func (m *UniversalCacheManager) Close() error {
 
 	// Close all caches first (they won't close the shared backend)
 	for _, cache := range []*UniversalCache{
-		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache,
+		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache, m.sessionInvalidationCache, m.refreshResultCache,
 	} {
 		if cache != nil {
 			_ = cache.Close() // Safe to ignore: best effort cache cleanup
@@ -516,35 +578,6 @@ func (m *UniversalCacheManager) Close() error {
 	return nil
 }
 
-// InitializeCacheManagerFromConfig initializes the cache manager with configuration
-// This should be called early in the application startup with the loaded configuration
-func InitializeCacheManagerFromConfig(config *Config) *UniversalCacheManager {
-	logger := NewLogger(config.LogLevel)
-
-	// Initialize Redis config if not present
-	if config.Redis == nil {
-		config.Redis = &RedisConfig{}
-	}
-
-	// Apply environment variable fallbacks for fields not set in config
-	// This allows env vars to be used as optional overrides only when
-	// the config field is not explicitly set through Traefik
-	config.Redis.ApplyEnvFallbacks()
-
-	// Apply defaults after env fallbacks
-	config.Redis.ApplyDefaults()
-
-	// Log cache backend selection
-	if config.Redis != nil && config.Redis.Enabled {
-		logger.Infof("Initializing cache backend with Redis: mode=%s, address=%s",
-			config.Redis.CacheMode, config.Redis.Address)
-	} else {
-		logger.Info("Initializing cache backend with memory-only mode")
-	}
-
-	return GetUniversalCacheManagerWithConfig(logger, config.Redis)
-}
-
 // ResetUniversalCacheManagerForTesting resets the singleton for testing purposes only
 // This should only be called in test code to ensure proper cleanup between tests
 func ResetUniversalCacheManagerForTesting() {

utilities.go

@@ -250,6 +250,11 @@ func (t *TraefikOidc) Close() error {
 			t.safeLogDebug("metadataRefreshStopChan closed")
 		}
 
+		if t.refreshCoordinator != nil {
+			t.refreshCoordinator.Shutdown()
+			t.safeLogDebug("refreshCoordinator shut down")
+		}
+
 		if t.goroutineWG != nil {
 			done := make(chan struct{})
 			go func() {

vendor/github.com/alicebob/miniredis/v2/gopher-json/json.go

@@ -10,7 +10,7 @@ import (
 // Preload adds json to the given Lua state's package.preload table. After it
 // has been preloaded, it can be loaded using require:
 //
-//	local json = require("json")
+//  local json = require("json")
 func Preload(L *lua.LState) {
 	L.PreloadModule("json", Loader)
 }

vendor/github.com/davecgh/go-spew/spew/bypass.go

@@ -18,7 +18,6 @@
 // tag is deprecated and thus should not be used.
 // Go versions prior to 1.4 are disabled because they use a different layout
 // for interfaces which make the implementation of unsafeReflectValue more complex.
-//go:build !js && !appengine && !safe && !disableunsafe && go1.4
 // +build !js,!appengine,!safe,!disableunsafe,go1.4
 
 package spew

vendor/github.com/davecgh/go-spew/spew/bypasssafe.go

@@ -16,7 +16,6 @@
 // when the code is running on Google App Engine, compiled by GopherJS, or
 // "-tags safe" is added to the go build command line.  The "disableunsafe"
 // tag is deprecated and thus should not be used.
-//go:build js || appengine || safe || disableunsafe || !go1.4
 // +build js appengine safe disableunsafe !go1.4
 
 package spew

vendor/github.com/davecgh/go-spew/spew/config.go

@@ -254,15 +254,15 @@ pointer addresses used to indirect to the final value.  It provides the
 following features over the built-in printing facilities provided by the fmt
 package:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output
 
 The configuration options are controlled by modifying the public members
 of c.  See ConfigState for options documentation.
@@ -295,12 +295,12 @@ func (c *ConfigState) convertArgs(args []interface{}) (formatters []interface{})
 
 // NewDefaultConfig returns a ConfigState with the following default settings.
 //
-//	Indent: " "
-//	MaxDepth: 0
-//	DisableMethods: false
-//	DisablePointerMethods: false
-//	ContinueOnMethod: false
-//	SortKeys: false
+// 	Indent: " "
+// 	MaxDepth: 0
+// 	DisableMethods: false
+// 	DisablePointerMethods: false
+// 	ContinueOnMethod: false
+// 	SortKeys: false
 func NewDefaultConfig() *ConfigState {
 	return &ConfigState{Indent: " "}
 }

vendor/github.com/davecgh/go-spew/spew/doc.go

@@ -21,36 +21,35 @@ debugging.
 A quick overview of the additional features spew provides over the built-in
 printing facilities for Go data types are as follows:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output (only when using
-    Dump style)
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output (only when using
+	  Dump style)
 
 There are two different approaches spew allows for dumping Go data structures:
 
-  - Dump style which prints with newlines, customizable indentation,
-    and additional debug information such as types and all pointer addresses
-    used to indirect to the final value
-  - A custom Formatter interface that integrates cleanly with the standard fmt
-    package and replaces %v, %+v, %#v, and %#+v to provide inline printing
-    similar to the default %v while providing the additional functionality
-    outlined above and passing unsupported format verbs such as %x and %q
-    along to fmt
+	* Dump style which prints with newlines, customizable indentation,
+	  and additional debug information such as types and all pointer addresses
+	  used to indirect to the final value
+	* A custom Formatter interface that integrates cleanly with the standard fmt
+	  package and replaces %v, %+v, %#v, and %#+v to provide inline printing
+	  similar to the default %v while providing the additional functionality
+	  outlined above and passing unsupported format verbs such as %x and %q
+	  along to fmt
 
-# Quick Start
+Quick Start
 
 This section demonstrates how to quickly get started with spew.  See the
 sections below for further details on formatting and configuration options.
 
 To dump a variable with full newlines, indentation, type, and pointer
 information use Dump, Fdump, or Sdump:
-
 	spew.Dump(myVar1, myVar2, ...)
 	spew.Fdump(someWriter, myVar1, myVar2, ...)
 	str := spew.Sdump(myVar1, myVar2, ...)
@@ -59,13 +58,12 @@ Alternatively, if you would prefer to use format strings with a compacted inline
 printing style, use the convenience wrappers Printf, Fprintf, etc with
 %v (most compact), %+v (adds pointer addresses), %#v (adds types), or
 %#+v (adds types and pointer addresses):
-
 	spew.Printf("myVar1: %v -- myVar2: %+v", myVar1, myVar2)
 	spew.Printf("myVar3: %#v -- myVar4: %#+v", myVar3, myVar4)
 	spew.Fprintf(someWriter, "myVar1: %v -- myVar2: %+v", myVar1, myVar2)
 	spew.Fprintf(someWriter, "myVar3: %#v -- myVar4: %#+v", myVar3, myVar4)
 
-# Configuration Options
+Configuration Options
 
 Configuration of spew is handled by fields in the ConfigState type.  For
 convenience, all of the top-level functions use a global state available
@@ -76,52 +74,51 @@ equivalent to the top-level functions.  This allows concurrent configuration
 options.  See the ConfigState documentation for more details.
 
 The following configuration options are available:
+	* Indent
+		String to use for each indentation level for Dump functions.
+		It is a single space by default.  A popular alternative is "\t".
 
-  - Indent
-    String to use for each indentation level for Dump functions.
-    It is a single space by default.  A popular alternative is "\t".
+	* MaxDepth
+		Maximum number of levels to descend into nested data structures.
+		There is no limit by default.
 
-  - MaxDepth
-    Maximum number of levels to descend into nested data structures.
-    There is no limit by default.
+	* DisableMethods
+		Disables invocation of error and Stringer interface methods.
+		Method invocation is enabled by default.
 
-  - DisableMethods
-    Disables invocation of error and Stringer interface methods.
-    Method invocation is enabled by default.
+	* DisablePointerMethods
+		Disables invocation of error and Stringer interface methods on types
+		which only accept pointer receivers from non-pointer variables.
+		Pointer method invocation is enabled by default.
 
-  - DisablePointerMethods
-    Disables invocation of error and Stringer interface methods on types
-    which only accept pointer receivers from non-pointer variables.
-    Pointer method invocation is enabled by default.
+	* DisablePointerAddresses
+		DisablePointerAddresses specifies whether to disable the printing of
+		pointer addresses. This is useful when diffing data structures in tests.
 
-  - DisablePointerAddresses
-    DisablePointerAddresses specifies whether to disable the printing of
-    pointer addresses. This is useful when diffing data structures in tests.
+	* DisableCapacities
+		DisableCapacities specifies whether to disable the printing of
+		capacities for arrays, slices, maps and channels. This is useful when
+		diffing data structures in tests.
 
-  - DisableCapacities
-    DisableCapacities specifies whether to disable the printing of
-    capacities for arrays, slices, maps and channels. This is useful when
-    diffing data structures in tests.
+	* ContinueOnMethod
+		Enables recursion into types after invoking error and Stringer interface
+		methods. Recursion after method invocation is disabled by default.
 
-  - ContinueOnMethod
-    Enables recursion into types after invoking error and Stringer interface
-    methods. Recursion after method invocation is disabled by default.
+	* SortKeys
+		Specifies map keys should be sorted before being printed. Use
+		this to have a more deterministic, diffable output.  Note that
+		only native types (bool, int, uint, floats, uintptr and string)
+		and types which implement error or Stringer interfaces are
+		supported with other types sorted according to the
+		reflect.Value.String() output which guarantees display
+		stability.  Natural map order is used by default.
 
-  - SortKeys
-    Specifies map keys should be sorted before being printed. Use
-    this to have a more deterministic, diffable output.  Note that
-    only native types (bool, int, uint, floats, uintptr and string)
-    and types which implement error or Stringer interfaces are
-    supported with other types sorted according to the
-    reflect.Value.String() output which guarantees display
-    stability.  Natural map order is used by default.
+	* SpewKeys
+		Specifies that, as a last resort attempt, map keys should be
+		spewed to strings and sorted by those strings.  This is only
+		considered if SortKeys is true.
 
-  - SpewKeys
-    Specifies that, as a last resort attempt, map keys should be
-    spewed to strings and sorted by those strings.  This is only
-    considered if SortKeys is true.
-
-# Dump Usage
+Dump Usage
 
 Simply call spew.Dump with a list of variables you want to dump:
 
@@ -136,7 +133,7 @@ A third option is to call spew.Sdump to get the formatted output as a string:
 
 	str := spew.Sdump(myVar1, myVar2, ...)
 
-# Sample Dump Output
+Sample Dump Output
 
 See the Dump example for details on the setup of the types and variables being
 shown here.
@@ -153,14 +150,13 @@ shown here.
 
 Byte (and uint8) arrays and slices are displayed uniquely like the hexdump -C
 command as shown.
-
 	([]uint8) (len=32 cap=32) {
 	 00000000  11 12 13 14 15 16 17 18  19 1a 1b 1c 1d 1e 1f 20  |............... |
 	 00000010  21 22 23 24 25 26 27 28  29 2a 2b 2c 2d 2e 2f 30  |!"#$%&'()*+,-./0|
 	 00000020  31 32                                             |12|
 	}
 
-# Custom Formatter
+Custom Formatter
 
 Spew provides a custom formatter that implements the fmt.Formatter interface
 so that it integrates cleanly with standard fmt package printing functions. The
@@ -174,7 +170,7 @@ standard fmt package for formatting.  In addition, the custom formatter ignores
 the width and precision arguments (however they will still work on the format
 specifiers not handled by the custom formatter).
 
-# Custom Formatter Usage
+Custom Formatter Usage
 
 The simplest way to make use of the spew custom formatter is to call one of the
 convenience functions such as spew.Printf, spew.Println, or spew.Printf.  The
@@ -188,17 +184,15 @@ functions have syntax you are most likely already familiar with:
 
 See the Index for the full list convenience functions.
 
-# Sample Formatter Output
+Sample Formatter Output
 
 Double pointer to a uint8:
-
 	  %v: <**>5
 	 %+v: <**>(0xf8400420d0->0xf8400420c8)5
 	 %#v: (**uint8)5
 	%#+v: (**uint8)(0xf8400420d0->0xf8400420c8)5
 
 Pointer to circular struct with a uint8 field and a pointer to itself:
-
 	  %v: <*>{1 <*><shown>}
 	 %+v: <*>(0xf84003e260){ui8:1 c:<*>(0xf84003e260)<shown>}
 	 %#v: (*main.circular){ui8:(uint8)1 c:(*main.circular)<shown>}
@@ -207,7 +201,7 @@ Pointer to circular struct with a uint8 field and a pointer to itself:
 See the Printf example for details on the setup of variables being shown
 here.
 
-# Errors
+Errors
 
 Since it is possible for custom Stringer/error interfaces to panic, spew
 detects them and handles them internally by printing the panic information

vendor/github.com/davecgh/go-spew/spew/dump.go

@@ -488,15 +488,15 @@ pointer addresses used to indirect to the final value.  It provides the
 following features over the built-in printing facilities provided by the fmt
 package:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output
 
 The configuration options are controlled by an exported package global,
 spew.Config.  See ConfigState for options documentation.

vendor/github.com/google/uuid/CHANGELOG.md

@@ -1,41 +0,0 @@
-# Changelog
-
-## [1.6.0](https://github.com/google/uuid/compare/v1.5.0...v1.6.0) (2024-01-16)
-
-
-### Features
-
-* add Max UUID constant ([#149](https://github.com/google/uuid/issues/149)) ([c58770e](https://github.com/google/uuid/commit/c58770eb495f55fe2ced6284f93c5158a62e53e3))
-
-
-### Bug Fixes
-
-* fix typo in version 7 uuid documentation ([#153](https://github.com/google/uuid/issues/153)) ([016b199](https://github.com/google/uuid/commit/016b199544692f745ffc8867b914129ecb47ef06))
-* Monotonicity in UUIDv7 ([#150](https://github.com/google/uuid/issues/150)) ([a2b2b32](https://github.com/google/uuid/commit/a2b2b32373ff0b1a312b7fdf6d38a977099698a6))
-
-## [1.5.0](https://github.com/google/uuid/compare/v1.4.0...v1.5.0) (2023-12-12)
-
-
-### Features
-
-* Validate UUID without creating new UUID ([#141](https://github.com/google/uuid/issues/141)) ([9ee7366](https://github.com/google/uuid/commit/9ee7366e66c9ad96bab89139418a713dc584ae29))
-
-## [1.4.0](https://github.com/google/uuid/compare/v1.3.1...v1.4.0) (2023-10-26)
-
-
-### Features
-
-* UUIDs slice type with Strings() convenience method ([#133](https://github.com/google/uuid/issues/133)) ([cd5fbbd](https://github.com/google/uuid/commit/cd5fbbdd02f3e3467ac18940e07e062be1f864b4))
-
-### Fixes
-
-* Clarify that Parse's job is to parse but not necessarily validate strings. (Documents current behavior)
-
-## [1.3.1](https://github.com/google/uuid/compare/v1.3.0...v1.3.1) (2023-08-18)
-
-
-### Bug Fixes
-
-* Use .EqualFold() to parse urn prefixed UUIDs ([#118](https://github.com/google/uuid/issues/118)) ([574e687](https://github.com/google/uuid/commit/574e6874943741fb99d41764c705173ada5293f0))
-
-## Changelog

vendor/github.com/google/uuid/CONTRIBUTING.md

@@ -1,26 +0,0 @@
-# How to contribute
-
-We definitely welcome patches and contribution to this project!
-
-### Tips
-
-Commits must be formatted according to the [Conventional Commits Specification](https://www.conventionalcommits.org).
-
-Always try to include a test case! If it is not possible or not necessary,
-please explain why in the pull request description.
-
-### Releasing
-
-Commits that would precipitate a SemVer change, as described in the Conventional
-Commits Specification, will trigger [`release-please`](https://github.com/google-github-actions/release-please-action)
-to create a release candidate pull request. Once submitted, `release-please`
-will create a release.
-
-For tips on how to work with `release-please`, see its documentation.
-
-### Legal requirements
-
-In order to protect both you and ourselves, you will need to sign the
-[Contributor License Agreement](https://cla.developers.google.com/clas).
-
-You may have already signed it for other Google projects.

vendor/github.com/google/uuid/CONTRIBUTORS

@@ -1,9 +0,0 @@
-Paul Borman <borman@google.com>
-bmatsuo
-shawnps
-theory
-jboverfelt
-dsymonds
-cd1
-wallclockbuilder
-dansouza

vendor/github.com/google/uuid/LICENSE

@@ -1,27 +0,0 @@
-Copyright (c) 2009,2014 Google Inc. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/google/uuid/README.md

@@ -1,21 +0,0 @@
-# uuid
-The uuid package generates and inspects UUIDs based on
-[RFC 4122](https://datatracker.ietf.org/doc/html/rfc4122)
-and DCE 1.1: Authentication and Security Services. 
-
-This package is based on the github.com/pborman/uuid package (previously named
-code.google.com/p/go-uuid).  It differs from these earlier packages in that
-a UUID is a 16 byte array rather than a byte slice.  One loss due to this
-change is the ability to represent an invalid UUID (vs a NIL UUID).
-
-###### Install
-```sh
-go get github.com/google/uuid
-```
-
-###### Documentation 
-[![Go Reference](https://pkg.go.dev/badge/github.com/google/uuid.svg)](https://pkg.go.dev/github.com/google/uuid)
-
-Full `go doc` style documentation for the package can be viewed online without
-installing this package by using the GoDoc site here: 
-http://pkg.go.dev/github.com/google/uuid

vendor/github.com/google/uuid/dce.go

@@ -1,80 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-	"fmt"
-	"os"
-)
-
-// A Domain represents a Version 2 domain
-type Domain byte
-
-// Domain constants for DCE Security (Version 2) UUIDs.
-const (
-	Person = Domain(0)
-	Group  = Domain(1)
-	Org    = Domain(2)
-)
-
-// NewDCESecurity returns a DCE Security (Version 2) UUID.
-//
-// The domain should be one of Person, Group or Org.
-// On a POSIX system the id should be the users UID for the Person
-// domain and the users GID for the Group.  The meaning of id for
-// the domain Org or on non-POSIX systems is site defined.
-//
-// For a given domain/id pair the same token may be returned for up to
-// 7 minutes and 10 seconds.
-func NewDCESecurity(domain Domain, id uint32) (UUID, error) {
-	uuid, err := NewUUID()
-	if err == nil {
-		uuid[6] = (uuid[6] & 0x0f) | 0x20 // Version 2
-		uuid[9] = byte(domain)
-		binary.BigEndian.PutUint32(uuid[0:], id)
-	}
-	return uuid, err
-}
-
-// NewDCEPerson returns a DCE Security (Version 2) UUID in the person
-// domain with the id returned by os.Getuid.
-//
-//  NewDCESecurity(Person, uint32(os.Getuid()))
-func NewDCEPerson() (UUID, error) {
-	return NewDCESecurity(Person, uint32(os.Getuid()))
-}
-
-// NewDCEGroup returns a DCE Security (Version 2) UUID in the group
-// domain with the id returned by os.Getgid.
-//
-//  NewDCESecurity(Group, uint32(os.Getgid()))
-func NewDCEGroup() (UUID, error) {
-	return NewDCESecurity(Group, uint32(os.Getgid()))
-}
-
-// Domain returns the domain for a Version 2 UUID.  Domains are only defined
-// for Version 2 UUIDs.
-func (uuid UUID) Domain() Domain {
-	return Domain(uuid[9])
-}
-
-// ID returns the id for a Version 2 UUID. IDs are only defined for Version 2
-// UUIDs.
-func (uuid UUID) ID() uint32 {
-	return binary.BigEndian.Uint32(uuid[0:4])
-}
-
-func (d Domain) String() string {
-	switch d {
-	case Person:
-		return "Person"
-	case Group:
-		return "Group"
-	case Org:
-		return "Org"
-	}
-	return fmt.Sprintf("Domain%d", int(d))
-}

vendor/github.com/google/uuid/doc.go

@@ -1,12 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package uuid generates and inspects UUIDs.
-//
-// UUIDs are based on RFC 4122 and DCE 1.1: Authentication and Security
-// Services.
-//
-// A UUID is a 16 byte (128 bit) array.  UUIDs may be used as keys to
-// maps or compared directly.
-package uuid

vendor/github.com/google/uuid/hash.go

@@ -1,59 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"crypto/md5"
-	"crypto/sha1"
-	"hash"
-)
-
-// Well known namespace IDs and UUIDs
-var (
-	NameSpaceDNS  = Must(Parse("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceURL  = Must(Parse("6ba7b811-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceOID  = Must(Parse("6ba7b812-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceX500 = Must(Parse("6ba7b814-9dad-11d1-80b4-00c04fd430c8"))
-	Nil           UUID // empty UUID, all zeros
-
-	// The Max UUID is special form of UUID that is specified to have all 128 bits set to 1.
-	Max = UUID{
-		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-	}
-)
-
-// NewHash returns a new UUID derived from the hash of space concatenated with
-// data generated by h.  The hash should be at least 16 byte in length.  The
-// first 16 bytes of the hash are used to form the UUID.  The version of the
-// UUID will be the lower 4 bits of version.  NewHash is used to implement
-// NewMD5 and NewSHA1.
-func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID {
-	h.Reset()
-	h.Write(space[:]) //nolint:errcheck
-	h.Write(data)     //nolint:errcheck
-	s := h.Sum(nil)
-	var uuid UUID
-	copy(uuid[:], s)
-	uuid[6] = (uuid[6] & 0x0f) | uint8((version&0xf)<<4)
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // RFC 4122 variant
-	return uuid
-}
-
-// NewMD5 returns a new MD5 (Version 3) UUID based on the
-// supplied name space and data.  It is the same as calling:
-//
-//  NewHash(md5.New(), space, data, 3)
-func NewMD5(space UUID, data []byte) UUID {
-	return NewHash(md5.New(), space, data, 3)
-}
-
-// NewSHA1 returns a new SHA1 (Version 5) UUID based on the
-// supplied name space and data.  It is the same as calling:
-//
-//  NewHash(sha1.New(), space, data, 5)
-func NewSHA1(space UUID, data []byte) UUID {
-	return NewHash(sha1.New(), space, data, 5)
-}

vendor/github.com/google/uuid/marshal.go

@@ -1,38 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "fmt"
-
-// MarshalText implements encoding.TextMarshaler.
-func (uuid UUID) MarshalText() ([]byte, error) {
-	var js [36]byte
-	encodeHex(js[:], uuid)
-	return js[:], nil
-}
-
-// UnmarshalText implements encoding.TextUnmarshaler.
-func (uuid *UUID) UnmarshalText(data []byte) error {
-	id, err := ParseBytes(data)
-	if err != nil {
-		return err
-	}
-	*uuid = id
-	return nil
-}
-
-// MarshalBinary implements encoding.BinaryMarshaler.
-func (uuid UUID) MarshalBinary() ([]byte, error) {
-	return uuid[:], nil
-}
-
-// UnmarshalBinary implements encoding.BinaryUnmarshaler.
-func (uuid *UUID) UnmarshalBinary(data []byte) error {
-	if len(data) != 16 {
-		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
-	}
-	copy(uuid[:], data)
-	return nil
-}

vendor/github.com/google/uuid/node.go

@@ -1,90 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"sync"
-)
-
-var (
-	nodeMu sync.Mutex
-	ifname string  // name of interface being used
-	nodeID [6]byte // hardware for version 1 UUIDs
-	zeroID [6]byte // nodeID with only 0's
-)
-
-// NodeInterface returns the name of the interface from which the NodeID was
-// derived.  The interface "user" is returned if the NodeID was set by
-// SetNodeID.
-func NodeInterface() string {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	return ifname
-}
-
-// SetNodeInterface selects the hardware address to be used for Version 1 UUIDs.
-// If name is "" then the first usable interface found will be used or a random
-// Node ID will be generated.  If a named interface cannot be found then false
-// is returned.
-//
-// SetNodeInterface never fails when name is "".
-func SetNodeInterface(name string) bool {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	return setNodeInterface(name)
-}
-
-func setNodeInterface(name string) bool {
-	iname, addr := getHardwareInterface(name) // null implementation for js
-	if iname != "" && addr != nil {
-		ifname = iname
-		copy(nodeID[:], addr)
-		return true
-	}
-
-	// We found no interfaces with a valid hardware address.  If name
-	// does not specify a specific interface generate a random Node ID
-	// (section 4.1.6)
-	if name == "" {
-		ifname = "random"
-		randomBits(nodeID[:])
-		return true
-	}
-	return false
-}
-
-// NodeID returns a slice of a copy of the current Node ID, setting the Node ID
-// if not already set.
-func NodeID() []byte {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	nid := nodeID
-	return nid[:]
-}
-
-// SetNodeID sets the Node ID to be used for Version 1 UUIDs.  The first 6 bytes
-// of id are used.  If id is less than 6 bytes then false is returned and the
-// Node ID is not set.
-func SetNodeID(id []byte) bool {
-	if len(id) < 6 {
-		return false
-	}
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	copy(nodeID[:], id)
-	ifname = "user"
-	return true
-}
-
-// NodeID returns the 6 byte node id encoded in uuid.  It returns nil if uuid is
-// not valid.  The NodeID is only well defined for version 1 and 2 UUIDs.
-func (uuid UUID) NodeID() []byte {
-	var node [6]byte
-	copy(node[:], uuid[10:])
-	return node[:]
-}

vendor/github.com/google/uuid/node_js.go

@@ -1,12 +0,0 @@
-// Copyright 2017 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build js
-
-package uuid
-
-// getHardwareInterface returns nil values for the JS version of the code.
-// This removes the "net" dependency, because it is not used in the browser.
-// Using the "net" library inflates the size of the transpiled JS code by 673k bytes.
-func getHardwareInterface(name string) (string, []byte) { return "", nil }

vendor/github.com/google/uuid/node_net.go

@@ -1,33 +0,0 @@
-// Copyright 2017 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !js
-
-package uuid
-
-import "net"
-
-var interfaces []net.Interface // cached list of interfaces
-
-// getHardwareInterface returns the name and hardware address of interface name.
-// If name is "" then the name and hardware address of one of the system's
-// interfaces is returned.  If no interfaces are found (name does not exist or
-// there are no interfaces) then "", nil is returned.
-//
-// Only addresses of at least 6 bytes are returned.
-func getHardwareInterface(name string) (string, []byte) {
-	if interfaces == nil {
-		var err error
-		interfaces, err = net.Interfaces()
-		if err != nil {
-			return "", nil
-		}
-	}
-	for _, ifs := range interfaces {
-		if len(ifs.HardwareAddr) >= 6 && (name == "" || name == ifs.Name) {
-			return ifs.Name, ifs.HardwareAddr
-		}
-	}
-	return "", nil
-}

vendor/github.com/google/uuid/null.go

@@ -1,118 +0,0 @@
-// Copyright 2021 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"bytes"
-	"database/sql/driver"
-	"encoding/json"
-	"fmt"
-)
-
-var jsonNull = []byte("null")
-
-// NullUUID represents a UUID that may be null.
-// NullUUID implements the SQL driver.Scanner interface so
-// it can be used as a scan destination:
-//
-//  var u uuid.NullUUID
-//  err := db.QueryRow("SELECT name FROM foo WHERE id=?", id).Scan(&u)
-//  ...
-//  if u.Valid {
-//     // use u.UUID
-//  } else {
-//     // NULL value
-//  }
-//
-type NullUUID struct {
-	UUID  UUID
-	Valid bool // Valid is true if UUID is not NULL
-}
-
-// Scan implements the SQL driver.Scanner interface.
-func (nu *NullUUID) Scan(value interface{}) error {
-	if value == nil {
-		nu.UUID, nu.Valid = Nil, false
-		return nil
-	}
-
-	err := nu.UUID.Scan(value)
-	if err != nil {
-		nu.Valid = false
-		return err
-	}
-
-	nu.Valid = true
-	return nil
-}
-
-// Value implements the driver Valuer interface.
-func (nu NullUUID) Value() (driver.Value, error) {
-	if !nu.Valid {
-		return nil, nil
-	}
-	// Delegate to UUID Value function
-	return nu.UUID.Value()
-}
-
-// MarshalBinary implements encoding.BinaryMarshaler.
-func (nu NullUUID) MarshalBinary() ([]byte, error) {
-	if nu.Valid {
-		return nu.UUID[:], nil
-	}
-
-	return []byte(nil), nil
-}
-
-// UnmarshalBinary implements encoding.BinaryUnmarshaler.
-func (nu *NullUUID) UnmarshalBinary(data []byte) error {
-	if len(data) != 16 {
-		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
-	}
-	copy(nu.UUID[:], data)
-	nu.Valid = true
-	return nil
-}
-
-// MarshalText implements encoding.TextMarshaler.
-func (nu NullUUID) MarshalText() ([]byte, error) {
-	if nu.Valid {
-		return nu.UUID.MarshalText()
-	}
-
-	return jsonNull, nil
-}
-
-// UnmarshalText implements encoding.TextUnmarshaler.
-func (nu *NullUUID) UnmarshalText(data []byte) error {
-	id, err := ParseBytes(data)
-	if err != nil {
-		nu.Valid = false
-		return err
-	}
-	nu.UUID = id
-	nu.Valid = true
-	return nil
-}
-
-// MarshalJSON implements json.Marshaler.
-func (nu NullUUID) MarshalJSON() ([]byte, error) {
-	if nu.Valid {
-		return json.Marshal(nu.UUID)
-	}
-
-	return jsonNull, nil
-}
-
-// UnmarshalJSON implements json.Unmarshaler.
-func (nu *NullUUID) UnmarshalJSON(data []byte) error {
-	if bytes.Equal(data, jsonNull) {
-		*nu = NullUUID{}
-		return nil // valid null UUID
-	}
-	err := json.Unmarshal(data, &nu.UUID)
-	nu.Valid = err == nil
-	return err
-}

vendor/github.com/google/uuid/sql.go

@@ -1,59 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"database/sql/driver"
-	"fmt"
-)
-
-// Scan implements sql.Scanner so UUIDs can be read from databases transparently.
-// Currently, database types that map to string and []byte are supported. Please
-// consult database-specific driver documentation for matching types.
-func (uuid *UUID) Scan(src interface{}) error {
-	switch src := src.(type) {
-	case nil:
-		return nil
-
-	case string:
-		// if an empty UUID comes from a table, we return a null UUID
-		if src == "" {
-			return nil
-		}
-
-		// see Parse for required string format
-		u, err := Parse(src)
-		if err != nil {
-			return fmt.Errorf("Scan: %v", err)
-		}
-
-		*uuid = u
-
-	case []byte:
-		// if an empty UUID comes from a table, we return a null UUID
-		if len(src) == 0 {
-			return nil
-		}
-
-		// assumes a simple slice of bytes if 16 bytes
-		// otherwise attempts to parse
-		if len(src) != 16 {
-			return uuid.Scan(string(src))
-		}
-		copy((*uuid)[:], src)
-
-	default:
-		return fmt.Errorf("Scan: unable to scan type %T into UUID", src)
-	}
-
-	return nil
-}
-
-// Value implements sql.Valuer so that UUIDs can be written to databases
-// transparently. Currently, UUIDs map to strings. Please consult
-// database-specific driver documentation for matching types.
-func (uuid UUID) Value() (driver.Value, error) {
-	return uuid.String(), nil
-}

vendor/github.com/google/uuid/time.go

@@ -1,134 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-	"sync"
-	"time"
-)
-
-// A Time represents a time as the number of 100's of nanoseconds since 15 Oct
-// 1582.
-type Time int64
-
-const (
-	lillian    = 2299160          // Julian day of 15 Oct 1582
-	unix       = 2440587          // Julian day of 1 Jan 1970
-	epoch      = unix - lillian   // Days between epochs
-	g1582      = epoch * 86400    // seconds between epochs
-	g1582ns100 = g1582 * 10000000 // 100s of a nanoseconds between epochs
-)
-
-var (
-	timeMu   sync.Mutex
-	lasttime uint64 // last time we returned
-	clockSeq uint16 // clock sequence for this run
-
-	timeNow = time.Now // for testing
-)
-
-// UnixTime converts t the number of seconds and nanoseconds using the Unix
-// epoch of 1 Jan 1970.
-func (t Time) UnixTime() (sec, nsec int64) {
-	sec = int64(t - g1582ns100)
-	nsec = (sec % 10000000) * 100
-	sec /= 10000000
-	return sec, nsec
-}
-
-// GetTime returns the current Time (100s of nanoseconds since 15 Oct 1582) and
-// clock sequence as well as adjusting the clock sequence as needed.  An error
-// is returned if the current time cannot be determined.
-func GetTime() (Time, uint16, error) {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	return getTime()
-}
-
-func getTime() (Time, uint16, error) {
-	t := timeNow()
-
-	// If we don't have a clock sequence already, set one.
-	if clockSeq == 0 {
-		setClockSequence(-1)
-	}
-	now := uint64(t.UnixNano()/100) + g1582ns100
-
-	// If time has gone backwards with this clock sequence then we
-	// increment the clock sequence
-	if now <= lasttime {
-		clockSeq = ((clockSeq + 1) & 0x3fff) | 0x8000
-	}
-	lasttime = now
-	return Time(now), clockSeq, nil
-}
-
-// ClockSequence returns the current clock sequence, generating one if not
-// already set.  The clock sequence is only used for Version 1 UUIDs.
-//
-// The uuid package does not use global static storage for the clock sequence or
-// the last time a UUID was generated.  Unless SetClockSequence is used, a new
-// random clock sequence is generated the first time a clock sequence is
-// requested by ClockSequence, GetTime, or NewUUID.  (section 4.2.1.1)
-func ClockSequence() int {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	return clockSequence()
-}
-
-func clockSequence() int {
-	if clockSeq == 0 {
-		setClockSequence(-1)
-	}
-	return int(clockSeq & 0x3fff)
-}
-
-// SetClockSequence sets the clock sequence to the lower 14 bits of seq.  Setting to
-// -1 causes a new sequence to be generated.
-func SetClockSequence(seq int) {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	setClockSequence(seq)
-}
-
-func setClockSequence(seq int) {
-	if seq == -1 {
-		var b [2]byte
-		randomBits(b[:]) // clock sequence
-		seq = int(b[0])<<8 | int(b[1])
-	}
-	oldSeq := clockSeq
-	clockSeq = uint16(seq&0x3fff) | 0x8000 // Set our variant
-	if oldSeq != clockSeq {
-		lasttime = 0
-	}
-}
-
-// Time returns the time in 100s of nanoseconds since 15 Oct 1582 encoded in
-// uuid.  The time is only defined for version 1, 2, 6 and 7 UUIDs.
-func (uuid UUID) Time() Time {
-	var t Time
-	switch uuid.Version() {
-	case 6:
-		time := binary.BigEndian.Uint64(uuid[:8]) // Ignore uuid[6] version b0110
-		t = Time(time)
-	case 7:
-		time := binary.BigEndian.Uint64(uuid[:8])
-		t = Time((time>>16)*10000 + g1582ns100)
-	default: // forward compatible
-		time := int64(binary.BigEndian.Uint32(uuid[0:4]))
-		time |= int64(binary.BigEndian.Uint16(uuid[4:6])) << 32
-		time |= int64(binary.BigEndian.Uint16(uuid[6:8])&0xfff) << 48
-		t = Time(time)
-	}
-	return t
-}
-
-// ClockSequence returns the clock sequence encoded in uuid.
-// The clock sequence is only well defined for version 1 and 2 UUIDs.
-func (uuid UUID) ClockSequence() int {
-	return int(binary.BigEndian.Uint16(uuid[8:10])) & 0x3fff
-}

vendor/github.com/google/uuid/util.go

@@ -1,43 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"io"
-)
-
-// randomBits completely fills slice b with random data.
-func randomBits(b []byte) {
-	if _, err := io.ReadFull(rander, b); err != nil {
-		panic(err.Error()) // rand should never fail
-	}
-}
-
-// xvalues returns the value of a byte as a hexadecimal digit or 255.
-var xvalues = [256]byte{
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255,
-	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-}
-
-// xtob converts hex characters x1 and x2 into a byte.
-func xtob(x1, x2 byte) (byte, bool) {
-	b1 := xvalues[x1]
-	b2 := xvalues[x2]
-	return (b1 << 4) | b2, b1 != 255 && b2 != 255
-}

vendor/github.com/google/uuid/uuid.go

@@ -1,365 +0,0 @@
-// Copyright 2018 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-	"sync"
-)
-
-// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
-// 4122.
-type UUID [16]byte
-
-// A Version represents a UUID's version.
-type Version byte
-
-// A Variant represents a UUID's variant.
-type Variant byte
-
-// Constants returned by Variant.
-const (
-	Invalid   = Variant(iota) // Invalid UUID
-	RFC4122                   // The variant specified in RFC4122
-	Reserved                  // Reserved, NCS backward compatibility.
-	Microsoft                 // Reserved, Microsoft Corporation backward compatibility.
-	Future                    // Reserved for future definition.
-)
-
-const randPoolSize = 16 * 16
-
-var (
-	rander      = rand.Reader // random function
-	poolEnabled = false
-	poolMu      sync.Mutex
-	poolPos     = randPoolSize     // protected with poolMu
-	pool        [randPoolSize]byte // protected with poolMu
-)
-
-type invalidLengthError struct{ len int }
-
-func (err invalidLengthError) Error() string {
-	return fmt.Sprintf("invalid UUID length: %d", err.len)
-}
-
-// IsInvalidLengthError is matcher function for custom error invalidLengthError
-func IsInvalidLengthError(err error) bool {
-	_, ok := err.(invalidLengthError)
-	return ok
-}
-
-// Parse decodes s into a UUID or returns an error if it cannot be parsed.  Both
-// the standard UUID forms defined in RFC 4122
-// (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and
-// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) are decoded.  In addition,
-// Parse accepts non-standard strings such as the raw hex encoding
-// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and 38 byte "Microsoft style" encodings,
-// e.g.  {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.  Only the middle 36 bytes are
-// examined in the latter case.  Parse should not be used to validate strings as
-// it parses non-standard encodings as indicated above.
-func Parse(s string) (UUID, error) {
-	var uuid UUID
-	switch len(s) {
-	// xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36:
-
-	// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36 + 9:
-		if !strings.EqualFold(s[:9], "urn:uuid:") {
-			return uuid, fmt.Errorf("invalid urn prefix: %q", s[:9])
-		}
-		s = s[9:]
-
-	// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-	case 36 + 2:
-		s = s[1:]
-
-	// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-	case 32:
-		var ok bool
-		for i := range uuid {
-			uuid[i], ok = xtob(s[i*2], s[i*2+1])
-			if !ok {
-				return uuid, errors.New("invalid UUID format")
-			}
-		}
-		return uuid, nil
-	default:
-		return uuid, invalidLengthError{len(s)}
-	}
-	// s is now at least 36 bytes long
-	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
-		return uuid, errors.New("invalid UUID format")
-	}
-	for i, x := range [16]int{
-		0, 2, 4, 6,
-		9, 11,
-		14, 16,
-		19, 21,
-		24, 26, 28, 30, 32, 34,
-	} {
-		v, ok := xtob(s[x], s[x+1])
-		if !ok {
-			return uuid, errors.New("invalid UUID format")
-		}
-		uuid[i] = v
-	}
-	return uuid, nil
-}
-
-// ParseBytes is like Parse, except it parses a byte slice instead of a string.
-func ParseBytes(b []byte) (UUID, error) {
-	var uuid UUID
-	switch len(b) {
-	case 36: // xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36 + 9: // urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-		if !bytes.EqualFold(b[:9], []byte("urn:uuid:")) {
-			return uuid, fmt.Errorf("invalid urn prefix: %q", b[:9])
-		}
-		b = b[9:]
-	case 36 + 2: // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-		b = b[1:]
-	case 32: // xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-		var ok bool
-		for i := 0; i < 32; i += 2 {
-			uuid[i/2], ok = xtob(b[i], b[i+1])
-			if !ok {
-				return uuid, errors.New("invalid UUID format")
-			}
-		}
-		return uuid, nil
-	default:
-		return uuid, invalidLengthError{len(b)}
-	}
-	// s is now at least 36 bytes long
-	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	if b[8] != '-' || b[13] != '-' || b[18] != '-' || b[23] != '-' {
-		return uuid, errors.New("invalid UUID format")
-	}
-	for i, x := range [16]int{
-		0, 2, 4, 6,
-		9, 11,
-		14, 16,
-		19, 21,
-		24, 26, 28, 30, 32, 34,
-	} {
-		v, ok := xtob(b[x], b[x+1])
-		if !ok {
-			return uuid, errors.New("invalid UUID format")
-		}
-		uuid[i] = v
-	}
-	return uuid, nil
-}
-
-// MustParse is like Parse but panics if the string cannot be parsed.
-// It simplifies safe initialization of global variables holding compiled UUIDs.
-func MustParse(s string) UUID {
-	uuid, err := Parse(s)
-	if err != nil {
-		panic(`uuid: Parse(` + s + `): ` + err.Error())
-	}
-	return uuid
-}
-
-// FromBytes creates a new UUID from a byte slice. Returns an error if the slice
-// does not have a length of 16. The bytes are copied from the slice.
-func FromBytes(b []byte) (uuid UUID, err error) {
-	err = uuid.UnmarshalBinary(b)
-	return uuid, err
-}
-
-// Must returns uuid if err is nil and panics otherwise.
-func Must(uuid UUID, err error) UUID {
-	if err != nil {
-		panic(err)
-	}
-	return uuid
-}
-
-// Validate returns an error if s is not a properly formatted UUID in one of the following formats:
-//   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-//   urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-//   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-//   {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-// It returns an error if the format is invalid, otherwise nil.
-func Validate(s string) error {
-	switch len(s) {
-	// Standard UUID format
-	case 36:
-
-	// UUID with "urn:uuid:" prefix
-	case 36 + 9:
-		if !strings.EqualFold(s[:9], "urn:uuid:") {
-			return fmt.Errorf("invalid urn prefix: %q", s[:9])
-		}
-		s = s[9:]
-
-	// UUID enclosed in braces
-	case 36 + 2:
-		if s[0] != '{' || s[len(s)-1] != '}' {
-			return fmt.Errorf("invalid bracketed UUID format")
-		}
-		s = s[1 : len(s)-1]
-
-	// UUID without hyphens
-	case 32:
-		for i := 0; i < len(s); i += 2 {
-			_, ok := xtob(s[i], s[i+1])
-			if !ok {
-				return errors.New("invalid UUID format")
-			}
-		}
-
-	default:
-		return invalidLengthError{len(s)}
-	}
-
-	// Check for standard UUID format
-	if len(s) == 36 {
-		if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
-			return errors.New("invalid UUID format")
-		}
-		for _, x := range []int{0, 2, 4, 6, 9, 11, 14, 16, 19, 21, 24, 26, 28, 30, 32, 34} {
-			if _, ok := xtob(s[x], s[x+1]); !ok {
-				return errors.New("invalid UUID format")
-			}
-		}
-	}
-
-	return nil
-}
-
-// String returns the string form of uuid, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-// , or "" if uuid is invalid.
-func (uuid UUID) String() string {
-	var buf [36]byte
-	encodeHex(buf[:], uuid)
-	return string(buf[:])
-}
-
-// URN returns the RFC 2141 URN form of uuid,
-// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,  or "" if uuid is invalid.
-func (uuid UUID) URN() string {
-	var buf [36 + 9]byte
-	copy(buf[:], "urn:uuid:")
-	encodeHex(buf[9:], uuid)
-	return string(buf[:])
-}
-
-func encodeHex(dst []byte, uuid UUID) {
-	hex.Encode(dst, uuid[:4])
-	dst[8] = '-'
-	hex.Encode(dst[9:13], uuid[4:6])
-	dst[13] = '-'
-	hex.Encode(dst[14:18], uuid[6:8])
-	dst[18] = '-'
-	hex.Encode(dst[19:23], uuid[8:10])
-	dst[23] = '-'
-	hex.Encode(dst[24:], uuid[10:])
-}
-
-// Variant returns the variant encoded in uuid.
-func (uuid UUID) Variant() Variant {
-	switch {
-	case (uuid[8] & 0xc0) == 0x80:
-		return RFC4122
-	case (uuid[8] & 0xe0) == 0xc0:
-		return Microsoft
-	case (uuid[8] & 0xe0) == 0xe0:
-		return Future
-	default:
-		return Reserved
-	}
-}
-
-// Version returns the version of uuid.
-func (uuid UUID) Version() Version {
-	return Version(uuid[6] >> 4)
-}
-
-func (v Version) String() string {
-	if v > 15 {
-		return fmt.Sprintf("BAD_VERSION_%d", v)
-	}
-	return fmt.Sprintf("VERSION_%d", v)
-}
-
-func (v Variant) String() string {
-	switch v {
-	case RFC4122:
-		return "RFC4122"
-	case Reserved:
-		return "Reserved"
-	case Microsoft:
-		return "Microsoft"
-	case Future:
-		return "Future"
-	case Invalid:
-		return "Invalid"
-	}
-	return fmt.Sprintf("BadVariant%d", int(v))
-}
-
-// SetRand sets the random number generator to r, which implements io.Reader.
-// If r.Read returns an error when the package requests random data then
-// a panic will be issued.
-//
-// Calling SetRand with nil sets the random number generator to the default
-// generator.
-func SetRand(r io.Reader) {
-	if r == nil {
-		rander = rand.Reader
-		return
-	}
-	rander = r
-}
-
-// EnableRandPool enables internal randomness pool used for Random
-// (Version 4) UUID generation. The pool contains random bytes read from
-// the random number generator on demand in batches. Enabling the pool
-// may improve the UUID generation throughput significantly.
-//
-// Since the pool is stored on the Go heap, this feature may be a bad fit
-// for security sensitive applications.
-//
-// Both EnableRandPool and DisableRandPool are not thread-safe and should
-// only be called when there is no possibility that New or any other
-// UUID Version 4 generation function will be called concurrently.
-func EnableRandPool() {
-	poolEnabled = true
-}
-
-// DisableRandPool disables the randomness pool if it was previously
-// enabled with EnableRandPool.
-//
-// Both EnableRandPool and DisableRandPool are not thread-safe and should
-// only be called when there is no possibility that New or any other
-// UUID Version 4 generation function will be called concurrently.
-func DisableRandPool() {
-	poolEnabled = false
-	defer poolMu.Unlock()
-	poolMu.Lock()
-	poolPos = randPoolSize
-}
-
-// UUIDs is a slice of UUID types.
-type UUIDs []UUID
-
-// Strings returns a string slice containing the string form of each UUID in uuids.
-func (uuids UUIDs) Strings() []string {
-	var uuidStrs = make([]string, len(uuids))
-	for i, uuid := range uuids {
-		uuidStrs[i] = uuid.String()
-	}
-	return uuidStrs
-}

vendor/github.com/google/uuid/version1.go

@@ -1,44 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-)
-
-// NewUUID returns a Version 1 UUID based on the current NodeID and clock
-// sequence, and the current time.  If the NodeID has not been set by SetNodeID
-// or SetNodeInterface then it will be set automatically.  If the NodeID cannot
-// be set NewUUID returns nil.  If clock sequence has not been set by
-// SetClockSequence then it will be set automatically.  If GetTime fails to
-// return the current NewUUID returns nil and an error.
-//
-// In most cases, New should be used.
-func NewUUID() (UUID, error) {
-	var uuid UUID
-	now, seq, err := GetTime()
-	if err != nil {
-		return uuid, err
-	}
-
-	timeLow := uint32(now & 0xffffffff)
-	timeMid := uint16((now >> 32) & 0xffff)
-	timeHi := uint16((now >> 48) & 0x0fff)
-	timeHi |= 0x1000 // Version 1
-
-	binary.BigEndian.PutUint32(uuid[0:], timeLow)
-	binary.BigEndian.PutUint16(uuid[4:], timeMid)
-	binary.BigEndian.PutUint16(uuid[6:], timeHi)
-	binary.BigEndian.PutUint16(uuid[8:], seq)
-
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	copy(uuid[10:], nodeID[:])
-	nodeMu.Unlock()
-
-	return uuid, nil
-}

vendor/github.com/google/uuid/version4.go

@@ -1,76 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "io"
-
-// New creates a new random UUID or panics.  New is equivalent to
-// the expression
-//
-//    uuid.Must(uuid.NewRandom())
-func New() UUID {
-	return Must(NewRandom())
-}
-
-// NewString creates a new random UUID and returns it as a string or panics.
-// NewString is equivalent to the expression
-//
-//    uuid.New().String()
-func NewString() string {
-	return Must(NewRandom()).String()
-}
-
-// NewRandom returns a Random (Version 4) UUID.
-//
-// The strength of the UUIDs is based on the strength of the crypto/rand
-// package.
-//
-// Uses the randomness pool if it was enabled with EnableRandPool.
-//
-// A note about uniqueness derived from the UUID Wikipedia entry:
-//
-//  Randomly generated UUIDs have 122 random bits.  One's annual risk of being
-//  hit by a meteorite is estimated to be one chance in 17 billion, that
-//  means the probability is about 0.00000000006 (6 × 10−11),
-//  equivalent to the odds of creating a few tens of trillions of UUIDs in a
-//  year and having one duplicate.
-func NewRandom() (UUID, error) {
-	if !poolEnabled {
-		return NewRandomFromReader(rander)
-	}
-	return newRandomFromPool()
-}
-
-// NewRandomFromReader returns a UUID based on bytes read from a given io.Reader.
-func NewRandomFromReader(r io.Reader) (UUID, error) {
-	var uuid UUID
-	_, err := io.ReadFull(r, uuid[:])
-	if err != nil {
-		return Nil, err
-	}
-	uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
-	return uuid, nil
-}
-
-func newRandomFromPool() (UUID, error) {
-	var uuid UUID
-	poolMu.Lock()
-	if poolPos == randPoolSize {
-		_, err := io.ReadFull(rander, pool[:])
-		if err != nil {
-			poolMu.Unlock()
-			return Nil, err
-		}
-		poolPos = 0
-	}
-	copy(uuid[:], pool[poolPos:(poolPos+16)])
-	poolPos += 16
-	poolMu.Unlock()
-
-	uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
-	return uuid, nil
-}

vendor/github.com/google/uuid/version6.go

@@ -1,56 +0,0 @@
-// Copyright 2023 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "encoding/binary"
-
-// UUID version 6 is a field-compatible version of UUIDv1, reordered for improved DB locality.
-// It is expected that UUIDv6 will primarily be used in contexts where there are existing v1 UUIDs.
-// Systems that do not involve legacy UUIDv1 SHOULD consider using UUIDv7 instead.
-//
-// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#uuidv6
-//
-// NewV6 returns a Version 6 UUID based on the current NodeID and clock
-// sequence, and the current time. If the NodeID has not been set by SetNodeID
-// or SetNodeInterface then it will be set automatically. If the NodeID cannot
-// be set NewV6 set NodeID is random bits automatically . If clock sequence has not been set by
-// SetClockSequence then it will be set automatically. If GetTime fails to
-// return the current NewV6 returns Nil and an error.
-func NewV6() (UUID, error) {
-	var uuid UUID
-	now, seq, err := GetTime()
-	if err != nil {
-		return uuid, err
-	}
-
-	/*
-	    0                   1                   2                   3
-	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |                           time_high                           |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |           time_mid            |      time_low_and_version     |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |clk_seq_hi_res |  clk_seq_low  |         node (0-1)            |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |                         node (2-5)                            |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	*/
-
-	binary.BigEndian.PutUint64(uuid[0:], uint64(now))
-	binary.BigEndian.PutUint16(uuid[8:], seq)
-
-	uuid[6] = 0x60 | (uuid[6] & 0x0F)
-	uuid[8] = 0x80 | (uuid[8] & 0x3F)
-
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	copy(uuid[10:], nodeID[:])
-	nodeMu.Unlock()
-
-	return uuid, nil
-}

vendor/github.com/google/uuid/version7.go

@@ -1,104 +0,0 @@
-// Copyright 2023 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"io"
-)
-
-// UUID version 7 features a time-ordered value field derived from the widely
-// implemented and well known Unix Epoch timestamp source,
-// the number of milliseconds seconds since midnight 1 Jan 1970 UTC, leap seconds excluded.
-// As well as improved entropy characteristics over versions 1 or 6.
-//
-// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#name-uuid-version-7
-//
-// Implementations SHOULD utilize UUID version 7 over UUID version 1 and 6 if possible.
-//
-// NewV7 returns a Version 7 UUID based on the current time(Unix Epoch).
-// Uses the randomness pool if it was enabled with EnableRandPool.
-// On error, NewV7 returns Nil and an error
-func NewV7() (UUID, error) {
-	uuid, err := NewRandom()
-	if err != nil {
-		return uuid, err
-	}
-	makeV7(uuid[:])
-	return uuid, nil
-}
-
-// NewV7FromReader returns a Version 7 UUID based on the current time(Unix Epoch).
-// it use NewRandomFromReader fill random bits.
-// On error, NewV7FromReader returns Nil and an error.
-func NewV7FromReader(r io.Reader) (UUID, error) {
-	uuid, err := NewRandomFromReader(r)
-	if err != nil {
-		return uuid, err
-	}
-
-	makeV7(uuid[:])
-	return uuid, nil
-}
-
-// makeV7 fill 48 bits time (uuid[0] - uuid[5]), set version b0111 (uuid[6])
-// uuid[8] already has the right version number (Variant is 10)
-// see function NewV7 and NewV7FromReader
-func makeV7(uuid []byte) {
-	/*
-		 0                   1                   2                   3
-		 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|                           unix_ts_ms                          |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|          unix_ts_ms           |  ver  |  rand_a (12 bit seq)  |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|var|                        rand_b                             |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|                            rand_b                             |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	*/
-	_ = uuid[15] // bounds check
-
-	t, s := getV7Time()
-
-	uuid[0] = byte(t >> 40)
-	uuid[1] = byte(t >> 32)
-	uuid[2] = byte(t >> 24)
-	uuid[3] = byte(t >> 16)
-	uuid[4] = byte(t >> 8)
-	uuid[5] = byte(t)
-
-	uuid[6] = 0x70 | (0x0F & byte(s>>8))
-	uuid[7] = byte(s)
-}
-
-// lastV7time is the last time we returned stored as:
-//
-//	52 bits of time in milliseconds since epoch
-//	12 bits of (fractional nanoseconds) >> 8
-var lastV7time int64
-
-const nanoPerMilli = 1000000
-
-// getV7Time returns the time in milliseconds and nanoseconds / 256.
-// The returned (milli << 12 + seq) is guarenteed to be greater than
-// (milli << 12 + seq) returned by any previous call to getV7Time.
-func getV7Time() (milli, seq int64) {
-	timeMu.Lock()
-	defer timeMu.Unlock()
-
-	nano := timeNow().UnixNano()
-	milli = nano / nanoPerMilli
-	// Sequence number is between 0 and 3906 (nanoPerMilli>>8)
-	seq = (nano - milli*nanoPerMilli) >> 8
-	now := milli<<12 + seq
-	if now <= lastV7time {
-		now = lastV7time + 1
-		milli = now >> 12
-		seq = now & 0xfff
-	}
-	lastV7time = now
-	return milli, seq
-}