fix(refresh): honor userIdentifierClaim in token refresh path (#132)

patch-release

The refresh path in token_manager.go hardcoded the "email" claim when
extracting the user identifier from a refreshed ID token, ignoring the
configured userIdentifierClaim. Keycloak users without an email claim
(using sub or another identifier) were kicked out on refresh even
though their initial login worked.

The callback path (auth_flow.go:226-239) already honored
userIdentifierClaim with "sub" fallback; PR #100 (commit a316a98)
added that support but missed the refresh path.

Mirror the callback logic in refreshToken so both paths behave the same.

Cleanup: rename Get/SetEmail to Get/SetUserIdentifier on SessionData
to match the actual semantics. The slot already stored the configured
identifier (email, sub, oid, upn, preferred_username), only the API
name was misleading. Storage key "email" → "user_identifier" and
combinedSessionPayload field E (json:"e") → Ui (json:"ui").

Compat note: existing user sessions invalidate on upgrade — every active
user re-authenticates once after deploying this change.

audience_test.go

@@ -1491,7 +1491,7 @@ func TestAudienceEndToEndScenario(t *testing.T) {
 		if err := session.SetAuthenticated(true); err != nil {
 			t.Fatalf("Failed to set authenticated: %v", err)
 		}
-		session.SetEmail("user@company.com")
+		session.SetUserIdentifier("user@company.com")
 		session.SetIDToken(validJWT)
 		session.SetAccessToken(validJWT)
 

auth_flow.go

@@ -4,8 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-
-	"github.com/google/uuid"
+	"time"
 )
 
 // validateRedirectCount checks if redirect limit is exceeded and handles the error
@@ -44,7 +43,7 @@ func (t *TraefikOidc) generatePKCEParameters() (string, string, error) {
 func (t *TraefikOidc) prepareSessionForAuthentication(session *SessionData, csrfToken, nonce, codeVerifier, incomingPath string) {
 	// Clear all existing session data
 	_ = session.SetAuthenticated(false) // Safe to ignore: clearing authentication state on new flow
-	session.SetEmail("")
+	session.SetUserIdentifier("")
 	session.SetAccessToken("")
 	session.SetRefreshToken("")
 	session.SetIDToken("")
@@ -77,7 +76,12 @@ func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req
 		return
 	}
 
-	csrfToken := uuid.NewString()
+	csrfToken, err := newUUIDv4()
+	if err != nil {
+		t.logger.Errorf("Failed to generate CSRF token: %v", err)
+		http.Error(rw, "Failed to generate CSRF token", http.StatusInternalServerError)
+		return
+	}
 	nonce, err := generateNonce()
 	if err != nil {
 		t.logger.Errorf("Failed to generate nonce: %v", err)
@@ -246,7 +250,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request,
 		t.sendErrorResponse(rw, req, "Failed to update session", http.StatusInternalServerError)
 		return
 	}
-	session.SetEmail(userIdentifier) // SetEmail stores the user identifier (email or other claim)
+	session.SetUserIdentifier(userIdentifier)
 	session.SetIDToken(tokenResponse.IDToken)
 	session.SetAccessToken(tokenResponse.AccessToken)
 	session.SetRefreshToken(tokenResponse.RefreshToken)
@@ -286,7 +290,7 @@ func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Reque
 	session.SetIDToken("")
 	session.SetAccessToken("")
 	session.SetRefreshToken("")
-	session.SetEmail("")
+	session.SetUserIdentifier("")
 	// Clear CSRF tokens to prevent replay attacks
 	session.SetCSRF("")
 	session.SetNonce("")
@@ -334,9 +338,54 @@ func (t *TraefikOidc) isAjaxRequest(req *http.Request) bool {
 		strings.Contains(accept, "application/json")
 }
 
-// isRefreshTokenExpired checks if refresh token is likely expired (older than 6 hours)
-func (t *TraefikOidc) isRefreshTokenExpired(session *SessionData) bool {
-	// This is a heuristic check - actual implementation would depend on
-	// the specific provider and token metadata
-	return false // Placeholder implementation
+// isNonNavigationRequest reports whether the request is a browser
+// sub-resource (script, image, stylesheet, fetch, serviceWorker) rather than
+// a top-level HTML navigation. Non-navigation requests MUST NOT trigger an
+// OIDC redirect flow: several sub-resource loads happening in parallel would
+// each call defaultInitiateAuthentication, each overwriting the session's
+// CSRF/nonce, breaking the eventual callback (issue #129).
+//
+// Detection prefers Sec-Fetch-Mode, which all modern browsers send
+// (Chrome/Edge/Firefox/Safari). For older or non-browser clients we fall
+// back to Accept: if Accept is present and does not list text/html, treat
+// it as a sub-resource. An empty/missing Accept is assumed to be navigation
+// (safer to redirect than 401 on an ambiguous request).
+func (t *TraefikOidc) isNonNavigationRequest(req *http.Request) bool {
+	if mode := req.Header.Get("Sec-Fetch-Mode"); mode != "" {
+		return mode != "navigate"
+	}
+	accept := req.Header.Get("Accept")
+	if accept == "" || accept == "*/*" {
+		return false
+	}
+	return !strings.Contains(accept, "text/html")
+}
+
+// isRefreshTokenExpired checks whether the stored refresh token is likely
+// past its useful lifetime, using the cookie-side issued_at timestamp set by
+// SetRefreshToken. IdPs do not expose RT TTL on the wire, so this is a
+// conservative heuristic gated by t.maxRefreshTokenAge (default 6h, set via
+// MaxRefreshTokenAgeSeconds; 0 disables the check).
+//
+// The point of this check is to short-circuit the refresh path BEFORE the
+// thundering herd hits the IdP for a token the provider has almost certainly
+// revoked. Together with the RefreshCoordinator wireup, it keeps Grafana-
+// style polling clients from looping on invalid_grant after a long pause.
+func (t *TraefikOidc) isRefreshTokenExpired(session *SessionData) bool {
+	if t == nil || session == nil {
+		return false
+	}
+	if t.maxRefreshTokenAge <= 0 {
+		return false
+	}
+
+	issuedAt := session.GetRefreshTokenIssuedAt()
+	if issuedAt.IsZero() {
+		// No timestamp recorded (legacy session pre-dating the issued_at
+		// field). Don't force a re-auth - attempt refresh once and let the
+		// IdP be the source of truth.
+		return false
+	}
+
+	return time.Since(issuedAt) > t.maxRefreshTokenAge
 }

auth_flow_behaviour_test.go

@@ -192,7 +192,7 @@ func (s *AuthFlowBehaviourSuite) TestPrepareSessionForAuthentication() {
 
 	// Pre-populate session with old data
 	_ = session.SetAuthenticated(true)
-	session.SetEmail("old@example.com")
+	session.SetUserIdentifier("old@example.com")
 	session.SetAccessToken("old-access-token-with-many-characters")
 	session.SetRefreshToken("old-refresh-token-with-many-characters")
 	session.SetIDToken("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.signature")
@@ -207,7 +207,7 @@ func (s *AuthFlowBehaviourSuite) TestPrepareSessionForAuthentication() {
 
 	// Verify old data is cleared
 	s.False(session.GetAuthenticated())
-	s.Empty(session.GetEmail())
+	s.Empty(session.GetUserIdentifier())
 
 	// Verify new data is set
 	s.Equal(csrfToken, session.GetCSRF())
@@ -305,6 +305,90 @@ func (s *AuthFlowBehaviourSuite) TestIsAjaxRequest() {
 	}
 }
 
+// TestIsNonNavigationRequest verifies browser sub-resource detection used to
+// suppress OIDC redirects on parallel static-asset loads (issue #129).
+func (s *AuthFlowBehaviourSuite) TestIsNonNavigationRequest() {
+	testCases := []struct {
+		headers             map[string]string
+		name                string
+		expectNonNavigation bool
+	}{
+		{
+			name:                "Sec-Fetch-Mode navigate",
+			headers:             map[string]string{"Sec-Fetch-Mode": "navigate"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "Sec-Fetch-Mode no-cors",
+			headers:             map[string]string{"Sec-Fetch-Mode": "no-cors"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Sec-Fetch-Mode cors",
+			headers:             map[string]string{"Sec-Fetch-Mode": "cors"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Sec-Fetch-Mode same-origin (fetch in page)",
+			headers:             map[string]string{"Sec-Fetch-Mode": "same-origin"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept text/html (fallback)",
+			headers:             map[string]string{"Accept": "text/html,application/xhtml+xml"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "Accept image/png (fallback)",
+			headers:             map[string]string{"Accept": "image/png,image/*;q=0.8"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept application/javascript (fallback)",
+			headers:             map[string]string{"Accept": "application/javascript"},
+			expectNonNavigation: true,
+		},
+		{
+			name:                "Accept */* treated as navigation",
+			headers:             map[string]string{"Accept": "*/*"},
+			expectNonNavigation: false,
+		},
+		{
+			name:                "No Accept header assumed navigation",
+			headers:             map[string]string{},
+			expectNonNavigation: false,
+		},
+		{
+			name: "Sec-Fetch-Mode beats Accept (navigate wins)",
+			headers: map[string]string{
+				"Sec-Fetch-Mode": "navigate",
+				"Accept":         "application/javascript",
+			},
+			expectNonNavigation: false,
+		},
+		{
+			name: "Sec-Fetch-Mode beats Accept (no-cors wins)",
+			headers: map[string]string{
+				"Sec-Fetch-Mode": "no-cors",
+				"Accept":         "text/html",
+			},
+			expectNonNavigation: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		s.Run(tc.name, func() {
+			req := httptest.NewRequest(http.MethodGet, "/_static/asset.js", nil)
+			for key, value := range tc.headers {
+				req.Header.Set(key, value)
+			}
+
+			result := s.tOidc.isNonNavigationRequest(req)
+			s.Equal(tc.expectNonNavigation, result)
+		})
+	}
+}
+
 // TestHandleCallback_MissingState tests callback with missing state parameter
 func (s *AuthFlowBehaviourSuite) TestHandleCallback_MissingState() {
 	sessionManager, err := NewSessionManager(
@@ -627,7 +711,7 @@ func (s *AuthFlowBehaviourSuite) TestHandleExpiredToken() {
 	session, err := sessionManager.GetSession(req)
 	s.Require().NoError(err)
 	_ = session.SetAuthenticated(true)
-	session.SetEmail("test@example.com")
+	session.SetUserIdentifier("test@example.com")
 	session.SetIDToken("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.signature")
 	session.mainSession.Values["redirect_count"] = 3
 
@@ -636,7 +720,7 @@ func (s *AuthFlowBehaviourSuite) TestHandleExpiredToken() {
 
 	// Session should be cleared
 	s.False(session.GetAuthenticated())
-	s.Empty(session.GetEmail())
+	s.Empty(session.GetUserIdentifier())
 	s.Empty(session.GetIDToken())
 
 	// Redirect count should be reset to 0 and then incremented by defaultInitiateAuthentication

background_tasks_ultra_test.go

@@ -29,8 +29,9 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		pressure := monitor.GetMemoryPressure()
 		assert.Equal(t, MemoryPressureNone, pressure)
 
-		// Collect stats to populate lastStats
-		monitor.GetCurrentStats()
+		// Explicitly sample to populate lastStats; GetCurrentStats is now a
+		// cached read and no longer forces a runtime.ReadMemStats.
+		monitor.Refresh()
 
 		// Now should return a valid pressure level
 		pressure = monitor.GetMemoryPressure()
@@ -46,11 +47,13 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
-		// Start monitoring should not panic
+		// Start monitoring should not panic. Interval is clamped to the
+		// minimum (30s); we rely on Refresh() when we need a synchronous
+		// sample instead of waiting for a tick.
 		assert.NotPanics(t, func() {
 			ctx := context.Background()
-			monitor.StartMonitoring(ctx, 100*time.Millisecond)
-			time.Sleep(GetTestDuration(50 * time.Millisecond))
+			monitor.StartMonitoring(ctx, 0)
+			monitor.Refresh()
 		})
 
 		// Clean up
@@ -117,6 +120,9 @@ func TestMemoryMonitorComprehensive(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		// Refresh forces a synchronous sample; GetCurrentStats is a cached
+		// read, so we sample first to guarantee fresh data.
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 		assert.NotNil(t, stats)
 		assert.Greater(t, stats.HeapAllocBytes, uint64(0))
@@ -450,12 +456,12 @@ func TestMemoryMonitorIntegration(t *testing.T) {
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 		defer monitor.StopMonitoring()
 
-		// Start monitoring
+		// Start monitoring. The interval is clamped to the minimum (30s) so
+		// the ticker won't fire during the test; drive the sample manually via
+		// Refresh() instead.
 		ctx := context.Background()
-		monitor.StartMonitoring(ctx, 50*time.Millisecond)
-
-		// Wait for at least one check
-		time.Sleep(GetTestDuration(150 * time.Millisecond))
+		monitor.StartMonitoring(ctx, 0)
+		monitor.Refresh()
 
 		// Get pressure (should be a valid pressure level)
 		pressure := monitor.GetMemoryPressure()
@@ -488,6 +494,7 @@ func TestMemoryStatsCollection(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 
 		assert.NotNil(t, stats)
@@ -501,6 +508,7 @@ func TestMemoryStatsCollection(t *testing.T) {
 		thresholds := DefaultMemoryAlertThresholds()
 		monitor := NewMemoryMonitor(newNoOpLogger(), thresholds)
 
+		monitor.Refresh()
 		stats := monitor.GetCurrentStats()
 
 		// Should calculate and include pressure level
@@ -521,13 +529,14 @@ func TestMemoryStatsCollection(t *testing.T) {
 		// Allocate some memory
 		_ = make([]byte, 1024*1024) // 1MB
 
-		// Get stats before GC
-		beforeStats := monitor.GetCurrentStats()
+		// Get stats before GC (explicit Refresh so we have a fresh pre-GC
+		// snapshot to compare against, not the constructor baseline).
+		beforeStats := monitor.Refresh()
 
-		// Trigger GC
+		// Trigger GC (internally Refresh()es before and after)
 		monitor.TriggerGC()
 
-		// Get stats after GC
+		// Get stats after GC from cache (TriggerGC already refreshed it)
 		afterStats := monitor.GetCurrentStats()
 
 		// After GC should have different stats

ca_cert_test.go

@@ -0,0 +1,137 @@
+package traefikoidc
+
+import (
+	"encoding/pem"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// testCertPEM returns a valid PEM-encoded certificate harvested from an
+// httptest.NewTLSServer. Using httptest keeps the test free of any
+// handwritten static cert that could expire.
+func testCertPEM(t *testing.T) string {
+	t.Helper()
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
+	t.Cleanup(srv.Close)
+
+	cert := srv.Certificate()
+	if cert == nil {
+		t.Fatal("httptest.NewTLSServer did not expose a certificate")
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
+}
+
+func TestLoadCACertPool_Empty(t *testing.T) {
+	cfg := &Config{}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool when no CA source configured, got %v", pool)
+	}
+}
+
+func TestLoadCACertPool_InlinePEM(t *testing.T) {
+	cfg := &Config{CACertPEM: testCertPEM(t)}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool for valid CACertPEM")
+	}
+}
+
+func TestLoadCACertPool_InlinePEM_Garbage(t *testing.T) {
+	cfg := &Config{CACertPEM: "not a pem"}
+	pool, err := cfg.loadCACertPool()
+	if err == nil {
+		t.Fatal("expected error for garbage CACertPEM, got nil")
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool on error, got %v", pool)
+	}
+	if !strings.Contains(err.Error(), "caCertPEM") {
+		t.Errorf("error should name the failing field, got: %v", err)
+	}
+}
+
+func TestLoadCACertPool_FilePath(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "ca.pem")
+	if err := os.WriteFile(path, []byte(testCertPEM(t)), 0o600); err != nil {
+		t.Fatalf("writing temp PEM: %v", err)
+	}
+
+	cfg := &Config{CACertPath: path}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool for valid CACertPath")
+	}
+}
+
+func TestLoadCACertPool_FilePath_Missing(t *testing.T) {
+	cfg := &Config{CACertPath: "/does/not/exist/ca.pem"}
+	pool, err := cfg.loadCACertPool()
+	if err == nil {
+		t.Fatal("expected error for missing CACertPath, got nil")
+	}
+	if pool != nil {
+		t.Errorf("expected nil pool on error, got %v", pool)
+	}
+}
+
+func TestLoadCACertPool_Combined(t *testing.T) {
+	// Both inline and file sources populated — certificates from both should
+	// be accepted into the same pool.
+	dir := t.TempDir()
+	path := filepath.Join(dir, "ca.pem")
+	if err := os.WriteFile(path, []byte(testCertPEM(t)), 0o600); err != nil {
+		t.Fatalf("writing temp PEM: %v", err)
+	}
+
+	cfg := &Config{CACertPath: path, CACertPEM: testCertPEM(t)}
+	pool, err := cfg.loadCACertPool()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if pool == nil {
+		t.Fatal("expected non-nil pool when both sources set")
+	}
+}
+
+func TestSharedTransportPool_ConfigKeyDistinguishesCAAndSkipVerify(t *testing.T) {
+	p := GetGlobalTransportPool()
+	cfgSystem := DefaultHTTPClientConfig()
+
+	cfgSkip := DefaultHTTPClientConfig()
+	cfgSkip.InsecureSkipVerify = true
+
+	cfgCustomCA := DefaultHTTPClientConfig()
+	pool, err := (&Config{CACertPEM: testCertPEM(t)}).loadCACertPool()
+	if err != nil {
+		t.Fatalf("loadCACertPool: %v", err)
+	}
+	cfgCustomCA.RootCAs = pool
+
+	keys := map[string]string{
+		"system":   p.configKey(cfgSystem),
+		"skip":     p.configKey(cfgSkip),
+		"customCA": p.configKey(cfgCustomCA),
+	}
+	seen := make(map[string]string, len(keys))
+	for name, key := range keys {
+		if dup, ok := seen[key]; ok {
+			t.Errorf("configKey collision: %s and %s share key %q", name, dup, key)
+		}
+		seen[key] = name
+	}
+}

cache_manager.go

@@ -113,6 +113,14 @@ func (cm *CacheManager) GetSharedSessionInvalidationCache() CacheInterface {
 	return &CacheInterfaceWrapper{cache: cm.manager.GetSessionInvalidationCache(), managed: true}
 }
 
+// GetSharedRefreshResultCache returns the short-lived refresh-result cache used
+// by the refresh path to coalesce grants across Traefik replicas via Redis.
+func (cm *CacheManager) GetSharedRefreshResultCache() CacheInterface {
+	cm.mu.RLock()
+	defer cm.mu.RUnlock()
+	return &CacheInterfaceWrapper{cache: cm.manager.GetRefreshResultCache(), managed: true}
+}
+
 // Close gracefully shuts down all cache components
 func (cm *CacheManager) Close() error {
 	cm.mu.Lock()

csrf_session_test.go

@@ -31,7 +31,7 @@ func TestCSRFTokenSessionManagement(t *testing.T) {
 		session.SetCSRF(csrfToken)
 		session.SetNonce("test-nonce")
 		session.SetAuthenticated(true)
-		session.SetEmail("user@example.com")
+		session.SetUserIdentifier("user@example.com")
 		session.SetAccessToken("old-access-token")
 		session.SetRefreshToken("old-refresh-token")
 		session.SetIDToken("old-id-token")
@@ -61,7 +61,7 @@ func TestCSRFTokenSessionManagement(t *testing.T) {
 
 		// Now perform selective clearing (as done in the fix)
 		session2.SetAuthenticated(false)
-		session2.SetEmail("")
+		session2.SetUserIdentifier("")
 		session2.SetAccessToken("")
 		session2.SetRefreshToken("")
 		session2.SetIDToken("")
@@ -303,7 +303,7 @@ func TestRegressionLoginLoop(t *testing.T) {
 
 		// Set initial session data
 		session.SetAuthenticated(true)
-		session.SetEmail("old@example.com")
+		session.SetUserIdentifier("old@example.com")
 		session.SetAccessToken("old-token")
 		session.SetCSRF("existing-csrf")
 
@@ -325,7 +325,7 @@ func TestRegressionLoginLoop(t *testing.T) {
 		// OLD BEHAVIOR: session.Clear() would have been called here, losing CSRF
 		// NEW BEHAVIOR: Selective clearing
 		session2.SetAuthenticated(false)
-		session2.SetEmail("")
+		session2.SetUserIdentifier("")
 		session2.SetAccessToken("")
 		session2.SetRefreshToken("")
 		session2.SetIDToken("")

docs/AUTH0_AUDIENCE_GUIDE.md

@@ -25,7 +25,10 @@ The **audience** (`aud`) claim in a JWT identifies the intended recipient of the
 
 ### Why Does This Matter?
 
-Proper audience validation prevents **token confusion attacks** where a token intended for one API is used to access another API.
+Audience validation rejects access tokens whose `aud` claim does not match the
+expected audience, blocking the trivial form of token confusion where a token
+issued for API A is presented to API B. (Defence in depth — pair with
+short-lived tokens, rotation, and per-API client credentials.)
 
 ---
 
@@ -137,8 +140,8 @@ http:
 **Recommended:** `true` for production
 
 **What it does:**
-- When `true`: Rejects sessions if access token audience doesn't match (prevents Scenario 2)
-- When `false`: Logs warnings but allows fallback to ID token (backward compatible)
+- When `true`: On audience mismatch, the middleware does **not** silently fall back to ID-token validation. It tries to refresh the access token first; if no refresh token is present (or refresh fails), the user is re-authenticated.
+- When `false`: Logs warnings and falls back to ID-token validation (backward compatible).
 
 **Example:**
 ```yaml
@@ -349,7 +352,7 @@ When opaque tokens are detected:
 
 **Cache behavior:**
 - Cache key: Token hash
-- TTL: 5 minutes or token expiry (whichever is shorter)
+- TTL: 5 minutes; if the token's `exp` is sooner, the cache entry expires at `exp` instead. Tokens without `exp` use the flat 5-minute TTL.
 - Reduces introspection requests for frequently used tokens
 
 ---

docs/CONFIGURATION.md

@@ -52,7 +52,7 @@ spec:
 | `logoutURL` | string | `callbackURL + "/logout"` | Path for logout requests |
 | `postLogoutRedirectURI` | string | `/` | Redirect URL after logout |
 | `logLevel` | string | `info` | Logging verbosity (`debug`, `info`, `error`) |
-| `forceHTTPS` | bool | `false` | Force HTTPS for redirect URIs |
+| `forceHTTPS` | bool | `true` | Force HTTPS for redirect URIs (set `false` only for plaintext HTTP local dev) |
 | `rateLimit` | int | `100` | Maximum requests per second |
 | `excludedURLs` | []string | none | Paths that bypass authentication |
 | `revocationURL` | string | auto-discovered | Token revocation endpoint |
@@ -62,13 +62,13 @@ spec:
 
 ### TLS Termination at Load Balancer
 
-If running Traefik behind a load balancer (AWS ALB, Google Cloud LB, Azure App Gateway) that terminates TLS:
+`forceHTTPS` defaults to `true`, so redirect URIs always use `https://`. This is
+the correct default behind any TLS-terminating load balancer (AWS ALB, Google
+Cloud LB, Azure App Gateway) — `X-Forwarded-Proto` cannot be trusted (ALB may
+overwrite it).
 
-```yaml
-forceHTTPS: true  # Required for correct redirect URIs
-```
-
-Without this setting, redirect URIs will use `http://` instead of `https://`, causing OAuth callback failures.
+Set `forceHTTPS: false` only when you serve OIDC over plaintext HTTP (local
+dev). Otherwise leave it at default.
 
 ---
 

docs/DCR.md

@@ -0,0 +1,95 @@
+# Dynamic Client Registration (RFC 7591)
+
+The middleware can register itself with an OIDC provider at startup instead of
+using a pre-provisioned `clientID` / `clientSecret`. Useful for multi-tenant
+deployments, self-service integrations, and ephemeral environments.
+
+## How it works
+
+1. Middleware reads `registration_endpoint` from `.well-known/openid-configuration`.
+2. If `clientID` is empty, it `POST`s `clientMetadata` to the registration endpoint.
+3. Returned `client_id` / `client_secret` are cached, optionally persisted.
+4. Subsequent requests use the registered credentials.
+
+For multi-replica deployments, set `storageBackend: redis` so all replicas
+share one client and avoid registration races.
+
+## Configuration
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-dcr
+  namespace: traefik
+spec:
+  plugin:
+    traefikoidc:
+      providerURL: https://your-oidc-provider.com
+      sessionEncryptionKey: your-secure-encryption-key-min-32-chars
+      callbackURL: /oauth2/callback
+      dynamicClientRegistration:
+        enabled: true
+        persistCredentials: true
+        storageBackend: redis        # file | redis | auto
+        initialAccessToken: ""        # optional, for protected endpoints
+        registrationEndpoint: ""      # optional, override discovery
+        credentialsFile: /tmp/oidc-client-credentials.json
+        redisKeyPrefix: "dcr:creds:"
+        clientMetadata:
+          redirect_uris:
+            - https://app.example.com/oauth2/callback
+          client_name: My Application
+          application_type: web
+          grant_types: [authorization_code, refresh_token]
+          response_types: [code]
+          token_endpoint_auth_method: client_secret_basic
+          contacts: [admin@example.com]
+```
+
+## Parameters
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `enabled` | `false` | Enable DCR. |
+| `persistCredentials` | `false` | Save returned credentials for reuse across restarts. |
+| `storageBackend` | `auto` | `file`, `redis`, or `auto` (Redis if available, else file). |
+| `credentialsFile` | `/tmp/oidc-client-credentials.json` | Path for file-backed storage. Mode `0600`. |
+| `redisKeyPrefix` | (none — set explicitly) | Key prefix for Redis-backed storage. The code does not inject a default; if unset, keys have no prefix. `dcr:creds:` is a sensible convention. |
+| `registrationEndpoint` | discovered | Override the discovered endpoint. |
+| `initialAccessToken` | none | Bearer token for protected registration endpoints. |
+| `clientMetadata.redirect_uris` | required | Callback URIs for the OAuth flow. |
+| `clientMetadata.client_name` | none | Human-readable client name. |
+| `clientMetadata.application_type` | `web` | `web` or `native`. |
+| `clientMetadata.grant_types` | `[authorization_code, refresh_token]` | OAuth grant types. |
+| `clientMetadata.response_types` | `[code]` | OAuth response types. |
+| `clientMetadata.token_endpoint_auth_method` | `client_secret_basic` | `client_secret_basic`, `client_secret_post`, or `none`. |
+| `clientMetadata.scope` | none | Space-separated scopes. |
+| `clientMetadata.contacts` | none | Admin email addresses. |
+| `clientMetadata.logo_uri` | none | Logo URL for consent screens. |
+| `clientMetadata.client_uri` | none | Client homepage URL. |
+| `clientMetadata.policy_uri` | none | Privacy policy URL. |
+| `clientMetadata.tos_uri` | none | Terms of service URL. |
+
+## Provider support
+
+The middleware does not gate DCR by provider — if the provider exposes a
+`registration_endpoint` in its discovery document (or you set
+`registrationEndpoint` explicitly), DCR will attempt registration. The table
+below is informational guidance based on each provider's published support.
+
+| Provider | DCR | Notes |
+|----------|-----|-------|
+| Keycloak | Yes | Enable in realm settings. |
+| Auth0 | Yes | Requires Management API token. |
+| Okta | Yes | Enable Dynamic Client Registration in admin console. |
+| Azure AD | Limited | Use App Registration API instead. |
+| Google | No | Manual registration required. |
+| AWS Cognito | No | Manual registration required. |
+
+## Security notes
+
+- Registration endpoints must be HTTPS (loopback excepted for local dev).
+- Use `initialAccessToken` in production to gate registration.
+- File-backed credentials use `0600`; protect the mount path.
+- The plugin marks credentials invalid when within ~5 min of `client_secret_expires_at` but does **not** automatically re-register. If your provider sets a non-zero expiry, schedule manual rotation (delete the credentials file or Redis entry, restart) before that time.

docs/DEVELOPMENT.md

@@ -16,9 +16,8 @@ Guide for local development, testing, and contributing to the Traefik OIDC middl
 
 ## Prerequisites
 
-- **Go 1.23+** for plugin compilation
-- **Docker & Docker Compose** for local testing
-- **OIDC Provider** credentials (Google, Azure, etc.)
+- **Go 1.24+** (matches `go.mod`; CI runs Go 1.24.11)
+- **OIDC Provider** credentials (Google, Azure, etc.) for any end-to-end test against a real provider
 
 ### Required Development Tools
 
@@ -40,110 +39,32 @@ go install golang.org/x/vuln/cmd/govulncheck@latest
 
 ## Local Development Setup
 
-### Docker Compose Environment
-
-The repository includes a Docker Compose setup for testing the plugin locally.
-
-#### 1. Host Configuration
-
-Add to `/etc/hosts`:
+### Build and unit tests
 
 ```bash
-127.0.0.1 hello.localhost
-127.0.0.1 traefik.localhost
+go mod tidy
+go build ./...
+go test ./... -short          # fast loop, < 30 s
+go test -race -timeout=15m ./...
 ```
 
-#### 2. Plugin Configuration
+### Sample plugin configurations
 
-The plugin is loaded using Traefik's **local plugins mode**:
+Working middleware/Traefik configs live in [`examples/`](../examples/):
 
-- Plugin source: Parent directory (`../`)
-- Mount path: `/plugins-local/src/github.com/lukaszraczylo/traefikoidc`
-- Configuration: `experimental.localPlugins` in `traefik.yml`
+- `complete-traefik-config.yaml` — full middleware example
+- `redis-config.yaml` — Redis cache configuration
 
-#### 3. OIDC Provider Setup
+To run the plugin against a real Traefik instance, drop the project on disk
+and load it via `experimental.localPlugins` in your Traefik static config —
+see the [README install section](../README.md#install).
 
-Edit `docker/dynamic.yml` with your provider details:
+### Integration tests
 
-**Google:**
-```yaml
-http:
-  middlewares:
-    oidc-auth:
-      plugin:
-        traefikoidc:
-          providerURL: "https://accounts.google.com"
-          clientID: "your-client-id.apps.googleusercontent.com"
-          clientSecret: "your-google-client-secret"
-          sessionEncryptionKey: "your-32-character-encryption-key"
-          callbackURL: "/oauth2/callback"
-          logoutURL: "/oauth2/logout"
-          scopes:
-            - "openid"
-            - "email"
-            - "profile"
-```
-
-**Azure AD:**
-```yaml
-http:
-  middlewares:
-    oidc-auth:
-      plugin:
-        traefikoidc:
-          providerURL: "https://login.microsoftonline.com/your-tenant-id/v2.0"
-          clientID: "your-azure-client-id"
-          clientSecret: "your-azure-client-secret"
-          sessionEncryptionKey: "your-32-character-encryption-key"
-          callbackURL: "/oauth2/callback"
-          scopes:
-            - "openid"
-            - "email"
-            - "profile"
-```
-
-#### 4. Start Environment
+Integration tests live in `integration/`. Run them explicitly:
 
 ```bash
-cd docker
-docker-compose up -d
-```
-
-#### 5. Test Plugin
-
-- **Protected App**: http://hello.localhost (redirects to OIDC)
-- **Traefik Dashboard**: http://traefik.localhost:8080
-
-### Development Workflow
-
-1. **Edit plugin code** in the project root
-2. **Build and test** (optional syntax check):
-   ```bash
-   go mod tidy
-   go build .
-   go test ./...
-   ```
-3. **Restart Traefik** to reload plugin:
-   ```bash
-   docker-compose restart traefik
-   ```
-4. **Test changes** at http://hello.localhost
-
-### Debugging
-
-**View plugin logs:**
-```bash
-docker-compose logs -f traefik | grep traefikoidc
-```
-
-**Check plugin loading:**
-```bash
-docker-compose logs traefik | grep -i plugin
-```
-
-**Verify plugin directory:**
-```bash
-docker-compose exec traefik ls -la /plugins-local/src/github.com/lukaszraczylo/traefikoidc/
+go test ./integration/... -run Integration -v
 ```
 
 ---
@@ -299,7 +220,7 @@ The repository uses GitHub Actions for comprehensive validation with 20+ paralle
 
 #### Testing (9 suites)
 - Race Detector
-- Coverage (75% threshold)
+- Coverage (70% threshold, enforced in `pr.yaml`)
 - Memory Leaks
 - Integration Tests
 - Regression Tests
@@ -323,13 +244,13 @@ Tests run in parallel for:
 #### Performance & Build (3 checks)
 - Benchmarks
 - Multi-platform Build (linux/darwin x amd64/arm64)
-- Go Version Compatibility (Go 1.23 & 1.24)
+- Go Version Compatibility (currently Go 1.24.11 in CI)
 
 ### Quality Gates
 
 All PRs must pass:
 - All parallel checks
-- 75% test coverage minimum
+- 70% test coverage minimum
 - Zero security vulnerabilities
 - No race conditions
 - No memory leaks

docs/PROVIDERS.md

@@ -23,10 +23,10 @@ Configuration reference for each supported OIDC provider.
 | Provider | OIDC Support | Refresh Tokens | Auto-Detection | ID Tokens |
 |----------|-------------|----------------|----------------|-----------|
 | Google | Full | Yes | `accounts.google.com` | Yes |
-| Azure AD | Full | Yes | `login.microsoftonline.com` | Yes |
+| Azure AD | Full | Yes | `login.microsoftonline.com`, `sts.windows.net` | Yes |
 | Auth0 | Full | Yes | `*.auth0.com` | Yes |
-| Okta | Full | Yes | `*.okta.com` | Yes |
-| Keycloak | Full | Yes | `/auth/realms/` path | Yes |
+| Okta | Full | Yes | `*.okta.com`, `*.oktapreview.com`, `*.okta-emea.com` | Yes |
+| Keycloak | Full | Yes | host containing `keycloak`, or `/realms/` in path (matches both `/auth/realms/` legacy and `/realms/` modern) | Yes |
 | AWS Cognito | Full | Yes | `cognito-idp.*.amazonaws.com` | Yes |
 | GitLab | Full | Yes | `gitlab.com` | Yes |
 | GitHub | OAuth 2.0 Only | No | `github.com` | No |

docs/REDIS.md

@@ -109,11 +109,11 @@ redis:
 | `writeTimeout` | int | `3` | Write timeout (seconds) |
 | `enableTLS` | bool | `false` | Enable TLS for connections |
 | `tlsSkipVerify` | bool | `false` | Skip TLS certificate verification |
-| `enableCircuitBreaker` | bool | `true` | Enable circuit breaker |
-| `circuitBreakerThreshold` | int | `5` | Failures before circuit opens |
-| `circuitBreakerTimeout` | int | `60` | Circuit reset timeout (seconds) |
-| `enableHealthCheck` | bool | `true` | Enable periodic health checks |
-| `healthCheckInterval` | int | `30` | Health check interval (seconds) |
+| `enableCircuitBreaker` | bool | `false` | Wrap the Redis backend with a circuit breaker. **Recommended `true` in production.** |
+| `circuitBreakerThreshold` | int | `5` | Consecutive failures before the circuit opens (only when `enableCircuitBreaker: true`). |
+| `circuitBreakerTimeout` | int | `60` | Seconds the circuit stays open before allowing a probe (only when `enableCircuitBreaker: true`). |
+| `enableHealthCheck` | bool | `false` | Wrap the Redis backend with periodic health checks. **Recommended `true` in production.** |
+| `healthCheckInterval` | int | `30` | Health check interval in seconds (only when `enableHealthCheck: true`). |
 | `hybridL1Size` | int | `500` | Max items in L1 cache (hybrid mode) |
 | `hybridL1MemoryMB` | int64 | `10` | Max memory for L1 cache in MB |
 
@@ -134,13 +134,21 @@ REDIS_READ_TIMEOUT=3
 REDIS_WRITE_TIMEOUT=3
 REDIS_ENABLE_TLS=false
 REDIS_TLS_SKIP_VERIFY=false
+REDIS_HYBRID_L1_SIZE=500
+REDIS_HYBRID_L1_MEMORY_MB=10
 ```
 
+> Resilience fields (`enableCircuitBreaker`, `enableHealthCheck`,
+> `circuitBreakerThreshold`, `circuitBreakerTimeout`, `healthCheckInterval`)
+> have no environment variable fallback — set them in plugin configuration.
+
+Invalid `cacheMode` values are rejected at plugin startup.
+
 ---
 
 ## Cache Modes
 
-### Memory Mode (Default without Redis)
+### Memory Mode (used when Redis is disabled)
 
 ```yaml
 redis:

docs/TESTING.md

@@ -6,8 +6,8 @@ Comprehensive testing infrastructure for traefikoidc.
 
 | Metric | Value |
 |--------|-------|
-| Test files | 99 |
-| Lines of test code | ~65,500 |
+| Test files | 110 |
+| Lines of test code | ~72,000 |
 | Code coverage | 71.0% |
 | Race conditions | None (all pass with `-race`) |
 

enhanced_mocks_test.go

@@ -2,6 +2,8 @@ package traefikoidc
 
 import (
 	"context"
+	"crypto"
+	"fmt"
 	"net/http"
 	"sync"
 	"sync/atomic"
@@ -40,6 +42,31 @@ func (m *EnhancedMockJWKCache) GetJWKS(ctx context.Context, jwksURL string, http
 	return m.JWKS, m.Err
 }
 
+func (m *EnhancedMockJWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	jwks, err := m.GetJWKS(ctx, jwksURL, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	if jwks == nil {
+		return nil, fmt.Errorf("JWKS is nil")
+	}
+	for i := range jwks.Keys {
+		k := &jwks.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		default:
+			return nil, fmt.Errorf("unsupported key type: %s", k.Kty)
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (m *EnhancedMockJWKCache) Cleanup() {
 	atomic.AddInt32(&m.CleanupCalls, 1)
 	m.mu.Lock()

go.mod

@@ -4,7 +4,6 @@ go 1.24.0
 
 require (
 	github.com/alicebob/miniredis/v2 v2.35.0
-	github.com/google/uuid v1.6.0
 	github.com/gorilla/sessions v1.3.0
 	github.com/redis/go-redis/v9 v9.17.2
 	github.com/stretchr/testify v1.10.0

go.sum

@@ -12,8 +12,6 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.3.0 h1:XYlkq7KcpOB2ZhHBPv5WpjMIxrQosiZanfoy1HLZFzg=

helpers.go

@@ -17,6 +17,21 @@ import (
 	"github.com/lukaszraczylo/traefikoidc/internal/utils"
 )
 
+// newUUIDv4 returns an RFC 4122 v4 UUID string (e.g.
+// "f47ac10b-58cc-4372-a567-0e02b2c3d479") backed by crypto/rand. Used for CSRF
+// tokens and other opaque random identifiers — replaces github.com/google/uuid
+// to keep the plugin stdlib-only on the production path.
+func newUUIDv4() (string, error) {
+	var b [16]byte
+	if _, err := rand.Read(b[:]); err != nil {
+		return "", fmt.Errorf("could not generate UUID: %w", err)
+	}
+	b[6] = (b[6] & 0x0f) | 0x40 // version 4
+	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
+	return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",
+		b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
+}
+
 // generateNonce creates a cryptographically secure random nonce for OIDC flows.
 // The nonce is used to prevent replay attacks and associate client sessions with ID tokens.
 // Returns:

helpers_test.go

@@ -0,0 +1,29 @@
+package traefikoidc
+
+import (
+	"regexp"
+	"testing"
+)
+
+// TestNewUUIDv4 verifies the in-house UUID v4 generator produces RFC 4122
+// compliant identifiers. Locks in the replacement for github.com/google/uuid
+// — a regression here would weaken the CSRF token used in the OIDC flow.
+func TestNewUUIDv4(t *testing.T) {
+	rfc4122v4 := regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)
+
+	const samples = 1000
+	seen := make(map[string]struct{}, samples)
+	for i := 0; i < samples; i++ {
+		got, err := newUUIDv4()
+		if err != nil {
+			t.Fatalf("newUUIDv4 failed: %v", err)
+		}
+		if !rfc4122v4.MatchString(got) {
+			t.Fatalf("UUID %q does not match RFC 4122 v4 format", got)
+		}
+		if _, dup := seen[got]; dup {
+			t.Fatalf("duplicate UUID emitted within %d samples: %q", samples, got)
+		}
+		seen[got] = struct{}{}
+	}
+}

http_client_factory.go

@@ -3,6 +3,7 @@ package traefikoidc
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -25,10 +26,16 @@ type HTTPClientConfig struct {
 	Timeout               time.Duration
 	MaxConnsPerHost       int
 	WriteBufferSize       int
-	UseCookieJar          bool
-	ForceHTTP2            bool
-	DisableKeepAlives     bool
-	DisableCompression    bool
+	// RootCAs is an optional certificate pool used for TLS verification.
+	// A nil pool means "use the system trust store" (default behavior).
+	RootCAs *x509.CertPool
+	// InsecureSkipVerify disables TLS certificate verification.
+	// ONLY set this for local development against self-signed certificates.
+	InsecureSkipVerify bool
+	UseCookieJar       bool
+	ForceHTTP2         bool
+	DisableKeepAlives  bool
+	DisableCompression bool
 }
 
 // DefaultHTTPClientConfig returns the default configuration for general use
@@ -203,7 +210,8 @@ func (f *HTTPClientFactory) CreateHTTPClient(config HTTPClientConfig) *http.Clie
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			},
 			PreferServerCipherSuites: true,
-			InsecureSkipVerify:       false, // Always verify certificates
+			RootCAs:                  config.RootCAs,
+			InsecureSkipVerify:       config.InsecureSkipVerify, //nolint:gosec // opt-in, loud warning emitted at plugin startup
 		},
 		ForceAttemptHTTP2:     config.ForceHTTP2,
 		TLSHandshakeTimeout:   config.TLSHandshakeTimeout,

http_client_pool.go

@@ -3,6 +3,7 @@ package traefikoidc
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"net/http"
 	"sync"
@@ -103,7 +104,8 @@ func (p *SharedTransportPool) GetOrCreateTransport(config HTTPClientConfig) *htt
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			},
 			PreferServerCipherSuites: true,
-			InsecureSkipVerify:       false,
+			RootCAs:                  config.RootCAs,
+			InsecureSkipVerify:       config.InsecureSkipVerify, //nolint:gosec // opt-in, loud warning emitted at plugin startup
 		},
 		ForceAttemptHTTP2:     config.ForceHTTP2,
 		TLSHandshakeTimeout:   config.TLSHandshakeTimeout,
@@ -205,8 +207,21 @@ func (p *SharedTransportPool) performCleanup() {
 
 // configKey generates a unique key for a config
 func (p *SharedTransportPool) configKey(config HTTPClientConfig) string {
-	// Simple key based on main parameters
-	return string(rune(config.MaxConnsPerHost)) + string(rune(config.MaxIdleConnsPerHost))
+	// Pool transports by the parameters that change TLS or connection
+	// behavior. RootCAs and InsecureSkipVerify MUST be part of the key:
+	// otherwise a middleware configured with a custom CA would share a
+	// transport with one using the system store, silently bypassing its
+	// CA configuration.
+	skip := "0"
+	if config.InsecureSkipVerify {
+		skip = "1"
+	}
+	return fmt.Sprintf("%d|%d|%p|%s",
+		config.MaxConnsPerHost,
+		config.MaxIdleConnsPerHost,
+		config.RootCAs,
+		skip,
+	)
 }
 
 // Cleanup closes all transports and stops the cleanup goroutine

internal/cache/backends/hybrid.go

@@ -20,6 +20,7 @@ type HybridBackend struct {
 	ctx                 context.Context
 	syncWriteCacheTypes map[string]bool
 	asyncWriteBuffer    chan *asyncWriteItem
+	l1BackfillBuffer    chan *l1BackfillItem
 	cancel              context.CancelFunc
 	wg                  sync.WaitGroup
 	l1Hits              atomic.Int64
@@ -28,6 +29,7 @@ type HybridBackend struct {
 	l1Writes            atomic.Int64
 	misses              atomic.Int64
 	l2Hits              atomic.Int64
+	l1BackfillDrops     atomic.Int64
 	fallbackMode        atomic.Bool
 }
 
@@ -39,6 +41,15 @@ type asyncWriteItem struct {
 	ttl   time.Duration
 }
 
+// l1BackfillItem represents a deferred write of an L2-resolved value back into
+// L1. Backfills run on a single bounded worker so a burst of L2 hits cannot
+// detonate the goroutine count (issue: ~1000% CPU under sustained polling).
+type l1BackfillItem struct {
+	key   string
+	value []byte
+	ttl   time.Duration
+}
+
 // Logger interface for structured logging
 type Logger interface {
 	Debugf(format string, args ...interface{})
@@ -114,6 +125,7 @@ func NewHybridBackend(config *HybridConfig) (*HybridBackend, error) {
 		secondary:           config.Secondary,
 		syncWriteCacheTypes: config.SyncWriteCacheTypes,
 		asyncWriteBuffer:    make(chan *asyncWriteItem, config.AsyncBufferSize),
+		l1BackfillBuffer:    make(chan *l1BackfillItem, config.AsyncBufferSize),
 		ctx:                 ctx,
 		cancel:              cancel,
 		logger:              config.Logger,
@@ -123,6 +135,11 @@ func NewHybridBackend(config *HybridConfig) (*HybridBackend, error) {
 	h.wg.Add(1)
 	go h.asyncWriteWorker()
 
+	// Start L1 backfill worker (single goroutine) to bound goroutine growth on
+	// L2 hits regardless of request rate.
+	h.wg.Add(1)
+	go h.l1BackfillWorker()
+
 	// Start health monitoring
 	h.wg.Add(1)
 	go h.healthMonitor()
@@ -223,18 +240,10 @@ func (h *HybridBackend) Get(ctx context.Context, key string) ([]byte, time.Durat
 
 	h.l2Hits.Add(1)
 
-	// Populate L1 cache with value from L2 (write-through on read)
-	// Use goroutine to avoid blocking the read path
-	go func() {
-		writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-		defer cancel()
-
-		if err := h.primary.Set(writeCtx, key, value, ttl); err != nil {
-			h.logger.Debugf("Failed to populate L1 cache from L2 for key %s: %v", key, err)
-		} else {
-			h.logger.Debugf("Populated L1 cache from L2 for key: %s", key)
-		}
-	}()
+	// Populate L1 cache with value from L2 (write-through on read).
+	// Hand off to the bounded backfill worker instead of spawning a goroutine
+	// per read - under burst that would mint thousands of goroutines.
+	h.queueL1Backfill(key, value, ttl)
 
 	return value, ttl, true, nil
 }
@@ -371,6 +380,7 @@ func (h *HybridBackend) Close() error {
 
 	// Close async write channel
 	close(h.asyncWriteBuffer)
+	close(h.l1BackfillBuffer)
 
 	// Wait for workers to finish with timeout
 	done := make(chan struct{})
@@ -440,13 +450,7 @@ func (h *HybridBackend) GetMany(ctx context.Context, keys []string) (map[string]
 			for key, value := range l2Results {
 				results[key] = value
 				h.l2Hits.Add(1)
-
-				// Asynchronously populate L1
-				go func(k string, v []byte) {
-					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-					defer cancel()
-					_ = h.primary.Set(writeCtx, k, v, 0) // Use default TTL
-				}(key, value)
+				h.queueL1Backfill(key, value, 0) // 0 = primary backend default TTL
 			}
 		}
 	} else {
@@ -455,13 +459,7 @@ func (h *HybridBackend) GetMany(ctx context.Context, keys []string) (map[string]
 			if value, ttl, exists, err := h.secondary.Get(ctx, key); err == nil && exists {
 				results[key] = value
 				h.l2Hits.Add(1)
-
-				// Asynchronously populate L1
-				go func(k string, v []byte, t time.Duration) {
-					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-					defer cancel()
-					_ = h.primary.Set(writeCtx, k, v, t)
-				}(key, value, ttl)
+				h.queueL1Backfill(key, value, ttl)
 			}
 		}
 	}
@@ -538,6 +536,55 @@ func (h *HybridBackend) SetMany(ctx context.Context, items map[string][]byte, tt
 	return nil
 }
 
+// queueL1Backfill enqueues an L2-resolved value for write-through into L1.
+// Drops on full buffer to keep the read path constant-time; the next L2 hit
+// for the same key simply re-queues it.
+func (h *HybridBackend) queueL1Backfill(key string, value []byte, ttl time.Duration) {
+	select {
+	case h.l1BackfillBuffer <- &l1BackfillItem{key: key, value: value, ttl: ttl}:
+	default:
+		h.l1BackfillDrops.Add(1)
+		h.logger.Debugf("L1 backfill buffer full, dropping for key: %s", key)
+	}
+}
+
+// l1BackfillWorker drains the backfill queue serially. Single worker is
+// intentional - L1 writes are local and cheap, and serializing them keeps
+// goroutine count bounded under any read rate.
+func (h *HybridBackend) l1BackfillWorker() {
+	defer h.wg.Done()
+
+	for {
+		select {
+		case <-h.ctx.Done():
+			// Drain remaining items best-effort then exit.
+			for len(h.l1BackfillBuffer) > 0 {
+				select {
+				case item := <-h.l1BackfillBuffer:
+					writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+					_ = h.primary.Set(writeCtx, item.key, item.value, item.ttl)
+					cancel()
+				default:
+					return
+				}
+			}
+			return
+
+		case item, ok := <-h.l1BackfillBuffer:
+			if !ok {
+				return
+			}
+			writeCtx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+			if err := h.primary.Set(writeCtx, item.key, item.value, item.ttl); err != nil {
+				h.logger.Debugf("Failed to populate L1 cache from L2 for key %s: %v", item.key, err)
+			} else {
+				h.logger.Debugf("Populated L1 cache from L2 for key: %s", item.key)
+			}
+			cancel()
+		}
+	}
+}
+
 // asyncWriteWorker processes asynchronous writes to L2
 func (h *HybridBackend) asyncWriteWorker() {
 	defer h.wg.Done()

internal/cache/backends/hybrid_l1_backfill_test.go

@@ -0,0 +1,112 @@
+//go:build !yaegi
+
+package backends
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestHybridBackend_L1BackfillBounded verifies that a burst of L2 hits does
+// not detonate the goroutine count. Pre-fix the code spawned one goroutine
+// per Get() L2 hit; post-fix all backfills funnel through a single worker.
+func TestHybridBackend_L1BackfillBounded(t *testing.T) {
+	primary := newMockBackend()
+	secondary := newMockBackend()
+
+	hybrid, err := NewHybridBackend(&HybridConfig{
+		Primary:         primary,
+		Secondary:       secondary,
+		AsyncBufferSize: 256,
+	})
+	require.NoError(t, err)
+	defer hybrid.Close()
+
+	ctx := context.Background()
+	const burst = 1000
+
+	// Pre-populate L2 with `burst` distinct keys so each Get triggers a
+	// fresh L1 backfill enqueue.
+	for i := 0; i < burst; i++ {
+		require.NoError(t, secondary.Set(ctx, fmt.Sprintf("k:%d", i), []byte("v"), time.Minute))
+	}
+
+	baseline := runtime.NumGoroutine()
+
+	// Issue the burst as fast as possible; the backfill worker MUST be the
+	// only goroutine doing L1 writes. Allow brief slack for the test runtime
+	// scheduling but anything north of +20 means goroutine leakage.
+	peak := baseline
+	for i := 0; i < burst; i++ {
+		_, _, exists, err := hybrid.Get(ctx, fmt.Sprintf("k:%d", i))
+		require.NoError(t, err)
+		require.True(t, exists)
+		if g := runtime.NumGoroutine(); g > peak {
+			peak = g
+		}
+	}
+
+	delta := peak - baseline
+	if delta > 20 {
+		t.Fatalf("goroutine count grew by %d during burst (baseline=%d peak=%d); backfill worker not bounding goroutines",
+			delta, baseline, peak)
+	}
+
+	// L1 must eventually catch up via the worker. Worker drains serially so
+	// give it a generous window proportional to the burst size.
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		var populated int
+		for i := 0; i < burst; i++ {
+			if _, _, ok, _ := primary.Get(ctx, fmt.Sprintf("k:%d", i)); ok {
+				populated++
+			}
+		}
+		// Be lenient: drops are acceptable under buffer pressure, just want
+		// most of the keys to make it.
+		if populated >= burst-int(hybrid.l1BackfillDrops.Load()) {
+			return
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	t.Fatalf("L1 not backfilled within deadline: l2Hits=%d l1Writes=%d drops=%d",
+		hybrid.l2Hits.Load(), hybrid.l1Writes.Load(), hybrid.l1BackfillDrops.Load())
+}
+
+// TestHybridBackend_L1BackfillFullDrops verifies the drop semantics when the
+// buffer is saturated. Drops must be counted, never block, never spawn a
+// goroutine.
+func TestHybridBackend_L1BackfillFullDrops(t *testing.T) {
+	primary := newMockBackend()
+	secondary := newMockBackend()
+
+	// Tiny buffer + slow primary writes via failSet so the worker stays
+	// blocked enough to overflow the buffer.
+	hybrid, err := NewHybridBackend(&HybridConfig{
+		Primary:         primary,
+		Secondary:       secondary,
+		AsyncBufferSize: 4,
+	})
+	require.NoError(t, err)
+	defer hybrid.Close()
+
+	// Stop the worker from draining: cancel the underlying context so the
+	// worker bails out, leaving us with a cold buffer and the queue method
+	// itself responsible for drop accounting.
+	hybrid.cancel()
+	// Wait for worker to exit so it can't drain.
+	time.Sleep(50 * time.Millisecond)
+
+	for i := 0; i < 50; i++ {
+		hybrid.queueL1Backfill(fmt.Sprintf("k:%d", i), []byte("v"), time.Minute)
+	}
+
+	assert.Greater(t, hybrid.l1BackfillDrops.Load(), int64(0),
+		"expected some drops when buffer is saturated and worker is stopped")
+}

internal/cache/backends/redis_pool_test.go

@@ -3,6 +3,7 @@ package backends
 import (
 	"context"
 	"errors"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -617,4 +618,33 @@ func TestRedisConn_TooManyArguments(t *testing.T) {
 			assert.NotContains(t, err.Error(), "too many arguments")
 		}
 	})
+
+}
+
+// TestRedisConn_RejectOversizedArgumentBytes is a regression test for CodeQL
+// alert #10 (go/allocation-size-overflow). A single argument larger than
+// maxTotalArgBytes (64 MiB) must be rejected by the per-argument overflow
+// guard in Do() before any allocation is attempted.
+func TestRedisConn_RejectOversizedArgumentBytes(t *testing.T) {
+	mr := NewMiniredisServer(t)
+
+	pool, err := NewConnectionPool(&PoolConfig{
+		Address:        mr.GetAddr(),
+		MaxConnections: 1,
+		ConnectTimeout: 5 * time.Second,
+		ReadTimeout:    3 * time.Second,
+		WriteTimeout:   3 * time.Second,
+	})
+	require.NoError(t, err)
+	defer pool.Close()
+
+	conn, err := pool.Get(context.Background())
+	require.NoError(t, err)
+	defer pool.Put(conn)
+
+	largeArg := strings.Repeat("x", (64<<20)+1)
+
+	_, err = conn.Do("SET", "k", largeArg)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "arguments too large")
 }

internal/cache/backends/resp.go

@@ -7,52 +7,34 @@ import (
 	"io"
 	"strconv"
 	"strings"
-	"sync"
 )
 
 // RESP (REdis Serialization Protocol) implementation
 // Pure Go implementation compatible with Yaegi interpreter (no unsafe package)
+//
+// NOTE: sync.Pool was intentionally removed for Yaegi compatibility.
+// Yaegi (Traefik's Go interpreter) has issues with sync.Pool and reflection
+// that cause "reflect: call of reflect.Value.Field on zero Value" panics.
+// See: https://github.com/lukaszraczylo/traefikoidc/issues/120
 
 var (
 	ErrInvalidRESP = errors.New("invalid RESP response")
 	ErrNilResponse = errors.New("nil response")
 )
 
-// Object pools for memory optimization - reduces allocations by 50-70%
-var (
-	readerPool = sync.Pool{
-		New: func() interface{} {
-			return &RESPReader{
-				r: bufio.NewReaderSize(nil, 4096),
-			}
-		},
-	}
-
-	writerPool = sync.Pool{
-		New: func() interface{} {
-			return &RESPWriter{
-				w: nil,
-			}
-		},
-	}
-)
-
 // RESPWriter writes RESP protocol messages
 type RESPWriter struct {
 	w io.Writer
 }
 
-// NewRESPWriter creates a new RESP writer from the pool (memory optimized)
+// NewRESPWriter creates a new RESP writer
 func NewRESPWriter(w io.Writer) *RESPWriter {
-	writer, _ := writerPool.Get().(*RESPWriter)
-	writer.w = w
-	return writer
+	return &RESPWriter{w: w}
 }
 
-// Release returns the writer to the pool for reuse
+// Release is a no-op for API compatibility (pooling removed for Yaegi compatibility)
 func (w *RESPWriter) Release() {
-	w.w = nil
-	writerPool.Put(w)
+	// No-op: pooling removed for Yaegi compatibility
 }
 
 // WriteCommand writes a Redis command in RESP array format
@@ -78,17 +60,16 @@ type RESPReader struct {
 	r *bufio.Reader
 }
 
-// NewRESPReader creates a new RESP reader from the pool (memory optimized)
+// NewRESPReader creates a new RESP reader
 func NewRESPReader(r io.Reader) *RESPReader {
-	reader, _ := readerPool.Get().(*RESPReader)
-	reader.r.Reset(r)
-	return reader
+	return &RESPReader{
+		r: bufio.NewReaderSize(r, 4096),
+	}
 }
 
-// Release returns the reader to the pool for reuse
+// Release is a no-op for API compatibility (pooling removed for Yaegi compatibility)
 func (r *RESPReader) Release() {
-	r.r.Reset(nil)
-	readerPool.Put(r)
+	// No-op: pooling removed for Yaegi compatibility
 }
 
 // ReadResponse reads a RESP response and returns the parsed value

internal/providers/registry.go

@@ -147,7 +147,8 @@ func (r *ProviderRegistry) detectProviderUnsafe(issuerURL string) OIDCProvider {
 				return p
 			}
 		case ProviderTypeKeycloak:
-			if strings.Contains(host, "keycloak") || strings.Contains(normalizedURL.Path, "/auth/realms/") {
+			// Match both Keycloak <17 (`/auth/realms/`) and 17+ (`/realms/`).
+			if strings.Contains(host, "keycloak") || strings.Contains(normalizedURL.Path, "/realms/") {
 				return p
 			}
 		case ProviderTypeAWSCognito:

internal/providers/registry_test.go

@@ -225,10 +225,15 @@ func TestProviderRegistry_DetectProvider(t *testing.T) {
 			expected:  oktaProvider,
 		},
 		{
-			name:      "Keycloak provider detection",
+			name:      "Keycloak provider detection (legacy /auth/realms/)",
 			issuerURL: "https://auth.example.com/auth/realms/master",
 			expected:  keycloakProvider,
 		},
+		{
+			name:      "Keycloak provider detection (modern /realms/, KC 17+)",
+			issuerURL: "https://auth.example.com/realms/master",
+			expected:  keycloakProvider,
+		},
 		{
 			name:      "AWS Cognito provider detection",
 			issuerURL: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",

issue132_regression_test.go

@@ -0,0 +1,135 @@
+package traefikoidc
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+// TestIssue132_RefreshTokenHonorsUserIdentifierClaim reproduces and verifies
+// the fix for issue #132: token refresh path hardcoded the "email" claim and
+// ignored the configured userIdentifierClaim. Keycloak users without an email
+// claim (using sub or another identifier) were being kicked out on refresh
+// even though their initial login worked.
+//
+// The callback path (auth_flow.go) already honored userIdentifierClaim with
+// "sub" fallback. The refresh path (token_manager.go) had drifted out of sync
+// after PR #100 (commit a316a98).
+func TestIssue132_RefreshTokenHonorsUserIdentifierClaim(t *testing.T) {
+	tests := []struct {
+		claims              map[string]any
+		name                string
+		userIdentifierClaim string
+		expectedIdentifier  string
+		expectSuccess       bool
+	}{
+		{
+			name:                "sub claim configured, only sub present (Keycloak no-email case)",
+			userIdentifierClaim: "sub",
+			claims: map[string]any{
+				"sub": "user-uuid-keycloak-12345",
+				"exp": float64(9999999999),
+			},
+			expectSuccess:      true,
+			expectedIdentifier: "user-uuid-keycloak-12345",
+		},
+		{
+			name:                "preferred_username configured, claim present",
+			userIdentifierClaim: "preferred_username",
+			claims: map[string]any{
+				"sub":                "user-uuid-12345",
+				"preferred_username": "alice",
+				"exp":                float64(9999999999),
+			},
+			expectSuccess:      true,
+			expectedIdentifier: "alice",
+		},
+		{
+			name:                "configured claim missing, falls back to sub",
+			userIdentifierClaim: "preferred_username",
+			claims: map[string]any{
+				"sub": "fallback-sub-id",
+				"exp": float64(9999999999),
+			},
+			expectSuccess:      true,
+			expectedIdentifier: "fallback-sub-id",
+		},
+		{
+			name:                "email default, email present (backward compatibility)",
+			userIdentifierClaim: "email",
+			claims: map[string]any{
+				"sub":   "user-uuid-12345",
+				"email": "user@example.com",
+				"exp":   float64(9999999999),
+			},
+			expectSuccess:      true,
+			expectedIdentifier: "user@example.com",
+		},
+		{
+			name:                "email default, no email and no sub - refresh fails",
+			userIdentifierClaim: "email",
+			claims: map[string]any{
+				"exp": float64(9999999999),
+			},
+			expectSuccess:      false,
+			expectedIdentifier: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sessionManager, err := NewSessionManager(
+				"test-encryption-key-32-bytes-long!!",
+				false,
+				"",
+				"",
+				0,
+				NewLogger("error"),
+			)
+			if err != nil {
+				t.Fatalf("session manager: %v", err)
+			}
+			defer sessionManager.Shutdown()
+
+			capturedClaims := tt.claims
+			tOidc := &TraefikOidc{
+				logger:              NewLogger("error"),
+				userIdentifierClaim: tt.userIdentifierClaim,
+				sessionManager:      sessionManager,
+				tokenExchanger: &EnhancedMockTokenExchanger{
+					RefreshResponse: &TokenResponse{
+						AccessToken:  "new-access-token",
+						RefreshToken: "new-refresh-token",
+						IDToken:      "new-id-token-jwt",
+						ExpiresIn:    3600,
+					},
+				},
+				tokenVerifier: &EnhancedMockTokenVerifier{Err: nil},
+				extractClaimsFunc: func(token string) (map[string]any, error) {
+					return capturedClaims, nil
+				},
+			}
+
+			req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+			rw := httptest.NewRecorder()
+
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("get session: %v", err)
+			}
+			defer session.returnToPoolSafely()
+
+			session.SetRefreshToken("initial-refresh-token")
+
+			refreshed := tOidc.refreshToken(rw, req, session)
+
+			if refreshed != tt.expectSuccess {
+				t.Fatalf("refreshToken() = %v, want %v", refreshed, tt.expectSuccess)
+			}
+
+			if got := session.GetUserIdentifier(); got != tt.expectedIdentifier {
+				t.Errorf("session.GetUserIdentifier() = %q, want %q", got, tt.expectedIdentifier)
+			}
+		})
+	}
+}

jwk.go

@@ -2,6 +2,7 @@ package traefikoidc
 
 import (
 	"context"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
@@ -18,6 +19,18 @@ import (
 	"time"
 )
 
+// parsedKeysSuffix marks the parallel UniversalCache entry that stores
+// pre-parsed public keys for a given JWKS URL.
+const parsedKeysSuffix = ":parsed"
+
+// parsedJWKS holds keys decoded from a JWKSet, indexed by kid. Storing the
+// already-parsed crypto.PublicKey avoids re-running the DER/PEM round trip
+// on every JWT verification — a costly operation under the yaegi interpreter
+// that hosts Traefik plugins.
+type parsedJWKS struct {
+	keys map[string]crypto.PublicKey
+}
+
 // JWK represents a JSON Web Key as defined in RFC 7517.
 // It can represent different key types including RSA, EC, and symmetric keys.
 type JWK struct {
@@ -49,6 +62,7 @@ type JWKCache struct {
 // JWKCacheInterface defines the contract for JWK caching implementations.
 type JWKCacheInterface interface {
 	GetJWKS(ctx context.Context, jwksURL string, httpClient *http.Client) (*JWKSet, error)
+	GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error)
 	Cleanup()
 	Close()
 }
@@ -96,6 +110,62 @@ func (c *JWKCache) GetJWKS(ctx context.Context, jwksURL string, httpClient *http
 	return jwks, nil
 }
 
+// GetPublicKey returns the parsed public key for a given kid, fetching and
+// caching the JWKS plus its derived parsedJWKS on miss. The parsed entry is
+// stored alongside the raw JWKSet under a sibling cache key with the same
+// 1-hour TTL, so both invalidate together when the upstream JWKS rotates.
+func (c *JWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	parsedKey := jwksURL + parsedKeysSuffix
+	if v, found := c.cache.Get(parsedKey); found {
+		if pj, ok := v.(*parsedJWKS); ok {
+			if k, ok := pj.keys[kid]; ok {
+				return k, nil
+			}
+		}
+	}
+
+	jwks, err := c.GetJWKS(ctx, jwksURL, httpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	pj := buildParsedJWKS(jwks)
+	_ = c.cache.Set(parsedKey, pj, 1*time.Hour) // Safe to ignore: cache failures are non-critical
+
+	if k, ok := pj.keys[kid]; ok {
+		return k, nil
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
+// buildParsedJWKS pre-parses every JWK in the set into the matching
+// crypto.PublicKey, indexed by kid. Errors on individual keys are skipped so
+// a single bad key does not block the rest of the keyset.
+func buildParsedJWKS(jwks *JWKSet) *parsedJWKS {
+	out := make(map[string]crypto.PublicKey, len(jwks.Keys))
+	for i := range jwks.Keys {
+		k := &jwks.Keys[i]
+		if k.Kid == "" {
+			continue
+		}
+		var pub crypto.PublicKey
+		var err error
+		switch k.Kty {
+		case "RSA":
+			pub, err = k.ToRSAPublicKey()
+		case "EC":
+			pub, err = k.ToECDSAPublicKey()
+		default:
+			continue
+		}
+		if err != nil {
+			continue
+		}
+		out[k.Kid] = pub
+	}
+	return &parsedJWKS{keys: out}
+}
+
 // Cleanup is a no-op as cleanup is handled by UniversalCache
 func (c *JWKCache) Cleanup() {
 	// Handled internally by UniversalCache

jwt.go

@@ -528,6 +528,21 @@ func verifyNotBefore(notBefore float64) error {
 //   - An error if the key parsing fails, the algorithm is unsupported,
 //     or the signature verification fails
 func verifySignature(tokenString string, publicKeyPEM []byte, alg string) error {
+	block, _ := pem.Decode(publicKeyPEM)
+	if block == nil {
+		return fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %w", err)
+	}
+	return verifySignatureWithKey(tokenString, pubKey, alg)
+}
+
+// verifySignatureWithKey verifies a JWT signature using an already-parsed
+// public key, skipping the PEM-encode/decode round trip that verifySignature
+// performs. This is the hot path used by VerifyJWTSignatureAndClaims.
+func verifySignatureWithKey(tokenString string, pubKey crypto.PublicKey, alg string) error {
 	parts := strings.Split(tokenString, ".")
 	if len(parts) != 3 {
 		return fmt.Errorf("invalid token format")
@@ -537,14 +552,6 @@ func verifySignature(tokenString string, publicKeyPEM []byte, alg string) error
 	if err != nil {
 		return fmt.Errorf("failed to decode signature: %w", err)
 	}
-	block, _ := pem.Decode(publicKeyPEM)
-	if block == nil {
-		return fmt.Errorf("failed to parse PEM block containing the public key")
-	}
-	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to parse public key: %w", err)
-	}
 	var hashFunc crypto.Hash
 	switch alg {
 	case "RS256", "PS256", "ES256":

logout_test.go

@@ -2,6 +2,7 @@ package traefikoidc
 
 import (
 	"context"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -639,6 +640,26 @@ func (m *mockJWKCacheForLogout) GetJWKS(ctx context.Context, jwksURL string, htt
 	}, nil
 }
 
+func (m *mockJWKCacheForLogout) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	jwks, err := m.GetJWKS(ctx, jwksURL, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	for i := range jwks.Keys {
+		k := &jwks.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (m *mockJWKCacheForLogout) Clear()   {}
 func (m *mockJWKCacheForLogout) Cleanup() {}
 func (m *mockJWKCacheForLogout) Close()   {}
@@ -755,6 +776,22 @@ func (s *staticJWKCache) GetJWKS(ctx context.Context, jwksURL string, httpClient
 	return s.jwks, nil
 }
 
+func (s *staticJWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	for i := range s.jwks.Keys {
+		k := &s.jwks.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (s *staticJWKCache) Clear()   {}
 func (s *staticJWKCache) Cleanup() {}
 func (s *staticJWKCache) Close()   {}

main.go

@@ -113,12 +113,26 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 		}
 	}
 	// Setup HTTP client
+	caPool, err := config.loadCACertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load CA certificates: %w", err)
+	}
+	if config.InsecureSkipVerify {
+		logger.Errorf("SECURITY WARNING: InsecureSkipVerify is enabled for the OIDC provider. TLS certificate verification is DISABLED. Do not use in production.")
+	}
 	var httpClient *http.Client
 	if config.HTTPClient != nil {
 		httpClient = config.HTTPClient
 	} else {
-		httpClient = CreateDefaultHTTPClient()
+		defaultCfg := DefaultHTTPClientConfig()
+		defaultCfg.RootCAs = caPool
+		defaultCfg.InsecureSkipVerify = config.InsecureSkipVerify
+		httpClient = CreatePooledHTTPClient(defaultCfg)
 	}
+	tokenCfg := TokenHTTPClientConfig()
+	tokenCfg.RootCAs = caPool
+	tokenCfg.InsecureSkipVerify = config.InsecureSkipVerify
+	tokenHTTPClient := CreatePooledHTTPClient(tokenCfg)
 	goroutineWG := &sync.WaitGroup{}
 	cacheManager := GetGlobalCacheManagerWithConfig(goroutineWG, config)
 
@@ -199,7 +213,7 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 		limiter:               rate.NewLimiter(rate.Every(time.Second), config.RateLimit),
 		tokenCache:            cacheManager.GetSharedTokenCache(),
 		httpClient:            httpClient,
-		tokenHTTPClient:       CreateTokenHTTPClient(),
+		tokenHTTPClient:       tokenHTTPClient,
 		excludedURLs:          createStringMap(config.ExcludedURLs),
 		allowedUserDomains:    createStringMap(config.AllowedUserDomains),
 		allowedUsers:          createCaseInsensitiveStringMap(config.AllowedUsers),
@@ -212,6 +226,13 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 			}
 			return 60 * time.Second
 		}(),
+		maxRefreshTokenAge: func() time.Duration {
+			// 0 (or unset) disables the heuristic; negative is rejected by Validate.
+			if config.MaxRefreshTokenAgeSeconds > 0 {
+				return time.Duration(config.MaxRefreshTokenAgeSeconds) * time.Second
+			}
+			return 0
+		}(),
 		tokenCleanupStopChan:     make(chan struct{}),
 		metadataRefreshStopChan:  make(chan struct{}),
 		ctx:                      pluginCtx,
@@ -222,11 +243,13 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 		dcrConfig:                config.DynamicClientRegistration,
 		allowPrivateIPAddresses:  config.AllowPrivateIPAddresses,
 		minimalHeaders:           config.MinimalHeaders,
+		stripAuthCookies:         config.StripAuthCookies,
 		enableBackchannelLogout:  config.EnableBackchannelLogout,
 		enableFrontchannelLogout: config.EnableFrontchannelLogout,
 		backchannelLogoutPath:    normalizeLogoutPath(config.BackchannelLogoutURL),
 		frontchannelLogoutPath:   normalizeLogoutPath(config.FrontchannelLogoutURL),
 		sessionInvalidationCache: cacheManager.GetSharedSessionInvalidationCache(),
+		refreshResultCache:       cacheManager.GetSharedRefreshResultCache(),
 	}
 
 	// Log audience configuration
@@ -245,6 +268,11 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 	tokenResilienceConfig := DefaultTokenResilienceConfig()
 	t.tokenResilienceManager = NewTokenResilienceManager(tokenResilienceConfig, t.logger)
 
+	// Coalesces concurrent refresh-token grants per refresh_token to one upstream
+	// call, preventing the thundering herd that yields invalid_grant when the IdP
+	// rotates refresh tokens (Zitadel/Authentik default).
+	t.refreshCoordinator = NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), t.logger)
+
 	t.extractClaimsFunc = extractClaims
 	t.initiateAuthenticationFunc = func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
 		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
@@ -292,17 +320,22 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 
 	startReplayCacheCleanup(pluginCtx, logger)
 
-	// Start memory monitoring for leak detection and performance insights
+	// Start memory monitoring for leak detection and performance insights.
+	// The interval is clamped to MinMemoryMonitorInterval (30s) inside
+	// StartMonitoring; tests that need deterministic sampling should call
+	// MemoryMonitor.Refresh() directly instead of waiting on a fast ticker.
 	memoryMonitor := GetGlobalMemoryMonitor()
-	monitorInterval := 60 * time.Second
-	if isTestMode() {
-		monitorInterval = 100 * time.Millisecond // Fast interval for tests
-	}
-	memoryMonitor.StartMonitoring(pluginCtx, monitorInterval)
+	memoryMonitor.StartMonitoring(pluginCtx, DefaultMemoryMonitorInterval)
 	logger.Debug("Started global memory monitoring")
 
 	logger.Debugf("TraefikOidc.New: Final t.scopes initialized to: %v", t.scopes)
 
+	// Log callback URL configuration to help diagnose redirect loop issues.
+	// If callbackURL is a full URL instead of a path, the callback matching
+	// in ServeHTTP will silently fail because req.URL.Path is compared directly.
+	logger.Debugf("TraefikOidc.New: callbackURL (redirURLPath) configured as: %q", t.redirURLPath)
+	logger.Debugf("TraefikOidc.New: logoutURLPath configured as: %q", t.logoutURLPath)
+
 	t.providerURL = config.ProviderURL
 
 	// Use singleton resource manager for metadata initialization

main_servehttp_test.go

@@ -79,34 +79,186 @@ func TestServeHTTP_ExcludedURLs(t *testing.T) {
 	}
 }
 
-// TestServeHTTP_EventStream tests the event-stream bypass functionality
+// TestServeHTTP_EventStream tests the event-stream (SSE) bypass: the
+// handshake must skip the OIDC redirect dance (clients can't follow it
+// mid-stream) but it must STILL require an authenticated session, otherwise
+// any caller could reach the backend by setting Accept: text/event-stream.
 func TestServeHTTP_EventStream(t *testing.T) {
-	nextCalled := false
-	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		nextCalled = true
-		w.WriteHeader(http.StatusOK)
+	sessionManager := createTestSessionManager(t)
+
+	newOidc := func(next http.Handler) *TraefikOidc {
+		oidc := &TraefikOidc{
+			next:                   next,
+			logger:                 NewLogger("debug"),
+			initComplete:           make(chan struct{}),
+			sessionManager:         sessionManager,
+			firstRequestReceived:   true,
+			metadataRefreshStarted: true,
+			issuerURL:              "https://provider.example.com",
+		}
+		close(oidc.initComplete)
+		return oidc
+	}
+
+	t.Run("unauthenticated_request_is_rejected", func(t *testing.T) {
+		nextCalled := false
+		oidc := newOidc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			nextCalled = true
+			w.WriteHeader(http.StatusOK)
+		}))
+
+		req := httptest.NewRequest("GET", "/events", nil)
+		req.Header.Set("Accept", "text/event-stream")
+		rw := httptest.NewRecorder()
+
+		oidc.ServeHTTP(rw, req)
+
+		if rw.Code != http.StatusUnauthorized {
+			t.Errorf("expected 401 for unauthenticated SSE request, got %d", rw.Code)
+		}
+		if nextCalled {
+			t.Error("backend handler must NOT be called for unauthenticated SSE bypass")
+		}
 	})
 
-	oidc := &TraefikOidc{
-		next:                   next,
-		logger:                 NewLogger("debug"),
-		initComplete:           make(chan struct{}),
-		sessionManager:         createTestSessionManager(t),
-		firstRequestReceived:   true,
-		metadataRefreshStarted: true,
-		issuerURL:              "https://provider.example.com",
+	t.Run("authenticated_request_bypasses_to_backend", func(t *testing.T) {
+		nextCalled := false
+		var forwardedUser string
+		oidc := newOidc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			nextCalled = true
+			forwardedUser = r.Header.Get("X-Forwarded-User")
+			w.WriteHeader(http.StatusOK)
+		}))
+
+		req := httptest.NewRequest("GET", "/events", nil)
+		req.Header.Set("Accept", "text/event-stream")
+
+		// Build an authenticated session and inject its cookies onto req.
+		session, err := sessionManager.GetSession(req)
+		if err != nil {
+			t.Fatalf("failed to create test session: %v", err)
+		}
+		session.SetUserIdentifier("user@example.com")
+		if err := session.SetAuthenticated(true); err != nil {
+			t.Fatalf("failed to mark session authenticated: %v", err)
+		}
+		setupRW := httptest.NewRecorder()
+		if err := session.Save(req, setupRW); err != nil {
+			t.Fatalf("failed to save session: %v", err)
+		}
+		for _, c := range setupRW.Result().Cookies() {
+			req.AddCookie(c)
+		}
+
+		rw := httptest.NewRecorder()
+		oidc.ServeHTTP(rw, req)
+
+		if !nextCalled {
+			t.Fatal("expected authenticated SSE request to be forwarded to backend")
+		}
+		if forwardedUser != "user@example.com" {
+			t.Errorf("expected X-Forwarded-User=user@example.com, got %q", forwardedUser)
+		}
+	})
+}
+
+// TestServeHTTP_WebSocketUpgrade mirrors the SSE behavior: WebSocket
+// handshake bypasses the OIDC redirect (clients can't follow it) but the
+// session must already be authenticated, otherwise the backend is exposed
+// to any caller setting `Connection: Upgrade` + `Upgrade: websocket`.
+func TestServeHTTP_WebSocketUpgrade(t *testing.T) {
+	sessionManager := createTestSessionManager(t)
+
+	newOidc := func(next http.Handler) *TraefikOidc {
+		oidc := &TraefikOidc{
+			next:                   next,
+			logger:                 NewLogger("debug"),
+			initComplete:           make(chan struct{}),
+			sessionManager:         sessionManager,
+			firstRequestReceived:   true,
+			metadataRefreshStarted: true,
+			issuerURL:              "https://provider.example.com",
+		}
+		close(oidc.initComplete)
+		return oidc
 	}
-	close(oidc.initComplete)
 
-	req := httptest.NewRequest("GET", "/events", nil)
-	req.Header.Set("Accept", "text/event-stream")
-	rw := httptest.NewRecorder()
+	t.Run("unauthenticated_upgrade_is_rejected", func(t *testing.T) {
+		nextCalled := false
+		oidc := newOidc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			nextCalled = true
+		}))
 
-	oidc.ServeHTTP(rw, req)
+		req := httptest.NewRequest("GET", "/ws", nil)
+		req.Header.Set("Connection", "Upgrade")
+		req.Header.Set("Upgrade", "websocket")
+		rw := httptest.NewRecorder()
 
-	if !nextCalled {
-		t.Error("expected event-stream request to bypass OIDC")
-	}
+		oidc.ServeHTTP(rw, req)
+
+		if rw.Code != http.StatusUnauthorized {
+			t.Errorf("expected 401 for unauthenticated WS upgrade, got %d", rw.Code)
+		}
+		if nextCalled {
+			t.Error("backend handler must NOT be called for unauthenticated WS bypass")
+		}
+	})
+
+	t.Run("authenticated_upgrade_bypasses_to_backend", func(t *testing.T) {
+		nextCalled := false
+		var forwardedUser string
+		oidc := newOidc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			nextCalled = true
+			forwardedUser = r.Header.Get("X-Forwarded-User")
+		}))
+
+		req := httptest.NewRequest("GET", "/ws", nil)
+		// Mixed-case + multi-token Connection header to exercise parsing.
+		req.Header.Set("Connection", "keep-alive, Upgrade")
+		req.Header.Set("Upgrade", "WebSocket")
+
+		session, err := sessionManager.GetSession(req)
+		if err != nil {
+			t.Fatalf("failed to create test session: %v", err)
+		}
+		session.SetUserIdentifier("ws-user@example.com")
+		if err := session.SetAuthenticated(true); err != nil {
+			t.Fatalf("failed to mark session authenticated: %v", err)
+		}
+		setupRW := httptest.NewRecorder()
+		if err := session.Save(req, setupRW); err != nil {
+			t.Fatalf("failed to save session: %v", err)
+		}
+		for _, c := range setupRW.Result().Cookies() {
+			req.AddCookie(c)
+		}
+
+		rw := httptest.NewRecorder()
+		oidc.ServeHTTP(rw, req)
+
+		if !nextCalled {
+			t.Fatal("expected authenticated WS handshake to be forwarded to backend")
+		}
+		if forwardedUser != "ws-user@example.com" {
+			t.Errorf("expected X-Forwarded-User=ws-user@example.com, got %q", forwardedUser)
+		}
+	})
+
+	t.Run("plain_http_does_not_bypass", func(t *testing.T) {
+		// Sanity: requests without Upgrade headers must NOT hit the WS
+		// bypass branch (otherwise the new code path could short-circuit
+		// normal authentication).
+		oidc := newOidc(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			t.Fatal("backend must not be called for unauthenticated plain HTTP")
+		}))
+		req := httptest.NewRequest("GET", "/ws", nil)
+		req.Header.Set("Connection", "keep-alive")
+		rw := httptest.NewRecorder()
+		oidc.ServeHTTP(rw, req)
+		if rw.Code == http.StatusOK {
+			t.Errorf("expected redirect or 401 for plain HTTP without auth, got 200")
+		}
+	})
 }
 
 // TestServeHTTP_InitializationTimeout tests initialization timeout handling
@@ -256,7 +408,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "successful authorization with email",
 			setupSession: func() *MockSessionData {
 				session := &MockSessionData{
-					email:        "user@example.com",
+					userIdentifier: "user@example.com",
 					idToken:      "test-id-token",
 					accessToken:  "test-access-token",
 					isDirty:      false,
@@ -288,7 +440,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "no email triggers reauth",
 			setupSession: func() *MockSessionData {
 				return &MockSessionData{
-					email:       "",
+					userIdentifier: "",
 					idToken:     "test-id-token",
 					accessToken: "test-access-token",
 				}
@@ -309,7 +461,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "roles and groups authorization",
 			setupSession: func() *MockSessionData {
 				return &MockSessionData{
-					email:       "user@example.com",
+					userIdentifier: "user@example.com",
 					idToken:     "test-id-token",
 					accessToken: "test-access-token",
 				}
@@ -342,7 +494,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "unauthorized role/group returns 403",
 			setupSession: func() *MockSessionData {
 				return &MockSessionData{
-					email:       "user@example.com",
+					userIdentifier: "user@example.com",
 					idToken:     "test-id-token",
 					accessToken: "test-access-token",
 				}
@@ -369,7 +521,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "template headers processing",
 			setupSession: func() *MockSessionData {
 				return &MockSessionData{
-					email:       "user@example.com",
+					userIdentifier: "user@example.com",
 					idToken:     "test-id-token",
 					accessToken: "test-access-token",
 					isDirty:     false,
@@ -401,7 +553,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 			name: "OPTIONS request with CORS",
 			setupSession: func() *MockSessionData {
 				return &MockSessionData{
-					email:       "user@example.com",
+					userIdentifier: "user@example.com",
 					idToken:     "test-id-token",
 					accessToken: "test-access-token",
 				}
@@ -452,7 +604,7 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 				manager: &SessionManager{logger: NewLogger("debug")},
 			}
 			// Copy values from mock to concrete session
-			concreteSession.SetEmail(session.email)
+			concreteSession.SetUserIdentifier(session.userIdentifier)
 			concreteSession.SetIDToken(session.idToken)
 			concreteSession.SetAccessToken(session.accessToken)
 			concreteSession.SetRefreshToken(session.refreshToken)
@@ -502,23 +654,23 @@ func TestProcessAuthorizedRequest(t *testing.T) {
 
 // MockSessionData is a test implementation of SessionData interface
 type MockSessionData struct {
-	email         string
-	idToken       string
-	accessToken   string
-	refreshToken  string
-	csrf          string
-	nonce         string
-	codeVerifier  string
-	redirectCount int
-	authenticated bool
-	isDirty       bool
+	userIdentifier string
+	idToken        string
+	accessToken    string
+	refreshToken   string
+	csrf           string
+	nonce          string
+	codeVerifier   string
+	redirectCount  int
+	authenticated  bool
+	isDirty        bool
 }
 
-func (m *MockSessionData) GetEmail() string                                   { return m.email }
+func (m *MockSessionData) GetUserIdentifier() string                          { return m.userIdentifier }
 func (m *MockSessionData) GetIDToken() string                                 { return m.idToken }
 func (m *MockSessionData) GetAccessToken() string                             { return m.accessToken }
 func (m *MockSessionData) GetRefreshToken() string                            { return m.refreshToken }
-func (m *MockSessionData) SetEmail(email string)                              { m.email = email }
+func (m *MockSessionData) SetUserIdentifier(userIdentifier string)            { m.userIdentifier = userIdentifier }
 func (m *MockSessionData) SetIDToken(token string)                            { m.idToken = token }
 func (m *MockSessionData) SetAccessToken(token string)                        { m.accessToken = token }
 func (m *MockSessionData) SetRefreshToken(token string)                       { m.refreshToken = token }
@@ -610,7 +762,7 @@ func TestMinimalHeaders(t *testing.T) {
 			}
 
 			// Set up session data
-			session.SetEmail("user@example.com")
+			session.SetUserIdentifier("user@example.com")
 			session.SetAuthenticated(true)
 
 			// Call processAuthorizedRequest directly
@@ -685,7 +837,7 @@ func TestMinimalHeaders_TokenHeaderNotSet(t *testing.T) {
 		t.Fatalf("Failed to get session: %v", err)
 	}
 
-	session.SetEmail("user@example.com")
+	session.SetUserIdentifier("user@example.com")
 	session.SetAuthenticated(true)
 
 	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
@@ -710,3 +862,344 @@ func TestMinimalHeaders_TokenHeaderNotSet(t *testing.T) {
 		t.Error("expected X-Auth-Request-Redirect to NOT be set with minimalHeaders=true")
 	}
 }
+
+// TestStripAuthCookies tests the stripAuthCookies configuration option.
+// This addresses GitHub issue #122 - OIDC cookies bloating backend requests.
+func TestStripAuthCookies(t *testing.T) {
+	tests := []struct {
+		name              string
+		stripAuthCookies  bool
+		expectOIDCCookies bool
+		expectAppCookies  bool
+	}{
+		{
+			name:              "stripAuthCookies=false (default) forwards all cookies",
+			stripAuthCookies:  false,
+			expectOIDCCookies: true,
+			expectAppCookies:  true,
+		},
+		{
+			name:              "stripAuthCookies=true strips OIDC cookies but keeps app cookies",
+			stripAuthCookies:  true,
+			expectOIDCCookies: false,
+			expectAppCookies:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var capturedCookies []*http.Cookie
+
+			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				capturedCookies = r.Cookies()
+				w.WriteHeader(http.StatusOK)
+			})
+
+			sessionManager := createTestSessionManager(t)
+			cookiePrefix := sessionManager.GetCookiePrefix()
+
+			oidc := &TraefikOidc{
+				next:                   next,
+				logger:                 NewLogger("debug"),
+				initComplete:           make(chan struct{}),
+				sessionManager:         sessionManager,
+				firstRequestReceived:   true,
+				metadataRefreshStarted: true,
+				issuerURL:              "https://provider.example.com",
+				stripAuthCookies:       tt.stripAuthCookies,
+				extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+					return map[string]interface{}{
+						"email": "user@example.com",
+					}, nil
+				},
+			}
+			close(oidc.initComplete)
+
+			req := httptest.NewRequest("GET", "/protected", nil)
+			rw := httptest.NewRecorder()
+
+			// Get a valid session first (before adding fake cookies)
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
+			session.SetUserIdentifier("user@example.com")
+			session.SetAuthenticated(true)
+
+			// Now add OIDC session cookies (simulating what the browser would send)
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "m", Value: "session-data"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_0", Value: "chunk0"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_1", Value: "chunk1"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "a", Value: "access-token"})
+			req.AddCookie(&http.Cookie{Name: cookiePrefix + "r", Value: "refresh-token"})
+
+			// Add non-OIDC application cookies (these must always pass through)
+			req.AddCookie(&http.Cookie{Name: "my_app_session", Value: "app-session-id"})
+			req.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
+
+			oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+			// Check for OIDC cookies in captured cookies
+			hasOIDCCookie := false
+			hasAppSession := false
+			hasTheme := false
+			for _, c := range capturedCookies {
+				if len(c.Name) >= len(cookiePrefix) && c.Name[:len(cookiePrefix)] == cookiePrefix {
+					hasOIDCCookie = true
+				}
+				if c.Name == "my_app_session" {
+					hasAppSession = true
+				}
+				if c.Name == "theme" {
+					hasTheme = true
+				}
+			}
+
+			if tt.expectOIDCCookies && !hasOIDCCookie {
+				t.Error("expected OIDC cookies to be forwarded to backend")
+			}
+			if !tt.expectOIDCCookies && hasOIDCCookie {
+				t.Error("expected OIDC cookies to be stripped before forwarding to backend")
+			}
+
+			if tt.expectAppCookies && !hasAppSession {
+				t.Error("expected my_app_session cookie to be forwarded to backend")
+			}
+			if tt.expectAppCookies && !hasTheme {
+				t.Error("expected theme cookie to be forwarded to backend")
+			}
+		})
+	}
+}
+
+// TestStripAuthCookies_NoCookies verifies stripping works when the request has no cookies.
+func TestStripAuthCookies_NoCookies(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetUserIdentifier("user@example.com")
+	session.SetAuthenticated(true)
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 0 {
+		t.Errorf("expected no cookies, got %d", len(capturedCookies))
+	}
+}
+
+// TestStripAuthCookies_OnlyOIDCCookies verifies that when all cookies are OIDC cookies,
+// the Cookie header is empty after stripping.
+func TestStripAuthCookies_OnlyOIDCCookies(t *testing.T) {
+	var capturedCookieHeader string
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookieHeader = r.Header.Get("Cookie")
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	cookiePrefix := sessionManager.GetCookiePrefix()
+
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetUserIdentifier("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add only OIDC cookies
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "m", Value: "session-data"})
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "s_0", Value: "chunk0"})
+	req.AddCookie(&http.Cookie{Name: cookiePrefix + "a", Value: "access-token"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 0 {
+		t.Errorf("expected all cookies to be stripped, got %d", len(capturedCookies))
+	}
+	if capturedCookieHeader != "" {
+		t.Errorf("expected empty Cookie header, got %q", capturedCookieHeader)
+	}
+}
+
+// TestStripAuthCookies_OnlyAppCookies verifies that non-OIDC cookies pass through
+// untouched when stripping is enabled.
+func TestStripAuthCookies_OnlyAppCookies(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	sessionManager := createTestSessionManager(t)
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sessionManager,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sessionManager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetUserIdentifier("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add only non-OIDC cookies
+	req.AddCookie(&http.Cookie{Name: "my_app_session", Value: "abc123"})
+	req.AddCookie(&http.Cookie{Name: "lang", Value: "en"})
+	req.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	if len(capturedCookies) != 3 {
+		t.Errorf("expected 3 cookies, got %d", len(capturedCookies))
+	}
+
+	cookieNames := make(map[string]bool)
+	for _, c := range capturedCookies {
+		cookieNames[c.Name] = true
+	}
+	for _, expected := range []string{"my_app_session", "lang", "theme"} {
+		if !cookieNames[expected] {
+			t.Errorf("expected cookie %q to be forwarded", expected)
+		}
+	}
+}
+
+// TestStripAuthCookies_CustomPrefix verifies stripping works with a custom cookie prefix.
+func TestStripAuthCookies_CustomPrefix(t *testing.T) {
+	var capturedCookies []*http.Cookie
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedCookies = r.Cookies()
+		w.WriteHeader(http.StatusOK)
+	})
+
+	// Create session manager with custom prefix
+	sm, err := NewSessionManager("test-encryption-key-32-characters", false, "", "myapp_oidc_", 0, NewLogger("debug"))
+	if err != nil {
+		t.Fatalf("Failed to create session manager: %v", err)
+	}
+	customPrefix := sm.GetCookiePrefix()
+
+	oidc := &TraefikOidc{
+		next:                   next,
+		logger:                 NewLogger("debug"),
+		initComplete:           make(chan struct{}),
+		sessionManager:         sm,
+		firstRequestReceived:   true,
+		metadataRefreshStarted: true,
+		issuerURL:              "https://provider.example.com",
+		stripAuthCookies:       true,
+		extractClaimsFunc: func(token string) (map[string]interface{}, error) {
+			return map[string]interface{}{"email": "user@example.com"}, nil
+		},
+	}
+	close(oidc.initComplete)
+
+	req := httptest.NewRequest("GET", "/protected", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := sm.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+	session.SetUserIdentifier("user@example.com")
+	session.SetAuthenticated(true)
+
+	// Add cookies with the custom prefix (should be stripped)
+	req.AddCookie(&http.Cookie{Name: customPrefix + "m", Value: "session-data"})
+	req.AddCookie(&http.Cookie{Name: customPrefix + "s_0", Value: "chunk0"})
+
+	// Add default-prefix cookie (should NOT be stripped — different prefix)
+	req.AddCookie(&http.Cookie{Name: "_oidc_raczylo_m", Value: "other-session"})
+
+	// Add app cookie (should NOT be stripped)
+	req.AddCookie(&http.Cookie{Name: "my_app", Value: "val"})
+
+	oidc.processAuthorizedRequest(rw, req, session, "https://example.com/callback")
+
+	cookieNames := make(map[string]bool)
+	for _, c := range capturedCookies {
+		cookieNames[c.Name] = true
+	}
+
+	// Custom prefix cookies should be stripped
+	if cookieNames[customPrefix+"m"] {
+		t.Errorf("expected cookie %q to be stripped", customPrefix+"m")
+	}
+	if cookieNames[customPrefix+"s_0"] {
+		t.Errorf("expected cookie %q to be stripped", customPrefix+"s_0")
+	}
+
+	// Default prefix cookie should pass through (different prefix)
+	if !cookieNames["_oidc_raczylo_m"] {
+		t.Error("expected _oidc_raczylo_m cookie to pass through (different prefix)")
+	}
+
+	// App cookie should pass through
+	if !cookieNames["my_app"] {
+		t.Error("expected my_app cookie to pass through")
+	}
+}

main_test.go

@@ -208,6 +208,32 @@ func (m *MockJWKCache) GetJWKS(ctx context.Context, jwksURL string, httpClient *
 	return m.JWKS, m.Err
 }
 
+func (m *MockJWKCache) GetPublicKey(ctx context.Context, jwksURL, kid string, httpClient *http.Client) (crypto.PublicKey, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	if m.Err != nil {
+		return nil, m.Err
+	}
+	if m.JWKS == nil {
+		return nil, fmt.Errorf("JWKS is nil")
+	}
+	for i := range m.JWKS.Keys {
+		k := &m.JWKS.Keys[i]
+		if k.Kid != kid {
+			continue
+		}
+		switch k.Kty {
+		case "RSA":
+			return k.ToRSAPublicKey()
+		case "EC":
+			return k.ToECDSAPublicKey()
+		default:
+			return nil, fmt.Errorf("unsupported key type: %s", k.Kty)
+		}
+	}
+	return nil, fmt.Errorf("no matching public key found for kid: %s", kid)
+}
+
 func (m *MockJWKCache) Cleanup() {
 	// Mock cleanup is a no-op - we don't want to destroy the mock JWKS data
 	// Real cleanup is for expired entries, not resetting all data
@@ -554,7 +580,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/protected",
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				// Generate a fresh valid token for this test case to avoid replay issues
 				freshToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(1 * time.Hour).Unix(),
@@ -577,7 +603,7 @@ func TestServeHTTP(t *testing.T) {
 				// even if session.SetAuthenticated(true) was called.
 				// We rely on needsRefresh=true and the presence of the refresh token to trigger the refresh attempt.
 				session.SetAuthenticated(true) // Set flag initially, though isUserAuthenticated will override based on token
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				// Create an expired token for this test
 				expiredToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(-1 * time.Hour).Unix(),
@@ -634,7 +660,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/callback/logout", // Match the default logout path set in TestSuite.Setup
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				// Generate a fresh valid token for this test case
 				freshToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(1 * time.Hour).Unix(),
@@ -652,7 +678,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/protected",
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true) // Set flag initially
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				// Create an expired token for this test
 				expiredToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(-1 * time.Hour).Unix(),
@@ -680,7 +706,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/protected",
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true) // Set flag initially
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				// Create an expired token for this test
 				expiredToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(-1 * time.Hour).Unix(),
@@ -715,7 +741,7 @@ func TestServeHTTP(t *testing.T) {
 					"sub": "test-subject", "email": "user@example.com", "jti": generateRandomString(16),
 				})
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				session.SetAccessToken(nearExpiryToken)
 				session.SetRefreshToken("valid-refresh-token-for-near-expiry") // Refresh token MUST exist for proactive refresh
 			},
@@ -746,7 +772,7 @@ func TestServeHTTP(t *testing.T) {
 					"sub": "test-subject", "email": "user@example.com", "jti": generateRandomString(16),
 				})
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 				session.SetAccessToken(validToken)
 				session.SetIDToken(validToken) // Ensure ID token is also set
 				session.SetRefreshToken("should-not-be-used-refresh-token")
@@ -766,7 +792,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/protected",
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@disallowed.com") // Use disallowed domain
+				session.SetUserIdentifier("user@disallowed.com") // Use disallowed domain
 				// Generate a fresh valid token for this test case
 				freshToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(1 * time.Hour).Unix(),
@@ -788,7 +814,7 @@ func TestServeHTTP(t *testing.T) {
 			requestPath: "/protected",
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@disallowed.com") // Use disallowed domain
+				session.SetUserIdentifier("user@disallowed.com") // Use disallowed domain
 				// Generate a fresh valid token for this test case
 				freshToken, _ := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", map[string]interface{}{
 					"iss": "https://test-issuer.com", "aud": "test-client-id", "exp": time.Now().Add(1 * time.Hour).Unix(),
@@ -2153,7 +2179,7 @@ func TestHandleExpiredToken(t *testing.T) {
 					"sub": "test-subject", "email": "test@example.com", "jti": generateRandomString(16),
 				})
 				session.SetAccessToken(expiredToken)
-				session.SetEmail("test@example.com")
+				session.SetUserIdentifier("test@example.com")
 			},
 			expectedPath: "/original/path",
 		},
@@ -2730,7 +2756,7 @@ func TestServeHTTPRolesAndGroups(t *testing.T) {
 			},
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 			},
 			expectedStatus: http.StatusOK,
 			expectedHeaders: map[string]string{
@@ -2756,7 +2782,7 @@ func TestServeHTTPRolesAndGroups(t *testing.T) {
 			},
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 			},
 			expectedStatus: http.StatusOK,
 			expectedHeaders: map[string]string{
@@ -2783,7 +2809,7 @@ func TestServeHTTPRolesAndGroups(t *testing.T) {
 			},
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 			},
 			expectedStatus: http.StatusForbidden,
 		},
@@ -2803,7 +2829,7 @@ func TestServeHTTPRolesAndGroups(t *testing.T) {
 			},
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 			},
 			expectedStatus: http.StatusOK,
 			expectedHeaders: map[string]string{
@@ -2825,7 +2851,7 @@ func TestServeHTTPRolesAndGroups(t *testing.T) {
 			},
 			setupSession: func(session *SessionData) {
 				session.SetAuthenticated(true)
-				session.SetEmail("user@example.com")
+				session.SetUserIdentifier("user@example.com")
 			},
 			expectedStatus:  http.StatusOK,
 			expectedHeaders: map[string]string{},

memory_leak_fixes.go

@@ -9,13 +9,18 @@ import (
 // LazyBackgroundTask wraps BackgroundTask to provide delayed initialization.
 // This prevents memory leaks from unnecessary background tasks by starting
 // them only when actually needed, reducing resource usage in idle scenarios.
+//
+// Lifecycle is one-shot: once Stop has been called the task cannot be
+// restarted. The underlying BackgroundTask uses sync.Once for Start and
+// refuses to re-run after Stop, so restart is not supported by design.
 type LazyBackgroundTask struct {
 	// BackgroundTask is the underlying task implementation
 	*BackgroundTask
-	// started tracks whether the task has been activated
+	// mu guards the started flag against concurrent StartIfNeeded / Stop calls.
+	mu sync.Mutex
+	// started tracks whether the task has been activated.
+	// Only mutated while holding mu.
 	started bool
-	// startOnce ensures single initialization
-	startOnce sync.Once
 }
 
 // NewLazyBackgroundTask creates a background task that doesn't start immediately.
@@ -29,24 +34,28 @@ func NewLazyBackgroundTask(name string, interval time.Duration, taskFunc func(),
 }
 
 // StartIfNeeded starts the background task only if it hasn't been started yet.
-// Uses sync.Once to ensure thread-safe single initialization.
+// Safe to call concurrently. After Stop has been called this is a no-op;
+// the task is not restartable.
 func (lt *LazyBackgroundTask) StartIfNeeded() {
-	lt.startOnce.Do(func() {
-		if !lt.started {
-			lt.BackgroundTask.Start()
-			lt.started = true
-		}
-	})
+	lt.mu.Lock()
+	defer lt.mu.Unlock()
+	if lt.started {
+		return
+	}
+	lt.BackgroundTask.Start()
+	lt.started = true
 }
 
 // Stop stops the background task if it was started.
-// Resets the start state to allow potential future re-initialization.
+// Once stopped, the task cannot be restarted (see type doc).
 func (lt *LazyBackgroundTask) Stop() {
-	if lt.started {
-		lt.BackgroundTask.Stop()
-		lt.started = false
-		lt.startOnce = sync.Once{}
+	lt.mu.Lock()
+	defer lt.mu.Unlock()
+	if !lt.started {
+		return
 	}
+	lt.BackgroundTask.Stop()
+	lt.started = false
 }
 
 // NewLazyCacheWithLogger creates a cache that doesn't start cleanup until first use.

memory_monitor.go

@@ -58,13 +58,21 @@ func (mpl MemoryPressureLevel) String() string {
 	}
 }
 
-// MemoryMonitor provides comprehensive memory monitoring and alerting
+// MemoryMonitor provides comprehensive memory monitoring and alerting.
+//
+// Memory sampling is expensive: runtime.ReadMemStats is a stop-the-world
+// operation. To keep latency predictable the monitor caches the most recent
+// sample and only refreshes it when the background ticker fires, when TriggerGC
+// is invoked, or when a caller explicitly calls Refresh(). GetCurrentStats is a
+// cheap read of that cached sample.
 type MemoryMonitor struct {
 	lastGCTime         time.Time
 	startTime          time.Time
 	lastStats          *MemoryStats
+	cachedMemStats     runtime.MemStats
 	logger             *Logger
 	alertThresholds    MemoryAlertThresholds
+	config             MemoryMonitorConfig
 	baselineGoroutines int
 	baselineHeap       uint64
 	heapGrowthRate     float64
@@ -84,6 +92,30 @@ type MemoryAlertThresholds struct {
 	GCFrequency         float64 // Alert when GC frequency exceeds this per minute
 }
 
+// MemoryMonitorConfig configures the memory monitor's scheduling behavior.
+// Thresholds are kept separate in MemoryAlertThresholds.
+type MemoryMonitorConfig struct {
+	// Interval between background samples. Must be >= MinMemoryMonitorInterval
+	// (30s). Values below the minimum are clamped when monitoring starts.
+	Interval time.Duration
+}
+
+// Default and minimum interval values. The minimum exists because
+// runtime.ReadMemStats is stop-the-world and hammering it on a hot loop causes
+// noticeable latency spikes, especially under yaegi.
+const (
+	DefaultMemoryMonitorInterval = 60 * time.Second
+	MinMemoryMonitorInterval     = 30 * time.Second
+)
+
+// DefaultMemoryMonitorConfig returns a config with sensible production
+// defaults.
+func DefaultMemoryMonitorConfig() MemoryMonitorConfig {
+	return MemoryMonitorConfig{
+		Interval: DefaultMemoryMonitorInterval,
+	}
+}
+
 // DefaultMemoryAlertThresholds returns sensible default alert thresholds
 func DefaultMemoryAlertThresholds() MemoryAlertThresholds {
 	return MemoryAlertThresholds{
@@ -95,35 +127,82 @@ func DefaultMemoryAlertThresholds() MemoryAlertThresholds {
 	}
 }
 
-// NewMemoryMonitor creates a new memory monitor
+// NewMemoryMonitor creates a new memory monitor using default scheduling
+// configuration. See NewMemoryMonitorWithConfig for full control.
 func NewMemoryMonitor(logger *Logger, thresholds MemoryAlertThresholds) *MemoryMonitor {
+	return NewMemoryMonitorWithConfig(logger, thresholds, DefaultMemoryMonitorConfig())
+}
+
+// NewMemoryMonitorWithConfig creates a new memory monitor with an explicit
+// scheduling config.
+//
+// NOTE: the constructor performs a single runtime.ReadMemStats call to capture
+// baseline heap / goroutine / GC counters used for leak and growth detection.
+// This is a one-time stop-the-world cost at startup; all subsequent samples
+// only happen on the monitoring ticker or on explicit Refresh() calls.
+func NewMemoryMonitorWithConfig(logger *Logger, thresholds MemoryAlertThresholds, config MemoryMonitorConfig) *MemoryMonitor {
 	if logger == nil {
 		logger = GetSingletonNoOpLogger()
 	}
 
+	if config.Interval <= 0 {
+		config.Interval = DefaultMemoryMonitorInterval
+	}
+
+	// One-time initial sample to seed baselines used for growth / leak
+	// detection. All subsequent sampling is gated by the monitoring ticker or
+	// explicit Refresh() calls.
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 
-	return &MemoryMonitor{
+	mm := &MemoryMonitor{
 		logger:             logger,
 		startTime:          time.Now(),
 		alertThresholds:    thresholds,
+		config:             config,
 		baselineHeap:       memStats.HeapAlloc,
 		baselineGoroutines: runtime.NumGoroutine(),
 		// #nosec G115 -- LastGC nanoseconds fits in int64 for centuries
 		lastGCTime:  time.Unix(0, int64(memStats.LastGC)),
 		lastGCCount: memStats.NumGC,
 	}
+	mm.cachedMemStats = memStats
+	return mm
 }
 
-// GetCurrentStats collects current memory statistics
+// GetCurrentStats returns the most recently sampled memory statistics.
+//
+// This is a cheap cached read: it does NOT call runtime.ReadMemStats. Samples
+// are refreshed only by the monitoring ticker or by an explicit call to
+// Refresh(). If no sample has been produced yet, stats derived from the
+// constructor-time raw sample are returned (with no additional STW cost).
 func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
+	mm.mu.RLock()
+	stats := mm.lastStats
+	mm.mu.RUnlock()
+	if stats != nil {
+		return stats
+	}
+	return mm.buildStatsFromCache()
+}
+
+// Refresh synchronously samples current memory statistics via
+// runtime.ReadMemStats and updates the cached value. This is the only path
+// (other than the monitoring ticker and TriggerGC) that pays the stop-the-world
+// cost. Use it in tests or in callers that explicitly need a fresh sample.
+func (mm *MemoryMonitor) Refresh() *MemoryStats {
+	return mm.sample()
+}
+
+// sample performs a stop-the-world ReadMemStats, updates the cached raw stats,
+// computes a derived MemoryStats snapshot, and stores it as lastStats.
+func (mm *MemoryMonitor) sample() *MemoryStats {
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 
 	now := time.Now()
 
-	// Calculate GC frequency
+	// Calculate GC frequency relative to the previous snapshot.
 	gcFrequency := 0.0
 	mm.mu.RLock()
 	lastStats := mm.lastStats
@@ -168,6 +247,7 @@ func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
 	mm.updateHeapGrowthTracking(stats)
 
 	mm.mu.Lock()
+	mm.cachedMemStats = memStats
 	mm.lastStats = stats
 	mm.lastGCCount = memStats.NumGC
 	mm.mu.Unlock()
@@ -175,6 +255,35 @@ func (mm *MemoryMonitor) GetCurrentStats() *MemoryStats {
 	return stats
 }
 
+// buildStatsFromCache constructs a MemoryStats snapshot from the cached raw
+// runtime.MemStats without issuing a new ReadMemStats call. Used as a fallback
+// when GetCurrentStats is called before the first sample() has completed.
+func (mm *MemoryMonitor) buildStatsFromCache() *MemoryStats {
+	mm.mu.RLock()
+	memStats := mm.cachedMemStats
+	mm.mu.RUnlock()
+
+	stats := &MemoryStats{
+		HeapAllocBytes:    memStats.HeapAlloc,
+		HeapSysBytes:      memStats.HeapSys,
+		HeapIdleBytes:     memStats.HeapIdle,
+		HeapInuseBytes:    memStats.HeapInuse,
+		HeapReleasedBytes: memStats.HeapReleased,
+		HeapObjects:       memStats.HeapObjects,
+		StackInuseBytes:   memStats.StackInuse,
+		StackSysBytes:     memStats.StackSys,
+		GCSysBytes:        memStats.GCSys,
+		NumGoroutines:     runtime.NumGoroutine(),
+		// #nosec G115 -- LastGC nanoseconds fits in int64 for centuries
+		LastGCTime:  time.Unix(0, int64(memStats.LastGC)),
+		GCFrequency: 0.0,
+		Timestamp:   time.Now(),
+	}
+	mm.collectApplicationStats(stats)
+	stats.MemoryPressure = mm.calculateMemoryPressure(stats)
+	return stats
+}
+
 // collectApplicationStats gathers application-specific memory stats
 func (mm *MemoryMonitor) collectApplicationStats(stats *MemoryStats) {
 	// Get session count from ChunkManager if available
@@ -302,7 +411,16 @@ var (
 	globalMonitoringMutex   sync.Mutex
 )
 
-// StartMonitoring starts continuous memory monitoring as a global singleton
+// StartMonitoring starts continuous memory monitoring as a global singleton.
+//
+// The effective interval is resolved as follows:
+//  1. If the caller passes a positive interval, that is used.
+//  2. Otherwise the configured MemoryMonitorConfig.Interval is used.
+//  3. Otherwise the built-in default (60s) is used.
+//
+// The result is then clamped to a minimum of MinMemoryMonitorInterval (30s) to
+// avoid stop-the-world ReadMemStats storms. Callers that need rapid updates in
+// tests should call Refresh() directly instead of spinning the ticker fast.
 func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Duration) {
 	globalMonitoringMutex.Lock()
 	defer globalMonitoringMutex.Unlock()
@@ -316,7 +434,17 @@ func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Dura
 	}
 
 	if interval <= 0 {
-		interval = 30 * time.Second
+		interval = mm.config.Interval
+	}
+	if interval <= 0 {
+		interval = DefaultMemoryMonitorInterval
+	}
+	if interval < MinMemoryMonitorInterval {
+		if !isTestMode() {
+			mm.logger.Debug("Memory monitor interval %v is below minimum %v; clamping",
+				interval, MinMemoryMonitorInterval)
+		}
+		interval = MinMemoryMonitorInterval
 	}
 
 	registry := GetGlobalTaskRegistry()
@@ -325,7 +453,7 @@ func (mm *MemoryMonitor) StartMonitoring(ctx context.Context, interval time.Dura
 		"memory-monitor",
 		interval,
 		func() {
-			stats := mm.GetCurrentStats()
+			stats := mm.sample()
 			mm.LogMemoryStats(stats)
 			mm.checkAlerts(stats)
 		},
@@ -369,14 +497,16 @@ func (mm *MemoryMonitor) checkAlerts(stats *MemoryStats) {
 	}
 }
 
-// TriggerGC forces garbage collection and logs the impact
+// TriggerGC forces garbage collection and logs the impact. Both the before and
+// after measurements are fresh samples (explicit Refresh() calls) because the
+// comparison is meaningless against a stale cached snapshot.
 func (mm *MemoryMonitor) TriggerGC() {
-	before := mm.GetCurrentStats()
+	before := mm.Refresh()
 
 	runtime.GC()
 	runtime.GC() // Run twice to ensure full collection
 
-	after := mm.GetCurrentStats()
+	after := mm.Refresh()
 
 	// #nosec G115 -- heap allocation bytes fit in int64 for practical purposes
 	freedBytes := int64(before.HeapAllocBytes) - int64(after.HeapAllocBytes)

middleware.go

@@ -13,6 +13,99 @@ import (
 	"github.com/lukaszraczylo/traefikoidc/internal/utils"
 )
 
+// bypassReason describes why a request is being forwarded without OIDC auth.
+// It is only used for logging and to decide whether extra side-effects
+// (propagating the user header from an existing session) should run.
+const (
+	bypassReasonExcluded  = "excluded-url"
+	bypassReasonSSE       = "sse"
+	bypassReasonWebSocket = "websocket"
+)
+
+// isWebSocketUpgrade reports whether req is a WebSocket upgrade handshake
+// (RFC 6455). The middleware can only see the handshake; once Traefik
+// completes the upgrade it forwards frames directly, so we never re-process
+// per-frame traffic. We bypass auth on the handshake the same way we do for
+// SSE, because browser WebSocket clients cannot follow an OIDC redirect.
+func isWebSocketUpgrade(req *http.Request) bool {
+	if !strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
+		return false
+	}
+	for _, token := range strings.Split(req.Header.Get("Connection"), ",") {
+		if strings.EqualFold(strings.TrimSpace(token), "upgrade") {
+			return true
+		}
+	}
+	return false
+}
+
+// shouldBypassAuth decides whether a request must skip OIDC authentication
+// entirely. It returns (true, reason) when either the request path matches a
+// configured excluded URL, the Accept header asks for a text/event-stream
+// response (SSE), or the request is a WebSocket upgrade handshake. The
+// reason lets ServeHTTP apply any side-effects that are unique to the bypass
+// kind (e.g. propagating user headers).
+//
+// This must be called BEFORE waiting on t.initComplete so excluded, SSE and
+// WebSocket traffic is never blocked by a slow/broken provider.
+func (t *TraefikOidc) shouldBypassAuth(req *http.Request) (bool, string) {
+	if t.determineExcludedURL(req.URL.Path) {
+		return true, bypassReasonExcluded
+	}
+	if strings.Contains(req.Header.Get("Accept"), "text/event-stream") {
+		return true, bypassReasonSSE
+	}
+	if isWebSocketUpgrade(req) {
+		return true, bypassReasonWebSocket
+	}
+	return false, ""
+}
+
+// applyBypassUserHeaders enforces authentication on SSE / WebSocket bypass
+// requests and, on success, copies the authenticated user's identity onto
+// the outgoing request so downstream services can see who the user is.
+//
+// Returns true when the request carries a valid authenticated session and
+// the bypass should proceed. Returns false when no usable session is
+// present; callers must then reject the request (typically with 401) to
+// prevent unauthenticated traffic from reaching the backend just by setting
+// `Accept: text/event-stream` or sending a WebSocket upgrade.
+//
+// The check is cookie-only: the session cookie is sealed by our encryption
+// key, so the authenticated flag cannot be forged. We do NOT run full token
+// signature verification here so that SSE/WS keeps working when the OIDC
+// provider is briefly unavailable for JWK fetches.
+func (t *TraefikOidc) applyBypassUserHeaders(req *http.Request, reason string) bool {
+	if t.sessionManager == nil {
+		return false
+	}
+
+	session, err := t.sessionManager.GetSession(req)
+	if err != nil {
+		t.logger.Debugf("%s bypass: unable to load session: %v", reason, err)
+		return false
+	}
+	defer session.returnToPoolSafely()
+
+	if !session.GetAuthenticated() {
+		t.logger.Debugf("%s bypass: rejecting request without authenticated session", reason)
+		return false
+	}
+
+	userIdentifier := session.GetUserIdentifier()
+	if userIdentifier == "" {
+		t.logger.Debugf("%s bypass: rejecting request, session has no user identifier", reason)
+		return false
+	}
+
+	req.Header.Set("X-Forwarded-User", userIdentifier)
+	if !t.minimalHeaders {
+		req.Header.Set("X-Auth-Request-User", userIdentifier)
+	}
+	t.logger.Debugf("%s bypass: forwarded user %s from session", reason, userIdentifier)
+	return true
+}
+
 // ServeHTTP implements the main middleware logic for processing HTTP requests.
 // It handles the complete OIDC authentication flow including:
 //   - Excluded URL bypass
@@ -67,24 +160,43 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		t.firstRequestMutex.Unlock()
 	}
 
-	// Check excluded URLs before waiting for initialization
-	if t.determineExcludedURL(req.URL.Path) {
-		t.logger.Debugf("Request path %s excluded by configuration, bypassing OIDC", req.URL.Path)
-		t.next.ServeHTTP(rw, req)
-		return
-	}
-
-	// Check for SSE requests before waiting for initialization
-	acceptHeader := req.Header.Get("Accept")
-	if strings.Contains(acceptHeader, "text/event-stream") {
-		t.logger.Debugf("Request accepts text/event-stream (%s), bypassing OIDC", acceptHeader)
-		t.next.ServeHTTP(rw, req)
+	// Evaluate auth-bypass once, before waiting for initialization. Excluded
+	// URLs, SSE and WebSocket upgrade requests must not block on provider
+	// init. For SSE/WebSocket we ALSO require an authenticated session
+	// (cookie-only check, no JWK fetch) and otherwise return 401 — clients
+	// of in-flight streams can't follow an OIDC redirect, so forwarding
+	// unauthenticated traffic would silently expose the backend.
+	if bypass, reason := t.shouldBypassAuth(req); bypass {
+		t.logger.Debugf("Bypassing OIDC for %s (%s)", req.URL.Path, reason)
+		switch reason {
+		case bypassReasonExcluded:
+			// Operator-declared excluded URLs forward unconditionally.
+			t.next.ServeHTTP(rw, req)
+		case bypassReasonSSE, bypassReasonWebSocket:
+			// Skip the OIDC redirect dance (clients can't follow it
+			// mid-stream) but still require an authenticated session.
+			// Otherwise an unauthenticated client could hit the backend
+			// just by setting Accept: text/event-stream or sending a
+			// WebSocket upgrade.
+			if !t.applyBypassUserHeaders(req, reason) {
+				t.sendErrorResponse(rw, req, "Authentication required", http.StatusUnauthorized)
+				return
+			}
+			t.next.ServeHTTP(rw, req)
+		default:
+			t.next.ServeHTTP(rw, req)
+		}
 		return
 	}
 
 	// Log waiting for initialization to help diagnose hanging requests
 	t.logger.Debug("Waiting for OIDC provider initialization...")
 
+	// time.NewTimer + Stop avoids leaking a goroutine+channel for 30s on every
+	// request when initComplete fires quickly (would happen with time.After).
+	initTimer := time.NewTimer(30 * time.Second)
+	defer initTimer.Stop()
+
 	select {
 	case <-t.initComplete:
 		// Read issuerURL with RLock
@@ -115,34 +227,13 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		t.logger.Debug("Request canceled while waiting for OIDC initialization")
 		t.sendErrorResponse(rw, req, "Request canceled", http.StatusRequestTimeout)
 		return
-	case <-time.After(30 * time.Second):
+	case <-initTimer.C:
 		t.logger.Error("Timeout waiting for OIDC initialization")
 		t.sendErrorResponse(rw, req, "Timeout waiting for OIDC provider initialization - please try again later", http.StatusServiceUnavailable)
 		return
 	}
 
-	if t.determineExcludedURL(req.URL.Path) {
-		t.logger.Debugf("Request path %s excluded by configuration, bypassing OIDC", req.URL.Path)
-		t.next.ServeHTTP(rw, req)
-		return
-	}
-	acceptHeader = req.Header.Get("Accept")
-	if strings.Contains(acceptHeader, "text/event-stream") {
-		t.logger.Debugf("Request accepts text/event-stream (%s), bypassing OIDC", acceptHeader)
-		// Set forwarded user headers from existing session before bypassing
-		if session, err := t.sessionManager.GetSession(req); err == nil {
-			defer session.returnToPoolSafely()
-			if email := session.GetEmail(); email != "" {
-				req.Header.Set("X-Forwarded-User", email)
-				if !t.minimalHeaders {
-					req.Header.Set("X-Auth-Request-User", email)
-				}
-				t.logger.Debugf("SSE bypass: forwarded user %s from session", email)
-			}
-		}
-		t.next.ServeHTTP(rw, req)
-		return
-	}
+	// Bypass checks already ran before the init wait; no need to repeat them.
 	t.sessionManager.CleanupOldCookies(rw, req)
 
 	session, err := t.sessionManager.GetSession(req)
@@ -160,6 +251,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			t.sendErrorResponse(rw, req, "Critical session error", http.StatusInternalServerError)
 			return
 		}
+		// Sub-resource requests (script/image/fetch/serviceWorker) must not
+		// trigger an OIDC redirect from this path either: they would overwrite
+		// any in-flight CSRF/nonce in the session. Let the next HTML navigation
+		// initiate the flow. See issue #129.
+		if t.isAjaxRequest(req) || t.isNonNavigationRequest(req) {
+			t.sendErrorResponse(rw, req, "Authentication required", http.StatusUnauthorized)
+			return
+		}
 		scheme := utils.DetermineScheme(req, t.forceHTTPS)
 		host := utils.DetermineHost(req)
 		redirectURL := buildFullURL(scheme, host, t.redirURLPath)
@@ -173,10 +272,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	host := utils.DetermineHost(req)
 	redirectURL := buildFullURL(scheme, host, t.redirURLPath)
 
+	// Check if the current request is the OIDC callback
+	t.logger.Debugf("Checking callback URL match: request_path=%q, configured_callback=%q", req.URL.Path, t.redirURLPath)
 	if req.URL.Path == t.redirURLPath {
+		t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%s)", redirectURL)
 		t.handleCallback(rw, req, redirectURL)
 		return
 	}
+	t.logger.Debugf("Callback URL did not match (request_path=%q != configured=%q), continuing auth flow", req.URL.Path, t.redirURLPath)
 
 	authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
 
@@ -186,7 +289,7 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	userIdentifier := session.GetEmail() // GetEmail returns the stored user identifier (email or other claim)
+	userIdentifier := session.GetUserIdentifier()
 	// User authorization check
 	if authenticated && userIdentifier != "" {
 		if !t.isAllowedUser(userIdentifier) {
@@ -209,8 +312,12 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	refreshTokenPresent := session.GetRefreshToken() != ""
 
-	// Check if this is an AJAX request that should receive 401 instead of redirect
-	isAjaxRequest := t.isAjaxRequest(req)
+	// Decide whether to answer with 401 instead of a redirect. AJAX requests
+	// cannot follow a 302 into an IdP, and sub-resource loads (script/image/
+	// fetch/serviceWorker) must not trigger a fresh OIDC flow because parallel
+	// loads would each overwrite the session CSRF/nonce (issue #129). Only
+	// top-level HTML navigations should redirect.
+	isAjaxRequest := t.isAjaxRequest(req) || t.isNonNavigationRequest(req)
 
 	// Check if refresh token is likely expired (older than 6 hours)
 	refreshTokenExpired := refreshTokenPresent && t.isRefreshTokenExpired(session)
@@ -254,7 +361,7 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 		refreshed := t.refreshToken(rw, req, session)
 		if refreshed {
-			userIdentifier = session.GetEmail() // GetEmail returns the stored user identifier
+			userIdentifier = session.GetUserIdentifier()
 			if userIdentifier != "" && !t.isAllowedUser(userIdentifier) {
 				t.logger.Infof("User with refreshed token %s is not authorized", userIdentifier)
 				errorMsg := fmt.Sprintf("Access denied: You are not authorized to access this resource. To log out, visit: %s", t.logoutURLPath)
@@ -304,9 +411,9 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 //   - session: The user's session data containing tokens and claims.
 //   - redirectURL: The callback URL for re-authentication if needed.
 func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
-	email := session.GetEmail()
-	if email == "" {
-		t.logger.Info("No email found in session during final processing, initiating re-auth")
+	userIdentifier := session.GetUserIdentifier()
+	if userIdentifier == "" {
+		t.logger.Info("No user identifier found in session during final processing, initiating re-auth")
 		// Reset redirect count to prevent loops when session is invalid
 		session.ResetRedirectCount()
 		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
@@ -319,7 +426,7 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 		if idToken != "" {
 			sid, sub, createdAt := t.extractSessionInfo(idToken)
 			if t.isSessionInvalidated(sid, sub, createdAt) {
-				t.logger.Infof("Session for user %s has been invalidated via IdP-initiated logout", email)
+				t.logger.Infof("Session for user %s has been invalidated via IdP-initiated logout", userIdentifier)
 				// Clear the session and redirect to login
 				if err := session.Clear(req, rw); err != nil {
 					t.logger.Errorf("Error clearing invalidated session: %v", err)
@@ -331,31 +438,52 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 		}
 	}
 
-	tokenForClaims := session.GetIDToken()
-	if tokenForClaims == "" {
-		tokenForClaims = session.GetAccessToken()
-		if tokenForClaims == "" && len(t.allowedRolesAndGroups) > 0 {
-			t.logger.Error("No token available but roles/groups checks are required")
-			// Reset redirect count to prevent loops when token is missing
+	// Resolve ID-token claims at most once per request. SessionData caches
+	// the parsed claims keyed on the raw ID token, so concurrent dashboard
+	// panel requests on the same session don't repeatedly base64-decode and
+	// JSON-unmarshal the same JWT (a real cost under the yaegi interpreter
+	// that hosts Traefik plugins). idClaims is reused below by the
+	// header-templates branch.
+	idToken := session.GetIDToken()
+	var (
+		idClaims    map[string]interface{}
+		idClaimsErr error
+	)
+	if idToken != "" {
+		idClaims, idClaimsErr = session.GetIDTokenClaims(t.extractClaimsFunc)
+	}
+
+	// Choose which claims drive groups/roles extraction. Prefer the ID
+	// token (cached) and fall back to the access token if there is no ID
+	// token in the session — matching the prior behavior for opaque
+	// ID-token providers.
+	var (
+		groupClaims    map[string]interface{}
+		groupClaimsErr error
+	)
+	if idToken != "" {
+		groupClaims, groupClaimsErr = idClaims, idClaimsErr
+	} else if accessToken := session.GetAccessToken(); accessToken != "" {
+		groupClaims, groupClaimsErr = t.extractClaimsFunc(accessToken)
+	} else if len(t.allowedRolesAndGroups) > 0 {
+		t.logger.Error("No token available but roles/groups checks are required")
+		session.ResetRedirectCount()
+		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+		return
+	}
+
+	var groups, roles []string
+
+	if groupClaimsErr == nil && groupClaims != nil {
+		var err error
+		groups, roles, err = t.extractGroupsAndRolesFromClaims(groupClaims)
+		if err != nil && len(t.allowedRolesAndGroups) > 0 {
+			t.logger.Errorf("Failed to extract groups and roles: %v", err)
 			session.ResetRedirectCount()
 			t.defaultInitiateAuthentication(rw, req, session, redirectURL)
 			return
 		}
-	}
-
-	// Initialize empty slices
-	var groups, roles []string
-
-	if tokenForClaims != "" {
-		var err error
-		groups, roles, err = t.extractGroupsAndRoles(tokenForClaims)
-		if err != nil && len(t.allowedRolesAndGroups) > 0 {
-			t.logger.Errorf("Failed to extract groups and roles: %v", err)
-			// Reset redirect count to prevent loops when claim extraction fails
-			session.ResetRedirectCount()
-			t.defaultInitiateAuthentication(rw, req, session, redirectURL)
-			return
-		} else if err == nil {
+		if err == nil {
 			if len(groups) > 0 {
 				req.Header.Set("X-User-Groups", strings.Join(groups, ","))
 			}
@@ -374,51 +502,53 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 			}
 		}
 		if !allowed {
-			t.logger.Infof("User with email %s does not have any allowed roles or groups", email)
+			t.logger.Infof("User %s does not have any allowed roles or groups", userIdentifier)
 			errorMsg := fmt.Sprintf("Access denied: You do not have any of the allowed roles or groups. To log out, visit: %s", t.logoutURLPath)
 			t.sendErrorResponse(rw, req, errorMsg, http.StatusForbidden)
 			return
 		}
 	}
 
-	req.Header.Set("X-Forwarded-User", email)
+	req.Header.Set("X-Forwarded-User", userIdentifier)
 
 	// When minimalHeaders is enabled, skip extra headers to prevent 431 errors
 	if !t.minimalHeaders {
 		req.Header.Set("X-Auth-Request-Redirect", req.URL.RequestURI())
-		req.Header.Set("X-Auth-Request-User", email)
-		if idToken := session.GetIDToken(); idToken != "" {
+		req.Header.Set("X-Auth-Request-User", userIdentifier)
+		if idToken != "" {
 			req.Header.Set("X-Auth-Request-Token", idToken)
 		}
 	}
 
 	if len(t.headerTemplates) > 0 {
-		claims, err := t.extractClaimsFunc(session.GetIDToken())
-		if err != nil {
-			t.logger.Errorf("Failed to extract claims from ID Token for template headers: %v", err)
+		if idClaimsErr != nil {
+			t.logger.Errorf("Failed to extract claims from ID Token for template headers: %v", idClaimsErr)
 		} else {
+			// idClaims may be nil when no ID token is present; templates
+			// referencing .Claims.* will simply produce empty values, which
+			// matches the prior behavior.
 			templateData := map[string]interface{}{
 				"AccessToken":  session.GetAccessToken(),
-				"IDToken":      session.GetIDToken(),
+				"IDToken":      idToken,
 				"RefreshToken": session.GetRefreshToken(),
-				"Claims":       claims,
+				"Claims":       idClaims,
 			}
 
 			for headerName, tmpl := range t.headerTemplates {
 				var buf bytes.Buffer
-
 				if err := tmpl.Execute(&buf, templateData); err != nil {
 					t.logger.Errorf("Failed to execute template for header %s: %v", headerName, err)
 					continue
 				}
 				headerValue := buf.String()
-
 				req.Header.Set(headerName, headerValue)
-
 				t.logger.Debugf("Set templated header %s = %s", headerName, headerValue)
 			}
-			session.MarkDirty()
-			t.logger.Debugf("Session marked dirty after templated header processing.")
+			// NOTE: templates only mutate request headers (not session state),
+			// so we deliberately do NOT MarkDirty / Save here. Previously every
+			// authenticated request with header templates re-encrypted and
+			// rewrote all session cookies, which was a measurable CPU and
+			// Set-Cookie tax on dashboards that poll many panels per second.
 		}
 	}
 
@@ -441,7 +571,23 @@ func (t *TraefikOidc) processAuthorizedRequest(rw http.ResponseWriter, req *http
 		rw.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 	}
 
-	t.logger.Debugf("Request authorized for user %s, forwarding to next handler", email)
+	// Strip OIDC session cookies before forwarding to the backend to prevent
+	// HTTP 431 "Request Header Fields Too Large" errors (GitHub issue #122).
+	if t.stripAuthCookies {
+		prefix := t.sessionManager.GetCookiePrefix()
+		filtered := make([]*http.Cookie, 0, len(req.Cookies()))
+		for _, c := range req.Cookies() {
+			if !strings.HasPrefix(c.Name, prefix) {
+				filtered = append(filtered, c)
+			}
+		}
+		req.Header.Del("Cookie")
+		for _, c := range filtered {
+			req.AddCookie(c)
+		}
+	}
+
+	t.logger.Debugf("Request authorized for user %s, forwarding to next handler", userIdentifier)
 
 	t.next.ServeHTTP(rw, req)
 }

middleware_edge_cases_test.go

@@ -161,7 +161,7 @@ func TestMiddlewareDomainRestrictions(t *testing.T) {
 		// Create authenticated session
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
-		session.SetEmail("user@example.com")
+		session.SetUserIdentifier("user@example.com")
 		session.SetAuthenticated(true)
 		session.SetIDToken("dummy-token")
 		session.Save(req, httptest.NewRecorder())
@@ -203,7 +203,7 @@ func TestMiddlewareDomainRestrictions(t *testing.T) {
 		// Create session with forbidden domain
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
-		session.SetEmail("user@forbidden.com")
+		session.SetUserIdentifier("user@forbidden.com")
 		session.SetAuthenticated(true)
 
 		// Save and inject cookies
@@ -252,7 +252,7 @@ func TestMiddlewareOpaqueTokenHandling(t *testing.T) {
 	// Create session with opaque token
 	req := httptest.NewRequest("GET", "/api/test", nil)
 	session, _ := sessionManager.GetSession(req)
-	session.SetEmail("user@example.com")
+	session.SetUserIdentifier("user@example.com")
 	session.SetAccessToken("sk_live_abcdefghijklmnopqrstuvwxyz")  // Opaque token (no dots)
 	session.SetAuthenticated(true)
 
@@ -291,7 +291,7 @@ func TestMiddlewareProcessAuthorizedRequestEdgeCases(t *testing.T) {
 
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
-		session.SetEmail("") // No email
+		session.SetUserIdentifier("") // No email
 		session.SetIDToken("dummy-token")
 
 		rw := httptest.NewRecorder()
@@ -321,7 +321,7 @@ func TestMiddlewareProcessAuthorizedRequestEdgeCases(t *testing.T) {
 
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
-		session.SetEmail("user@example.com")
+		session.SetUserIdentifier("user@example.com")
 		session.SetIDToken("")     // No ID token
 		session.SetAccessToken("") // No access token
 
@@ -349,7 +349,7 @@ func TestMiddlewareProcessAuthorizedRequestEdgeCases(t *testing.T) {
 
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
-		session.SetEmail("user@example.com")
+		session.SetUserIdentifier("user@example.com")
 		session.SetIDToken("dummy-token")
 
 		rw := httptest.NewRecorder()
@@ -383,7 +383,7 @@ func TestMiddlewareProcessAuthorizedRequestEdgeCases(t *testing.T) {
 		req := httptest.NewRequest("GET", "/api/test", nil)
 		session, _ := sessionManager.GetSession(req)
 		testEmail := "user@example.com"
-		session.SetEmail(testEmail)
+		session.SetUserIdentifier(testEmail)
 		session.SetIDToken("dummy-id-token")
 
 		rw := httptest.NewRecorder()

refresh_coordinator.go

@@ -18,7 +18,6 @@ type RefreshCoordinator struct {
 	inFlightRefreshes      map[string]*refreshOperation
 	cleanupTimers          map[string]*time.Timer
 	sessionRefreshAttempts map[string]*refreshAttemptTracker
-	delayedCleanupQueue    chan delayedCleanupItem
 	circuitBreaker         *RefreshCircuitBreaker
 	metrics                *RefreshMetrics
 	logger                 *Logger
@@ -107,12 +106,6 @@ type RefreshMetrics struct {
 	currentInFlightRefreshes int32
 }
 
-// delayedCleanupItem represents an item scheduled for delayed cleanup
-type delayedCleanupItem struct {
-	cleanupAt time.Time
-	tokenHash string
-}
-
 // RefreshCircuitBreaker implements a circuit breaker specifically for refresh operations
 type RefreshCircuitBreaker struct {
 	lastFailureTime time.Time
@@ -143,7 +136,6 @@ func NewRefreshCoordinator(config RefreshCoordinatorConfig, logger *Logger) *Ref
 		metrics:                &RefreshMetrics{},
 		logger:                 logger,
 		stopChan:               make(chan struct{}),
-		delayedCleanupQueue:    make(chan delayedCleanupItem, 1000), // Buffered channel for cleanup items
 		cleanupTimers:          make(map[string]*time.Timer),
 		circuitBreaker: &RefreshCircuitBreaker{
 			config: RefreshCircuitBreakerConfig{
@@ -158,10 +150,6 @@ func NewRefreshCoordinator(config RefreshCoordinatorConfig, logger *Logger) *Ref
 	rc.wg.Add(1)
 	go rc.cleanupRoutine()
 
-	// Start delayed cleanup processor (single goroutine processes all cleanup timers)
-	rc.wg.Add(1)
-	go rc.processDelayedCleanups()
-
 	return rc
 }
 
@@ -377,35 +365,19 @@ func (rc *RefreshCoordinator) scheduleDelayedCleanup(tokenHash string) {
 	rc.cleanupTimerMu.Unlock()
 }
 
-// performCleanup removes the operation from the in-flight map
+// performCleanup removes the operation from the in-flight map.
+// Idempotent: only decrements the in-flight counter if an entry was actually
+// removed. This guards against any future path accidentally calling cleanup
+// twice for the same tokenHash (which would corrupt the refresh budget).
 func (rc *RefreshCoordinator) performCleanup(tokenHash string) {
 	rc.refreshMutex.Lock()
-	delete(rc.inFlightRefreshes, tokenHash)
+	_, existed := rc.inFlightRefreshes[tokenHash]
+	if existed {
+		delete(rc.inFlightRefreshes, tokenHash)
+	}
 	rc.refreshMutex.Unlock()
-	atomic.AddInt32(&rc.metrics.currentInFlightRefreshes, -1)
-}
-
-// processDelayedCleanups processes delayed cleanup requests from the queue
-// This is a single goroutine that handles all delayed cleanups
-func (rc *RefreshCoordinator) processDelayedCleanups() {
-	defer rc.wg.Done()
-
-	for {
-		select {
-		case item := <-rc.delayedCleanupQueue:
-			// Wait until cleanup time
-			waitDuration := time.Until(item.cleanupAt)
-			if waitDuration > 0 {
-				select {
-				case <-time.After(waitDuration):
-				case <-rc.stopChan:
-					return
-				}
-			}
-			rc.performCleanup(item.tokenHash)
-		case <-rc.stopChan:
-			return
-		}
+	if existed {
+		atomic.AddInt32(&rc.metrics.currentInFlightRefreshes, -1)
 	}
 }
 
@@ -494,15 +466,33 @@ func (rc *RefreshCoordinator) recordRefreshFailure(sessionID string) {
 
 // hashRefreshToken creates a hash of the refresh token for deduplication
 func (rc *RefreshCoordinator) hashRefreshToken(token string) string {
+	return refreshCoordinatorSessionID(token)
+}
+
+// refreshCoordinatorSessionID derives a stable identifier from a refresh token
+// for both deduplication and per-session attempt tracking. Using sha256 of the
+// raw token means each rotation produces a fresh sessionID with its own attempt
+// budget, which is what we want.
+func refreshCoordinatorSessionID(token string) string {
 	hash := sha256.Sum256([]byte(token))
 	return hex.EncodeToString(hash[:])
 }
 
-// isUnderMemoryPressure checks if the system is under memory pressure
+// refreshCoordinatorWaitTimeout caps how long a request may wait for a
+// coordinated refresh result. It is wider than RefreshTimeout so a follower
+// always sees the leader's result instead of timing out independently.
+const refreshCoordinatorWaitTimeout = 35 * time.Second
+
+// isUnderMemoryPressure checks if the system is under memory pressure by
+// consulting the global memory monitor. Returns true when pressure reaches
+// High or Critical, at which point we refuse new refresh operations to
+// avoid aggravating an already-stressed heap.
 func (rc *RefreshCoordinator) isUnderMemoryPressure() bool {
-	// This is a simplified check - in production you'd want to use runtime.MemStats
-	// or system-specific memory monitoring
-	return false // Placeholder - implement actual memory check
+	monitor := GetGlobalMemoryMonitor()
+	if monitor == nil {
+		return false
+	}
+	return monitor.GetMemoryPressure() >= MemoryPressureHigh
 }
 
 // cleanupRoutine periodically cleans up stale tracking entries

refresh_coordinator_wireup_test.go

@@ -0,0 +1,164 @@
+package traefikoidc
+
+import (
+	"context"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+// stubTokenExchanger lets us count how many upstream refresh-token grants
+// happen for a given refresh_token across concurrent middleware-level calls.
+type stubTokenExchanger struct {
+	calls int32
+	delay time.Duration
+	resp  *TokenResponse
+}
+
+func (s *stubTokenExchanger) ExchangeCodeForToken(_ context.Context, _, _, _, _ string) (*TokenResponse, error) {
+	return nil, nil
+}
+
+func (s *stubTokenExchanger) GetNewTokenWithRefreshToken(_ string) (*TokenResponse, error) {
+	atomic.AddInt32(&s.calls, 1)
+	if s.delay > 0 {
+		time.Sleep(s.delay)
+	}
+	return s.resp, nil
+}
+
+func (s *stubTokenExchanger) RevokeTokenWithProvider(_, _ string) error {
+	return nil
+}
+
+// TestCoordinatedTokenRefresh_SingleUpstreamCall verifies the wireup: many
+// concurrent calls to coordinatedTokenRefresh with the same refresh token
+// must collapse to a single tokenExchanger.GetNewTokenWithRefreshToken call.
+//
+// Without the wireup this assertion fails (one upstream call per goroutine).
+func TestCoordinatedTokenRefresh_SingleUpstreamCall(t *testing.T) {
+	stub := &stubTokenExchanger{
+		delay: 100 * time.Millisecond,
+		resp: &TokenResponse{
+			AccessToken:  "new_access",
+			RefreshToken: "new_refresh",
+			IDToken:      "new_id",
+			ExpiresIn:    3600,
+		},
+	}
+
+	logger := NewLogger("error")
+	cfg := DefaultRefreshCoordinatorConfig()
+	cfg.MaxRefreshAttempts = 10000
+	cfg.MaxConcurrentRefreshes = 32
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(cfg, logger),
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	const concurrency = 50
+	var wg sync.WaitGroup
+	wg.Add(concurrency)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	start := make(chan struct{})
+
+	for i := 0; i < concurrency; i++ {
+		go func() {
+			defer wg.Done()
+			<-start
+			resp, err := oidc.coordinatedTokenRefresh(req, "shared_refresh_token")
+			if err != nil {
+				t.Errorf("unexpected error: %v", err)
+				return
+			}
+			if resp == nil || resp.AccessToken != "new_access" {
+				t.Errorf("unexpected response: %+v", resp)
+			}
+		}()
+	}
+
+	close(start)
+	wg.Wait()
+
+	got := atomic.LoadInt32(&stub.calls)
+	// Up to 2 is acceptable to absorb the documented timing slack in the
+	// existing coordinator tests (e.g. operation just cleaned up before a
+	// late goroutine reads the in-flight map). Anything beyond that means
+	// coalescing is broken.
+	if got > 2 {
+		t.Fatalf("expected <=2 upstream refresh calls, got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_FallsBackWithoutCoordinator verifies the nil
+// coordinator path so existing tests that build TraefikOidc literals stay
+// green.
+func TestCoordinatedTokenRefresh_FallsBackWithoutCoordinator(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "ok"},
+	}
+
+	oidc := &TraefikOidc{
+		logger:         NewLogger("error"),
+		tokenExchanger: stub,
+		// refreshCoordinator deliberately nil
+	}
+
+	resp, err := oidc.coordinatedTokenRefresh(nil, "rt")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "ok" {
+		t.Fatalf("unexpected response: %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 1 {
+		t.Fatalf("expected exactly 1 upstream call, got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_DistinctTokensRunInParallel verifies that
+// distinct refresh tokens are not falsely coalesced.
+func TestCoordinatedTokenRefresh_DistinctTokensRunInParallel(t *testing.T) {
+	stub := &stubTokenExchanger{
+		delay: 20 * time.Millisecond,
+		resp:  &TokenResponse{AccessToken: "ok"},
+	}
+
+	logger := NewLogger("error")
+	cfg := DefaultRefreshCoordinatorConfig()
+	cfg.MaxRefreshAttempts = 10000
+	cfg.MaxConcurrentRefreshes = 32
+	cfg.DeduplicationCleanupDelay = 0
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(cfg, logger),
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	const distinct = 8
+	var wg sync.WaitGroup
+	wg.Add(distinct)
+	for i := 0; i < distinct; i++ {
+		i := i
+		go func() {
+			defer wg.Done()
+			_, err := oidc.coordinatedTokenRefresh(nil, refreshCoordinatorSessionID(string(rune('a'+i))))
+			if err != nil {
+				t.Errorf("unexpected error: %v", err)
+			}
+		}()
+	}
+	wg.Wait()
+
+	if got := atomic.LoadInt32(&stub.calls); int(got) != distinct {
+		t.Fatalf("expected %d distinct upstream calls, got %d", distinct, got)
+	}
+}

refresh_distributed_test.go

@@ -0,0 +1,186 @@
+package traefikoidc
+
+import (
+	"context"
+	"errors"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+// inMemoryCache is the smallest CacheInterface that satisfies the cross-
+// replica dedup contract: Set/Get with TTL. Used in place of the universal
+// cache singleton so these tests stay hermetic.
+type inMemoryCache struct {
+	entries map[string]inMemoryCacheEntry
+	mu      sync.Mutex
+}
+
+type inMemoryCacheEntry struct {
+	expiresAt time.Time
+	value     interface{}
+}
+
+func newInMemoryCache() *inMemoryCache {
+	return &inMemoryCache{entries: make(map[string]inMemoryCacheEntry)}
+}
+
+func (c *inMemoryCache) Set(key string, value any, ttl time.Duration) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.entries[key] = inMemoryCacheEntry{value: value, expiresAt: time.Now().Add(ttl)}
+}
+
+func (c *inMemoryCache) Get(key string) (any, bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	e, ok := c.entries[key]
+	if !ok {
+		return nil, false
+	}
+	if time.Now().After(e.expiresAt) {
+		delete(c.entries, key)
+		return nil, false
+	}
+	return e.value, true
+}
+
+func (c *inMemoryCache) Delete(key string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.entries, key)
+}
+
+func (c *inMemoryCache) SetMaxSize(int) {}
+func (c *inMemoryCache) Cleanup()       {}
+func (c *inMemoryCache) Close()         {}
+func (c *inMemoryCache) Size() int {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return len(c.entries)
+}
+func (c *inMemoryCache) Clear() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.entries = map[string]inMemoryCacheEntry{}
+}
+func (c *inMemoryCache) GetStats() map[string]any { return map[string]any{} }
+
+// erroringTokenExchanger always errors - simulates an IdP rejection.
+type erroringTokenExchanger struct {
+	calls int32
+}
+
+func (e *erroringTokenExchanger) ExchangeCodeForToken(_ context.Context, _, _, _, _ string) (*TokenResponse, error) {
+	return nil, errors.New("not used")
+}
+
+func (e *erroringTokenExchanger) GetNewTokenWithRefreshToken(_ string) (*TokenResponse, error) {
+	atomic.AddInt32(&e.calls, 1)
+	return nil, errors.New("invalid_grant")
+}
+
+func (e *erroringTokenExchanger) RevokeTokenWithProvider(_, _ string) error { return nil }
+
+// TestCoordinatedTokenRefresh_CrossReplicaCacheHit simulates a peer Traefik
+// replica having just refreshed: the shared cache already has the result, so
+// this pod must reuse it without ever calling the IdP.
+func TestCoordinatedTokenRefresh_CrossReplicaCacheHit(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "should_not_be_called"},
+	}
+
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+	preExisting := &TokenResponse{
+		AccessToken:  "from_peer",
+		RefreshToken: "rotated_by_peer",
+		IDToken:      "id_from_peer",
+	}
+	rt := "shared_refresh_token"
+	cache.Set(refreshResultCacheKey(refreshCoordinatorSessionID(rt)), preExisting, refreshResultCacheTTL)
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	resp, err := oidc.coordinatedTokenRefresh(httptest.NewRequest("GET", "/", nil), rt)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "from_peer" {
+		t.Fatalf("expected peer-provided response, got %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 0 {
+		t.Fatalf("expected 0 upstream calls (peer already refreshed), got %d", got)
+	}
+}
+
+// TestCoordinatedTokenRefresh_PopulatesCrossReplicaCache verifies that on a
+// cache miss the leader stores its result for peers to find within the TTL.
+func TestCoordinatedTokenRefresh_PopulatesCrossReplicaCache(t *testing.T) {
+	stub := &stubTokenExchanger{
+		resp: &TokenResponse{AccessToken: "fresh_grant"},
+	}
+
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     stub,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	rt := "fresh_refresh_token"
+	resp, err := oidc.coordinatedTokenRefresh(nil, rt)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp == nil || resp.AccessToken != "fresh_grant" {
+		t.Fatalf("unexpected response: %+v", resp)
+	}
+	if got := atomic.LoadInt32(&stub.calls); got != 1 {
+		t.Fatalf("expected 1 upstream call, got %d", got)
+	}
+
+	v, ok := cache.Get(refreshResultCacheKey(refreshCoordinatorSessionID(rt)))
+	if !ok {
+		t.Fatal("expected refresh result to be cached after upstream success")
+	}
+	if tr, ok := v.(*TokenResponse); !ok || tr.AccessToken != "fresh_grant" {
+		t.Fatalf("cached value malformed: %+v", v)
+	}
+}
+
+// TestCoordinatedTokenRefresh_ErrorIsNotCached makes sure we don't poison the
+// dedup cache when the IdP rejects the grant. Peers must run their own
+// refresh; they cannot inherit an error.
+func TestCoordinatedTokenRefresh_ErrorIsNotCached(t *testing.T) {
+	failing := &erroringTokenExchanger{}
+	logger := NewLogger("error")
+	cache := newInMemoryCache()
+
+	oidc := &TraefikOidc{
+		logger:             logger,
+		tokenExchanger:     failing,
+		refreshCoordinator: NewRefreshCoordinator(DefaultRefreshCoordinatorConfig(), logger),
+		refreshResultCache: cache,
+	}
+	defer oidc.refreshCoordinator.Shutdown()
+
+	if _, err := oidc.coordinatedTokenRefresh(nil, "doomed_refresh_token"); err == nil {
+		t.Fatal("expected an error from the failing exchanger")
+	}
+	if cache.Size() != 0 {
+		t.Fatalf("error result must not be cached, size=%d", cache.Size())
+	}
+}

refresh_token_expiry_test.go

@@ -0,0 +1,68 @@
+package traefikoidc
+
+import (
+	"testing"
+	"time"
+
+	"github.com/gorilla/sessions"
+)
+
+// sessionWithIssuedAt builds the smallest SessionData that GetRefreshTokenIssuedAt
+// reads from. We can't reuse sessionPool.Get() here because that requires a
+// fully initialized SessionManager - overkill for this unit-level check.
+func sessionWithIssuedAt(t *testing.T, issuedAt time.Time) *SessionData {
+	t.Helper()
+	rs := sessions.NewSession(nil, "refresh")
+	if !issuedAt.IsZero() {
+		rs.Values["issued_at"] = issuedAt.Unix()
+	}
+	return &SessionData{
+		refreshSession:     rs,
+		accessTokenChunks:  make(map[int]*sessions.Session),
+		refreshTokenChunks: make(map[int]*sessions.Session),
+		idTokenChunks:      make(map[int]*sessions.Session),
+	}
+}
+
+func TestIsRefreshTokenExpired_DisabledWhenAgeZero(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 0}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-30*24*time.Hour))
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false when maxRefreshTokenAge is 0")
+	}
+}
+
+func TestIsRefreshTokenExpired_LegacySessionWithoutTimestamp(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: time.Hour}
+	sd := sessionWithIssuedAt(t, time.Time{}) // no issued_at value
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false when issued_at missing (legacy session)")
+	}
+}
+
+func TestIsRefreshTokenExpired_WithinWindow(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 6 * time.Hour}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-1*time.Hour))
+	if tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=false within max age")
+	}
+}
+
+func TestIsRefreshTokenExpired_BeyondWindow(t *testing.T) {
+	tr := &TraefikOidc{maxRefreshTokenAge: 6 * time.Hour}
+	sd := sessionWithIssuedAt(t, time.Now().Add(-7*time.Hour))
+	if !tr.isRefreshTokenExpired(sd) {
+		t.Fatal("expected isRefreshTokenExpired=true beyond max age")
+	}
+}
+
+func TestIsRefreshTokenExpired_NilGuards(t *testing.T) {
+	var tr *TraefikOidc
+	if tr.isRefreshTokenExpired(nil) {
+		t.Fatal("nil receiver must not panic and must return false")
+	}
+	tr = &TraefikOidc{maxRefreshTokenAge: time.Hour}
+	if tr.isRefreshTokenExpired(nil) {
+		t.Fatal("nil session must return false")
+	}
+}

regression/regression_test.go

@@ -129,7 +129,7 @@ func testIssue53ReverseProxyHTTPS(t *testing.T) {
 
 	// Simulate successful Azure authentication
 	session.SetAuthenticated(true)
-	session.SetEmail("user@example.com")
+	session.SetUserIdentifier("user@example.com")
 	// Azure may use opaque access tokens
 	session.SetAccessToken("opaque-azure-access-token")
 	session.SetIDToken("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ") // trufflehog:ignore
@@ -152,7 +152,7 @@ func testIssue53ReverseProxyHTTPS(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.True(t, session2.GetAuthenticated(), "User should remain authenticated")
-	assert.Equal(t, "user@example.com", session2.GetEmail())
+	assert.Equal(t, "user@example.com", session2.GetUserIdentifier())
 	assert.NotEmpty(t, session2.GetAccessToken(), "Access token should persist")
 	assert.NotEmpty(t, session2.GetIDToken(), "ID token should persist")
 	assert.NotEmpty(t, session2.GetRefreshToken(), "Refresh token should persist")

security_edge_cases_test.go

@@ -485,7 +485,7 @@ func TestSessionFixationAttack(t *testing.T) {
 
 	// Set up the attacker's session with malicious data
 	attackerSession.SetAuthenticated(true)
-	attackerSession.SetEmail("attacker@evil.com")
+	attackerSession.SetUserIdentifier("attacker@evil.com")
 	attackerSession.SetIDToken(ValidIDToken)
 	attackerSession.SetAccessToken(ValidAccessToken)
 
@@ -512,7 +512,7 @@ func TestSessionFixationAttack(t *testing.T) {
 		}
 
 		// Get the email from the session
-		email := session.GetEmail()
+		email := session.GetUserIdentifier()
 		w.Header().Set("X-User-Email", email)
 		w.WriteHeader(http.StatusOK)
 	})

session.go

@@ -100,7 +100,7 @@ type combinedSessionPayload struct {
 	A  string                 `json:"a,omitempty"`
 	R  string                 `json:"r,omitempty"`
 	I  string                 `json:"i,omitempty"`
-	E  string                 `json:"e,omitempty"`
+	Ui string                 `json:"ui,omitempty"`
 	Cs string                 `json:"cs,omitempty"`
 	N  string                 `json:"n,omitempty"`
 	Cv string                 `json:"cv,omitempty"`
@@ -113,11 +113,11 @@ type combinedSessionPayload struct {
 // knownSessionKeys are the standard keys that are handled explicitly in the combined payload.
 // All other mainSession.Values keys are stored in the X (extra) field.
 var knownSessionKeys = map[string]bool{
-	"access_token":   true,
-	"refresh_token":  true,
-	"id_token":       true,
-	"email":          true,
-	"authenticated":  true,
+	"access_token":    true,
+	"refresh_token":   true,
+	"id_token":        true,
+	"user_identifier": true,
+	"authenticated":   true,
 	"csrf":           true,
 	"nonce":          true,
 	"code_verifier":  true,
@@ -500,6 +500,11 @@ func (sm *SessionManager) combinedChunkCookieName(chunkIndex int) string {
 	return fmt.Sprintf("%s_%d", sm.combinedCookieName(), chunkIndex)
 }
 
+// GetCookiePrefix returns the cookie prefix used for all OIDC session cookies.
+func (sm *SessionManager) GetCookiePrefix() string {
+	return sm.cookiePrefix
+}
+
 // Shutdown gracefully shuts down the SessionManager and all its background tasks
 func (sm *SessionManager) Shutdown() error {
 	var shutdownErr error
@@ -1129,7 +1134,7 @@ func (sm *SessionManager) loadFromCombinedCookies(r *http.Request, sessionData *
 	sessionData.idTokenSession, _ = sm.store.Get(r, sm.idTokenCookieName())
 
 	// Populate legacy session values from combined payload
-	sessionData.mainSession.Values["email"] = payload.E
+	sessionData.mainSession.Values["user_identifier"] = payload.Ui
 	sessionData.mainSession.Values["authenticated"] = payload.Au
 	sessionData.mainSession.Values["csrf"] = payload.Cs
 	sessionData.mainSession.Values["nonce"] = payload.N
@@ -1211,6 +1216,18 @@ type SessionData struct {
 	dirty bool
 
 	inUse bool
+
+	// cachedClaimsToken is the ID token string whose claims were last parsed and
+	// cached. A lazy, per-request cache to avoid re-parsing the JWT on every
+	// authenticated request (e.g. for headerTemplates). Protected by sessionMutex.
+	cachedClaimsToken string
+
+	// cachedClaims holds the parsed claims for cachedClaimsToken.
+	cachedClaims map[string]interface{}
+
+	// cachedClaimsErr holds the parse error (if any) for cachedClaimsToken so
+	// failures are not retried within the same request.
+	cachedClaimsErr error
 }
 
 // IsDirty returns true if the session data has been modified since it was last loaded or saved.
@@ -1261,7 +1278,7 @@ func (sd *SessionData) saveCombined(r *http.Request, w http.ResponseWriter, opti
 		A:  sd.getAccessTokenUnsafe(),
 		R:  sd.getRefreshTokenUnsafe(),
 		I:  sd.getIDTokenUnsafe(),
-		E:  sd.getEmailUnsafe(),
+		Ui: sd.getUserIdentifierUnsafe(),
 		Au: sd.getAuthenticatedUnsafe(),
 		Cs: sd.getCSRFUnsafe(),
 		N:  sd.getNonceUnsafe(),
@@ -1548,9 +1565,10 @@ func (sd *SessionData) Clear(r *http.Request, w http.ResponseWriter) error {
 	}()
 
 	sd.sessionMutex.Lock()
-	defer sd.sessionMutex.Unlock()
-
 	sd.clearAllSessionData(r, true)
+	
+	// Release the lock before calling Save to prevent deadlock
+	sd.sessionMutex.Unlock()
 
 	// This is primarily for testing - in production w will often be nil
 	var err error
@@ -1731,6 +1749,12 @@ func (sd *SessionData) Reset() {
 	sd.request = nil
 	sd.useCombinedStorage = true // Reset to use combined storage by default
 
+	// Drop any cached claims so pooled SessionData does not leak claim data
+	// between requests/users.
+	sd.cachedClaimsToken = ""
+	sd.cachedClaims = nil
+	sd.cachedClaimsErr = nil
+
 	// Reset the refresh mutex to ensure clean state
 	// Note: We don't need to lock it since sessionMutex is already held
 	// and this session is not in use by any request
@@ -2445,30 +2469,30 @@ func (sd *SessionData) SetCodeVerifier(codeVerifier string) {
 	}
 }
 
-// GetEmail retrieves the authenticated user's email address.
-// The email is extracted from ID token claims and used for
-// authorization decisions and header injection.
+// GetUserIdentifier retrieves the authenticated user's identifier as extracted
+// from the configured userIdentifierClaim of the ID token (email, sub, oid,
+// upn, preferred_username, etc.). The value is used for authorization
+// decisions and header injection.
 // Returns:
-//   - The user's email address string, or an empty string if not set.
-func (sd *SessionData) GetEmail() string {
+//   - The user identifier string, or an empty string if not set.
+func (sd *SessionData) GetUserIdentifier() string {
 	sd.sessionMutex.RLock()
 	defer sd.sessionMutex.RUnlock()
 
-	email, _ := sd.mainSession.Values["email"].(string)
-	return email
+	userIdentifier, _ := sd.mainSession.Values["user_identifier"].(string)
+	return userIdentifier
 }
 
-// SetEmail stores the authenticated user's email address.
-// The email is typically extracted from the 'email' claim in the ID token.
+// SetUserIdentifier stores the authenticated user's identifier value.
 // Parameters:
-//   - email: The user's email address to store.
-func (sd *SessionData) SetEmail(email string) {
+//   - userIdentifier: The user identifier to store (email, sub, or other claim value).
+func (sd *SessionData) SetUserIdentifier(userIdentifier string) {
 	sd.sessionMutex.Lock()
 	defer sd.sessionMutex.Unlock()
 
-	currentVal, _ := sd.mainSession.Values["email"].(string)
-	if currentVal != email {
-		sd.mainSession.Values["email"] = email
+	currentVal, _ := sd.mainSession.Values["user_identifier"].(string)
+	if currentVal != userIdentifier {
+		sd.mainSession.Values["user_identifier"] = userIdentifier
 		sd.dirty = true
 	}
 }
@@ -2508,6 +2532,41 @@ func (sd *SessionData) GetIDToken() string {
 	return sd.getIDTokenUnsafe()
 }
 
+// GetIDTokenClaims returns claims parsed from the current ID token, caching
+// the result on the SessionData so repeated callers within the same request
+// do not re-parse the JWT. The cache is keyed on the ID token string and is
+// cleared when the SessionData is reset (see Reset) or when the ID token
+// changes (e.g. after a refresh).
+//
+// The parser parameter is typically the TraefikOidc.extractClaimsFunc, which
+// lets tests inject mocks just like the direct call it replaces.
+//
+// Returns an empty claims map and a nil error when the session has no ID
+// token, matching the existing "no-op" behavior of the caller sites.
+func (sd *SessionData) GetIDTokenClaims(parser func(string) (map[string]interface{}, error)) (map[string]interface{}, error) {
+	sd.sessionMutex.Lock()
+	defer sd.sessionMutex.Unlock()
+
+	token := sd.getIDTokenUnsafe()
+	if token == "" {
+		// Invalidate any stale cache without running the parser.
+		sd.cachedClaimsToken = ""
+		sd.cachedClaims = nil
+		sd.cachedClaimsErr = nil
+		return nil, nil
+	}
+
+	if sd.cachedClaimsToken == token && (sd.cachedClaims != nil || sd.cachedClaimsErr != nil) {
+		return sd.cachedClaims, sd.cachedClaimsErr
+	}
+
+	claims, err := parser(token)
+	sd.cachedClaimsToken = token
+	sd.cachedClaims = claims
+	sd.cachedClaimsErr = err
+	return claims, err
+}
+
 // getIDTokenUnsafe retrieves the ID token without acquiring locks.
 // Enhanced ID token retrieval with comprehensive integrity checks and chunking support.
 // Used when the session mutex is already held to prevent deadlocks.
@@ -2567,10 +2626,10 @@ func (sd *SessionData) getRefreshTokenUnsafe() string {
 	return result.Token
 }
 
-// getEmailUnsafe retrieves the email without acquiring locks.
-func (sd *SessionData) getEmailUnsafe() string {
-	email, _ := sd.mainSession.Values["email"].(string)
-	return email
+// getUserIdentifierUnsafe retrieves the user identifier without acquiring locks.
+func (sd *SessionData) getUserIdentifierUnsafe() string {
+	userIdentifier, _ := sd.mainSession.Values["user_identifier"].(string)
+	return userIdentifier
 }
 
 // getCSRFUnsafe retrieves the CSRF token without acquiring locks.

session_behaviour_test.go

@@ -320,17 +320,16 @@ func (s *SessionBehaviourSuite) TestSessionData_DirtyTracking() {
 	s.False(session.IsDirty())
 }
 
-// TestSessionData_SetEmail tests email setter with dirty tracking
-func (s *SessionBehaviourSuite) TestSessionData_SetEmail() {
+// TestSessionData_SetUserIdentifier tests user identifier setter with dirty tracking
+func (s *SessionBehaviourSuite) TestSessionData_SetUserIdentifier() {
 	req := httptest.NewRequest(http.MethodGet, "/test", nil)
 
 	session, err := s.sessionManager.GetSession(req)
 	s.Require().NoError(err)
 	defer session.returnToPoolSafely()
 
-	// Set email
-	session.SetEmail("test@example.com")
-	s.Equal("test@example.com", session.GetEmail())
+	session.SetUserIdentifier("test@example.com")
+	s.Equal("test@example.com", session.GetUserIdentifier())
 	s.True(session.IsDirty())
 }
 
@@ -568,7 +567,7 @@ func (s *SessionBehaviourSuite) TestSessionData_Clear() {
 	// Set some data
 	err = session.SetAuthenticated(true)
 	s.Require().NoError(err)
-	session.SetEmail("test@example.com")
+	session.SetUserIdentifier("test@example.com")
 	session.SetCSRF("csrf-token")
 
 	// Clear session
@@ -588,7 +587,7 @@ func (s *SessionBehaviourSuite) TestSessionData_Save() {
 	defer session.returnToPoolSafely()
 
 	// Modify session
-	session.SetEmail("test@example.com")
+	session.SetUserIdentifier("test@example.com")
 	s.True(session.IsDirty())
 
 	// Save session

session_test.go

@@ -2688,7 +2688,7 @@ func TestSessionStatePreservationWithExpiredTokens(t *testing.T) {
 
 	// Set up initial session state (what user has when first logging in)
 	session1.SetAuthenticated(true)
-	session1.SetEmail(originalUserData["email"].(string))
+	session1.SetUserIdentifier(originalUserData["email"].(string))
 	session1.SetAccessToken("initial-valid-access-token-longer-than-20-chars")
 	session1.SetIDToken("initial-valid-id-token-longer-than-20-chars")
 	session1.SetRefreshToken("valid-refresh-token-should-last-30-days")
@@ -2732,7 +2732,7 @@ func TestSessionStatePreservationWithExpiredTokens(t *testing.T) {
 	// Simulate what happens when middleware detects expired tokens
 	// It should preserve session state while attempting token refresh
 	originalAuth := session2.GetAuthenticated()
-	originalEmail := session2.GetEmail()
+	originalEmail := session2.GetUserIdentifier()
 
 	// Reconstruct user data from individual stored keys
 	originalUserDataStored := make(map[string]interface{})
@@ -2813,7 +2813,7 @@ func TestSessionStatePreservationWithExpiredTokens(t *testing.T) {
 
 	// Verify all session data is still intact after token refresh
 	postRefreshAuth := session2.GetAuthenticated()
-	postRefreshEmail := session2.GetEmail()
+	postRefreshEmail := session2.GetUserIdentifier()
 	userDataPresent := true
 	for k := range originalUserData {
 		if session2.mainSession.Values["user_data_"+k] == nil {
@@ -2907,7 +2907,7 @@ func TestSessionExpiryVsTokenExpiry(t *testing.T) {
 
 			// Set up session with specific creation time
 			session.SetAuthenticated(true)
-			session.SetEmail("test@example.com")
+			session.SetUserIdentifier("test@example.com")
 			session.mainSession.Values["created_at"] = sessionCreatedAt.Unix()
 
 			// Create tokens with specific expiry
@@ -3018,7 +3018,7 @@ func TestSessionCleanupOnTokenExpiry(t *testing.T) {
 
 			// Set up session with data that should be preserved or removed
 			session.SetAuthenticated(true)
-			session.SetEmail("cleanup@example.com")
+			session.SetUserIdentifier("cleanup@example.com")
 
 			session.mainSession.Values["user_data"] = "Test User|user-123"
 			session.mainSession.Values["preferences"] = "theme:dark,lang:en"
@@ -3049,7 +3049,7 @@ func TestSessionCleanupOnTokenExpiry(t *testing.T) {
 			if scenario.shouldCleanup {
 				if sessionTooOld {
 					session.SetAuthenticated(false)
-					session.SetEmail("")
+					session.SetUserIdentifier("")
 					session.SetAccessToken("")
 					session.SetRefreshToken("")
 					for key := range session.mainSession.Values {

settings.go

@@ -1,6 +1,7 @@
 package traefikoidc
 
 import (
+	"crypto/x509"
 	"fmt"
 	"io"
 	"log"
@@ -54,6 +55,15 @@ type Config struct {
 	AllowedUsers              []string                         `json:"allowedUsers"`
 	Headers                   []TemplatedHeader                `json:"headers"`
 	RefreshGracePeriodSeconds int                              `json:"refreshGracePeriodSeconds"`
+	// MaxRefreshTokenAgeSeconds is a heuristic upper bound on the lifetime of
+	// a stored refresh token. Once the token has been in the session longer
+	// than this, requests treat it as expired up-front - returning 401 to
+	// AJAX callers and triggering full re-auth on navigations - instead of
+	// hammering the IdP with grants that will only fail with invalid_grant.
+	// IdPs do not expose RT TTL on the wire, so this is intentionally a
+	// conservative heuristic; tune to match your provider configuration.
+	// Default 21600 (6h). Set to 0 to disable the check.
+	MaxRefreshTokenAgeSeconds int                              `json:"maxRefreshTokenAgeSeconds"`
 	SessionMaxAge             int                              `json:"sessionMaxAge"`
 	RateLimit                 int                              `json:"rateLimit"`
 	OverrideScopes            bool                             `json:"overrideScopes"`
@@ -65,10 +75,51 @@ type Config struct {
 	ForceHTTPS                bool                             `json:"forceHTTPS"`
 	AllowPrivateIPAddresses   bool                             `json:"allowPrivateIPAddresses,omitempty"`
 	MinimalHeaders            bool                             `json:"minimalHeaders,omitempty"`
+	StripAuthCookies          bool                             `json:"stripAuthCookies,omitempty"`
 	EnableBackchannelLogout   bool                             `json:"enableBackchannelLogout,omitempty"`
 	EnableFrontchannelLogout  bool                             `json:"enableFrontchannelLogout,omitempty"`
 	BackchannelLogoutURL      string                           `json:"backchannelLogoutURL,omitempty"`
 	FrontchannelLogoutURL     string                           `json:"frontchannelLogoutURL,omitempty"`
+	// CACertPath is an optional filesystem path to a PEM-encoded CA bundle used
+	// to verify the OIDC provider's TLS certificate. Use this when the provider
+	// is signed by an internal/private CA that is not in the system trust store.
+	CACertPath string `json:"caCertPath,omitempty"`
+	// CACertPEM is an optional inline PEM-encoded CA bundle, equivalent to
+	// CACertPath but supplied directly in the middleware configuration. Both
+	// may be set; certificates from both sources are combined.
+	CACertPEM string `json:"caCertPEM,omitempty"`
+	// InsecureSkipVerify disables TLS certificate verification for the OIDC
+	// provider. Intended ONLY for local development against self-signed
+	// providers. Enabling this in production is a security hole — prefer
+	// CACertPath/CACertPEM. Emits a loud warning at startup.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+}
+
+// loadCACertPool assembles an x509.CertPool from CACertPath and CACertPEM.
+// Returns (nil, nil) when neither is configured — callers should fall back to
+// the system trust store. Returns a descriptive error if a PEM source is
+// configured but contains no parseable certificates, so misconfigurations
+// surface at startup rather than as unexplained TLS failures at runtime.
+func (c *Config) loadCACertPool() (*x509.CertPool, error) {
+	if c.CACertPath == "" && c.CACertPEM == "" {
+		return nil, nil
+	}
+	pool := x509.NewCertPool()
+	if c.CACertPath != "" {
+		data, err := os.ReadFile(c.CACertPath)
+		if err != nil {
+			return nil, fmt.Errorf("read caCertPath %q: %w", c.CACertPath, err)
+		}
+		if !pool.AppendCertsFromPEM(data) {
+			return nil, fmt.Errorf("caCertPath %q: no valid PEM certificates found", c.CACertPath)
+		}
+	}
+	if c.CACertPEM != "" {
+		if !pool.AppendCertsFromPEM([]byte(c.CACertPEM)) {
+			return nil, fmt.Errorf("caCertPEM: no valid PEM certificates found")
+		}
+	}
+	return pool, nil
 }
 
 // RedisConfig configures Redis cache backend settings for distributed caching.
@@ -205,6 +256,7 @@ func CreateConfig() *Config {
 		EnablePKCE:                false, // PKCE is opt-in
 		OverrideScopes:            false, // Default to appending scopes, not overriding
 		RefreshGracePeriodSeconds: 60,    // Default grace period of 60 seconds
+		MaxRefreshTokenAgeSeconds: 21600, // 6h - conservative heuristic, see field doc
 		SecurityHeaders:           createDefaultSecurityConfig(),
 		Redis:                     nil, // Redis is disabled by default, configure via Traefik or env vars
 	}
@@ -328,6 +380,11 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("refreshGracePeriodSeconds cannot be negative")
 	}
 
+	// Validate refresh-token max-age heuristic
+	if c.MaxRefreshTokenAgeSeconds < 0 {
+		return fmt.Errorf("maxRefreshTokenAgeSeconds cannot be negative")
+	}
+
 	// Validate audience if specified
 	if c.Audience != "" {
 		// Validate audience format - should be a valid identifier or URL
@@ -733,6 +790,16 @@ func (l *Logger) Errorf(format string, args ...interface{}) {
 	l.logError.Printf(format, args...)
 }
 
+// IsDebug reports whether debug-level logging is enabled.
+// Callers should use this to avoid expensive format-string expansion
+// (e.g. on hot paths under yaegi) when debug output would be discarded.
+func (l *Logger) IsDebug() bool {
+	if l == nil || l.logDebug == nil {
+		return false
+	}
+	return l.logDebug.Writer() != io.Discard
+}
+
 // newNoOpLogger creates a logger that discards all output.
 //
 // Deprecated: Use GetSingletonNoOpLogger() instead for better memory efficiency.

singleton_resources.go

@@ -548,17 +548,24 @@ func (gc *GenericCache) Delete(key string) {
 	delete(gc.data, key)
 }
 
-// cleanupRoutine periodically cleans up the cache
+// cleanupRoutine periodically wipes the cache.
+//
+// NOTE: GenericCache does not track per-entry timestamps, so this is a
+// "clear-all on tick" strategy — every `gc.ttl` interval the entire map
+// is replaced, regardless of when each entry was written. This is the
+// intentional (simplified) behavior of GenericCache, which exists mainly
+// as a generic fallback for tests and non-typed caches. Callers that
+// require true per-entry TTL must use UniversalCache / UnifiedCache which
+// track expiry per entry.
 func (gc *GenericCache) cleanupRoutine() {
-	ticker := time.NewTicker(gc.ttl)
-	defer ticker.Stop()
+	wipeTicker := time.NewTicker(gc.ttl)
+	defer wipeTicker.Stop()
 
 	for {
 		select {
-		case <-ticker.C:
+		case <-wipeTicker.C:
 			gc.mu.Lock()
-			// Simple cleanup - clear all data after TTL
-			// In production, you'd track individual entry TTLs
+			// Clear-all on tick, not per-entry TTL (see function doc).
 			gc.data = make(map[string]interface{})
 			gc.mu.Unlock()
 		case <-gc.stopChan:

test_framework_test.go

@@ -293,7 +293,7 @@ func (tf *TestFramework) CreateAuthenticatedRequest(method, path string) (*http.
 	}
 
 	session.SetAuthenticated(true)
-	session.SetEmail(tf.fixtures.UserEmail)
+	session.SetUserIdentifier(tf.fixtures.UserEmail)
 	session.SetAccessToken(tf.fixtures.AccessToken)
 	session.SetRefreshToken(tf.fixtures.RefreshToken)
 	session.SetIDToken(tf.GenerateJWT(tf.fixtures.Claims))

token_manager.go

@@ -11,6 +11,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"runtime"
 	"strings"
 	"time"
 )
@@ -46,6 +47,17 @@ func (t *TraefikOidc) VerifyToken(token string) error {
 		}
 	}
 
+	// Hot-path fast-return: a previously-verified token has already passed
+	// signature, claims, and replay checks. Skipping the parseJWT cost here
+	// matters under bursty traffic (e.g. 10+ concurrent panel requests on
+	// every Grafana dashboard refresh) where the same token is validated
+	// dozens of times per second by validateStandardTokens.
+	if t.tokenCache != nil {
+		if claims, exists := t.tokenCache.Get(token); exists && len(claims) > 0 {
+			return nil
+		}
+	}
+
 	parsedJWT, parseErr := parseJWT(token)
 	if parseErr != nil {
 		return fmt.Errorf("failed to parse JWT for blacklist check: %w", parseErr)
@@ -63,12 +75,6 @@ func (t *TraefikOidc) VerifyToken(token string) error {
 		}
 	}
 
-	// Check token cache FIRST - if token is already verified and cached, return immediately
-	// This prevents false positives when multiple goroutines validate the same token concurrently
-	if claims, exists := t.tokenCache.Get(token); exists && len(claims) > 0 {
-		return nil
-	}
-
 	// Only check JTI blacklist for tokens that aren't already in the cache
 	// This is for FIRST-TIME validation to detect replay attacks
 	if jti, ok := parsedJWT.Claims["jti"].(string); ok && jti != "" {
@@ -315,15 +321,6 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 	jwksURL := t.jwksURL
 	t.metadataMu.RUnlock()
 
-	jwks, err := t.jwkCache.GetJWKS(context.Background(), jwksURL, t.httpClient)
-	if err != nil {
-		return fmt.Errorf("failed to get JWKS: %w", err)
-	}
-
-	if !t.suppressDiagnosticLogs && jwks != nil {
-		t.safeLogDebugf("DIAGNOSTIC: Retrieved JWKS with %d keys from URL: %s", len(jwks.Keys), jwksURL)
-	}
-
 	kid, ok := jwt.Header["kid"].(string)
 	if !ok {
 		return fmt.Errorf("missing key ID in token header")
@@ -337,38 +334,12 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 		t.safeLogDebugf("DIAGNOSTIC: Looking for kid=%s, alg=%s in JWKS", kid, alg)
 	}
 
-	if jwks == nil {
-		return fmt.Errorf("JWKS is nil, cannot verify token")
-	}
-
-	// Find the matching key in JWKS
-	var matchingKey *JWK
-	availableKids := make([]string, 0, len(jwks.Keys))
-	for _, key := range jwks.Keys {
-		availableKids = append(availableKids, key.Kid)
-		if key.Kid == kid {
-			matchingKey = &key
-			break
-		}
-	}
-
-	if matchingKey == nil {
-		if !t.suppressDiagnosticLogs {
-			t.safeLogErrorf("DIAGNOSTIC: No matching key found for kid=%s. Available kids: %v", kid, availableKids)
-		}
-		return fmt.Errorf("no matching public key found for kid: %s", kid)
-	}
-
-	if !t.suppressDiagnosticLogs {
-		t.safeLogDebugf("DIAGNOSTIC: Found matching key for kid=%s, key type: %s", kid, matchingKey.Kty)
-	}
-
-	publicKeyPEM, err := jwkToPEM(matchingKey)
+	pubKey, err := t.jwkCache.GetPublicKey(context.Background(), jwksURL, kid, t.httpClient)
 	if err != nil {
-		return fmt.Errorf("failed to convert JWK to PEM: %w", err)
+		return fmt.Errorf("failed to get public key: %w", err)
 	}
 
-	if err := verifySignature(token, publicKeyPEM, alg); err != nil {
+	if err := verifySignatureWithKey(token, pubKey, alg); err != nil {
 		if !t.suppressDiagnosticLogs {
 			t.safeLogErrorf("DIAGNOSTIC: Signature verification failed for kid=%s, alg=%s: %v", kid, alg, err)
 		}
@@ -451,7 +422,7 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 	}
 	t.logger.Debugf("Attempting refresh with token starting with %s...", tokenPrefix)
 
-	newToken, err := t.tokenExchanger.GetNewTokenWithRefreshToken(initialRefreshToken)
+	newToken, err := t.coordinatedTokenRefresh(req, initialRefreshToken)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "invalid_grant") || strings.Contains(errMsg, "token expired") {
@@ -463,7 +434,7 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 			session.SetRefreshToken("")
 			session.SetAccessToken("")
 			session.SetIDToken("")
-			session.SetEmail("")
+			session.SetUserIdentifier("")
 			// Clear CSRF tokens as well to prevent any replay attacks
 			session.SetCSRF("")
 			session.SetNonce("")
@@ -505,12 +476,18 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 		t.logger.Errorf("refreshToken failed: Failed to extract claims from refreshed token: %v", err)
 		return false
 	}
-	email, _ := claims["email"].(string)
-	if email == "" {
-		t.logger.Errorf("refreshToken failed: Email claim missing or empty in refreshed token")
-		return false
+	userIdentifier, _ := claims[t.userIdentifierClaim].(string)
+	if userIdentifier == "" {
+		if t.userIdentifierClaim != "sub" {
+			userIdentifier, _ = claims["sub"].(string)
+		}
+		if userIdentifier == "" {
+			t.logger.Errorf("refreshToken failed: User identifier claim '%s' missing or empty in refreshed token", t.userIdentifierClaim)
+			return false
+		}
+		t.logger.Debugf("Configured claim '%s' not found in refreshed token, using 'sub' claim as fallback", t.userIdentifierClaim)
 	}
-	session.SetEmail(email)
+	session.SetUserIdentifier(userIdentifier)
 
 	// Get token expiry information for logging
 	var expiryTime time.Time
@@ -536,7 +513,7 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 		session.SetAccessToken("")
 		session.SetIDToken("")
 		session.SetRefreshToken("")
-		session.SetEmail("")
+		session.SetUserIdentifier("")
 		return false
 	}
 
@@ -553,6 +530,91 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 	return true
 }
 
+// coordinatedTokenRefresh routes a refresh-token grant through the
+// RefreshCoordinator so that concurrent requests sharing the same refresh
+// token coalesce into a single upstream call. This prevents the thundering
+// herd that yields invalid_grant when the IdP rotates refresh tokens.
+//
+// Falls back to a direct call when the coordinator is nil, which only
+// happens in tests that build TraefikOidc literals without going through
+// NewWithContext.
+func (t *TraefikOidc) coordinatedTokenRefresh(req *http.Request, refreshToken string) (*TokenResponse, error) {
+	if t.refreshCoordinator == nil {
+		return t.tokenExchanger.GetNewTokenWithRefreshToken(refreshToken)
+	}
+
+	parentCtx := context.Background()
+	if req != nil {
+		parentCtx = req.Context()
+	}
+	ctx, cancel := context.WithTimeout(parentCtx, refreshCoordinatorWaitTimeout)
+	defer cancel()
+
+	sessionID := refreshCoordinatorSessionID(refreshToken)
+
+	return t.refreshCoordinator.CoordinateRefresh(
+		ctx,
+		sessionID,
+		refreshToken,
+		func() (*TokenResponse, error) {
+			// Cross-replica dedup. The in-process coordinator already
+			// collapses concurrent grants on this pod; this Redis-backed
+			// short-TTL cache covers the (rare) case of a failover or
+			// load-balancer reroute mid-refresh, where two pods would
+			// otherwise both POST the same refresh_token to the IdP.
+			if cached, ok := t.lookupCachedRefreshResult(sessionID); ok {
+				return cached, nil
+			}
+			resp, err := t.tokenExchanger.GetNewTokenWithRefreshToken(refreshToken)
+			if err == nil && resp != nil {
+				t.cacheRefreshResult(sessionID, resp)
+			}
+			return resp, err
+		},
+	)
+}
+
+// lookupCachedRefreshResult returns a previously-stored TokenResponse for the
+// given refresh-token hash, if one exists and is still within its short TTL.
+// The cache wraps the universal cache, which is Redis-backed in production -
+// so a "hit" here means another Traefik replica refreshed this same token
+// within the last few seconds.
+func (t *TraefikOidc) lookupCachedRefreshResult(sessionID string) (*TokenResponse, bool) {
+	if t.refreshResultCache == nil {
+		return nil, false
+	}
+	v, ok := t.refreshResultCache.Get(refreshResultCacheKey(sessionID))
+	if !ok || v == nil {
+		return nil, false
+	}
+	if tr, ok := v.(*TokenResponse); ok && tr != nil {
+		return tr, true
+	}
+	return nil, false
+}
+
+// cacheRefreshResult stores the new TokenResponse under the refresh-token
+// hash for a short window. TTL is intentionally tight: the rotated refresh
+// token cannot be re-presented to the IdP, and any peer waiting longer than
+// this window has almost certainly given up via its own coordinator timeout.
+func (t *TraefikOidc) cacheRefreshResult(sessionID string, resp *TokenResponse) {
+	if t.refreshResultCache == nil || resp == nil {
+		return
+	}
+	t.refreshResultCache.Set(refreshResultCacheKey(sessionID), resp, refreshResultCacheTTL)
+}
+
+// refreshResultCacheKey namespaces refresh-result entries inside the shared
+// cache namespace.
+func refreshResultCacheKey(sessionID string) string {
+	return "rt-result:" + sessionID
+}
+
+// refreshResultCacheTTL bounds how long a peer can lean on the dedup cache.
+// Long enough for a sibling replica to observe the result, short enough that
+// a stale entry never re-supplies a token after the IdP has already moved on.
+const refreshResultCacheTTL = 5 * time.Second
+
 // RevokeToken revokes a token locally by adding it to the blacklist cache.
 // It removes the token from the verification cache and adds both the token
 // and its JTI (if present) to the blacklist to prevent future use.
@@ -1138,9 +1200,14 @@ func (t *TraefikOidc) startTokenCleanup() {
 	sessionManager := t.sessionManager
 	logger := t.logger
 
+	// Only use the fast cleanup interval when actually running under `go test`.
+	// runtime.Compiler == "yaegi" makes isTestMode() return true in production
+	// (Traefik interprets the plugin via yaegi), which would otherwise pin this
+	// ticker to 20 Hz on a real cluster despite tokenCache.Cleanup and
+	// jwkCache.Cleanup both being no-ops there.
 	cleanupInterval := 1 * time.Minute
-	if isTestMode() {
-		cleanupInterval = 50 * time.Millisecond // Fast interval for tests
+	if isTestMode() && runtime.Compiler != "yaegi" {
+		cleanupInterval = 50 * time.Millisecond
 	}
 
 	// Create cleanup function
@@ -1182,25 +1249,27 @@ func (t *TraefikOidc) startTokenCleanup() {
 }
 
 // extractGroupsAndRoles extracts group and role information from token claims.
-// It parses the 'groups' and 'roles' claims from the ID token and validates their format.
-// Parameters:
-//   - idToken: The ID token containing claims to extract.
+// It parses the configured group/role claims from the supplied ID token.
 //
-// Returns:
-//   - groups: Array of group names from the 'groups' claim.
-//   - roles: Array of role names from the 'roles' claim.
-//   - An error if claim extraction fails or if the 'groups' or 'roles' claims are present
-//     but not arrays of strings.
+// Most callers should prefer extractGroupsAndRolesFromClaims when claims have
+// already been parsed for the request (e.g. via SessionData.GetIDTokenClaims),
+// to avoid re-parsing the JWT.
 func (t *TraefikOidc) extractGroupsAndRoles(idToken string) ([]string, []string, error) {
 	claims, err := t.extractClaimsFunc(idToken)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to extract claims: %w", err)
 	}
+	return t.extractGroupsAndRolesFromClaims(claims)
+}
 
+// extractGroupsAndRolesFromClaims extracts group and role information from
+// already-parsed claims. Hot path: callers that have a cached claims map (such
+// as SessionData.GetIDTokenClaims) should use this to skip a redundant
+// base64+JSON decode of the JWT on every authenticated request.
+func (t *TraefikOidc) extractGroupsAndRolesFromClaims(claims map[string]interface{}) ([]string, []string, error) {
 	var groups []string
 	var roles []string
 
-	// Extract groups using configurable claim name (defaults to "groups")
 	if groupsClaim, exists := claims[t.groupClaimName]; exists {
 		groupsSlice, ok := groupsClaim.([]interface{})
 		if !ok {
@@ -1216,7 +1285,6 @@ func (t *TraefikOidc) extractGroupsAndRoles(idToken string) ([]string, []string,
 		}
 	}
 
-	// Extract roles using configurable claim name (defaults to "roles")
 	if rolesClaim, exists := claims[t.roleClaimName]; exists {
 		rolesSlice, ok := rolesClaim.([]interface{})
 		if !ok {

types.go

@@ -95,6 +95,7 @@ type TraefikOidc struct {
 	cancelFunc                 context.CancelFunc
 	errorRecoveryManager       *ErrorRecoveryManager
 	tokenResilienceManager     *TokenResilienceManager
+	refreshCoordinator         *RefreshCoordinator
 	goroutineWG                *sync.WaitGroup
 	dcrConfig                  *DynamicClientRegistrationConfig
 	dynamicClientRegistrar     *DynamicClientRegistrar
@@ -124,12 +125,15 @@ type TraefikOidc struct {
 	scopesSupported            []string
 	scopes                     []string
 	refreshGracePeriod         time.Duration
+	maxRefreshTokenAge         time.Duration
 	metadataMu                 sync.RWMutex
 	shutdownOnce               sync.Once
 	metadataRetryMutex         sync.Mutex
 	firstRequestMutex          sync.Mutex
 	sessionInvalidationCache   CacheInterface
+	refreshResultCache         CacheInterface
 	minimalHeaders             bool
+	stripAuthCookies           bool
 	enableBackchannelLogout    bool
 	enableFrontchannelLogout   bool
 	firstRequestReceived       bool

universal_cache.go

@@ -306,8 +306,10 @@ func (c *UniversalCache) Set(key string, value interface{}, ttl time.Duration) e
 		c.currentMemory += size
 	}
 
-	c.logger.Debugf("UniversalCache[%s]: Set key=%s, ttl=%v, size=%d bytes",
-		c.config.Type, key, ttl, size)
+	if c.logger.IsDebug() {
+		c.logger.Debugf("UniversalCache[%s]: Set key=%s, ttl=%v, size=%d bytes",
+			c.config.Type, key, ttl, size)
+	}
 
 	return nil
 }
@@ -331,15 +333,41 @@ func (c *UniversalCache) Get(key string) (interface{}, bool) {
 				// Fall through to local cache
 			} else {
 				atomic.AddInt64(&c.hits, 1)
-				// Update local cache with backend value
-				go func() {
-					_ = c.updateLocalCache(key, value, c.config.DefaultTTL)
-				}()
+				// Update local cache with backend value synchronously.
+				// Under yaegi, goroutine spawn is 5-10x costlier than compiled Go,
+				// and this path fires per-request on cold local cache.
+				// updateLocalCache is cheap (map write under mutex).
+				_ = c.updateLocalCache(key, value, c.config.DefaultTTL)
 				return value, true
 			}
 		}
 	}
 
+	// Fast read path for caches whose eviction is dominated by TTL rather than
+	// access-recency (token, JWK, session). Holding only an RLock here lets all
+	// concurrent readers verify cached tokens in parallel — under yaegi the
+	// previous unconditional Lock serialized every JWT verify on a single
+	// mutex and pinned a CPU under load.
+	switch c.config.Type {
+	case CacheTypeToken, CacheTypeJWK, CacheTypeSession:
+		c.mu.RLock()
+		item, exists := c.items[key]
+		if !exists {
+			c.mu.RUnlock()
+			atomic.AddInt64(&c.misses, 1)
+			return nil, false
+		}
+		if !time.Now().After(item.ExpiresAt) {
+			value := item.Value
+			c.mu.RUnlock()
+			atomic.AddInt64(&c.hits, 1)
+			return value, true
+		}
+		c.mu.RUnlock()
+		// Expired — fall through to the write-locked slow path below to
+		// remove the entry under exclusive access.
+	}
+
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -540,7 +568,9 @@ func (c *UniversalCache) evictOldest() {
 		if item, exists := c.items[key]; exists {
 			c.removeItem(key, item)
 			atomic.AddInt64(&c.evictions, 1)
-			c.logger.Debugf("UniversalCache[%s]: Evicted key=%s", c.config.Type, key)
+			if c.logger.IsDebug() {
+				c.logger.Debugf("UniversalCache[%s]: Evicted key=%s", c.config.Type, key)
+			}
 		}
 	}
 }

universal_cache_singleton.go

@@ -23,6 +23,7 @@ type UniversalCacheManager struct {
 	metadataCache            *UniversalCache
 	dcrCredentialsCache      *UniversalCache // DCR credentials storage for distributed environments
 	sessionInvalidationCache *UniversalCache // Session invalidation cache for backchannel/front-channel logout
+	refreshResultCache       *UniversalCache // Short-lived cross-replica refresh-result dedup (paired with RefreshCoordinator)
 	logger                   *Logger
 	blacklistCache           *UniversalCache
 	cancel                   context.CancelFunc
@@ -181,6 +182,18 @@ func initializeDefaultCaches(manager *UniversalCacheManager, logger *Logger) {
 		Logger:          logger,
 		SkipAutoCleanup: true, // Managed cleanup
 	})
+
+	// Refresh-result cache: short-lived store keyed by sha256(refreshToken).
+	// In Redis-backed mode this gives cross-replica dedup of refresh grants;
+	// in memory-only mode it's effectively redundant with RefreshCoordinator
+	// but safe and cheap to keep.
+	manager.refreshResultCache = NewUniversalCache(UniversalCacheConfig{
+		Type:            CacheTypeToken,
+		MaxSize:         1000,
+		DefaultTTL:      5 * time.Second,
+		Logger:          logger,
+		SkipAutoCleanup: true, // Managed cleanup
+	})
 }
 
 // initializeCachesWithRedis initializes caches with Redis/Hybrid backends based on configuration
@@ -387,6 +400,21 @@ func initializeCachesWithRedis(manager *UniversalCacheManager, logger *Logger, r
 		createBackend("session_invalidation"),
 	)
 
+	// Refresh-result cache - shared via Redis so concurrent refreshes across
+	// Traefik replicas can dedup their grants. The 5s TTL is long enough for
+	// peers to observe a recent refresh and short enough that a stale entry
+	// can't be replayed against a now-rotated refresh token.
+	manager.refreshResultCache = NewUniversalCacheWithBackend(
+		UniversalCacheConfig{
+			Type:            CacheTypeToken,
+			MaxSize:         1000,
+			DefaultTTL:      5 * time.Second,
+			Logger:          logger,
+			SkipAutoCleanup: true, // Managed cleanup
+		},
+		createBackend("refresh_result"),
+	)
+
 	logger.Infof("Cache manager initialized with %s backend configuration", redisConfig.CacheMode)
 }
 
@@ -436,6 +464,7 @@ func (m *UniversalCacheManager) performConsolidatedCleanup() {
 		m.tokenTypeCache,
 		m.dcrCredentialsCache,
 		m.sessionInvalidationCache,
+		m.refreshResultCache,
 	}
 	m.mu.RUnlock()
 
@@ -498,6 +527,14 @@ func (m *UniversalCacheManager) GetSessionInvalidationCache() *UniversalCache {
 	return m.sessionInvalidationCache
 }
 
+// GetRefreshResultCache returns the short-lived refresh-result cache used to
+// coalesce refresh-token grants across Traefik replicas.
+func (m *UniversalCacheManager) GetRefreshResultCache() *UniversalCache {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.refreshResultCache
+}
+
 // GetDCRCredentialsCache returns the DCR credentials cache for distributed storage
 func (m *UniversalCacheManager) GetDCRCredentialsCache() *UniversalCache {
 	m.mu.RLock()
@@ -520,7 +557,7 @@ func (m *UniversalCacheManager) Close() error {
 
 	// Close all caches first (they won't close the shared backend)
 	for _, cache := range []*UniversalCache{
-		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache, m.sessionInvalidationCache,
+		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache, m.sessionInvalidationCache, m.refreshResultCache,
 	} {
 		if cache != nil {
 			_ = cache.Close() // Safe to ignore: best effort cache cleanup

utilities.go

@@ -250,6 +250,11 @@ func (t *TraefikOidc) Close() error {
 			t.safeLogDebug("metadataRefreshStopChan closed")
 		}
 
+		if t.refreshCoordinator != nil {
+			t.refreshCoordinator.Shutdown()
+			t.safeLogDebug("refreshCoordinator shut down")
+		}
+
 		if t.goroutineWG != nil {
 			done := make(chan struct{})
 			go func() {

vendor/github.com/alicebob/miniredis/v2/gopher-json/json.go

@@ -10,7 +10,7 @@ import (
 // Preload adds json to the given Lua state's package.preload table. After it
 // has been preloaded, it can be loaded using require:
 //
-//	local json = require("json")
+//  local json = require("json")
 func Preload(L *lua.LState) {
 	L.PreloadModule("json", Loader)
 }

vendor/github.com/davecgh/go-spew/spew/bypass.go

@@ -18,7 +18,6 @@
 // tag is deprecated and thus should not be used.
 // Go versions prior to 1.4 are disabled because they use a different layout
 // for interfaces which make the implementation of unsafeReflectValue more complex.
-//go:build !js && !appengine && !safe && !disableunsafe && go1.4
 // +build !js,!appengine,!safe,!disableunsafe,go1.4
 
 package spew

vendor/github.com/davecgh/go-spew/spew/bypasssafe.go

@@ -16,7 +16,6 @@
 // when the code is running on Google App Engine, compiled by GopherJS, or
 // "-tags safe" is added to the go build command line.  The "disableunsafe"
 // tag is deprecated and thus should not be used.
-//go:build js || appengine || safe || disableunsafe || !go1.4
 // +build js appengine safe disableunsafe !go1.4
 
 package spew

vendor/github.com/davecgh/go-spew/spew/config.go

@@ -254,15 +254,15 @@ pointer addresses used to indirect to the final value.  It provides the
 following features over the built-in printing facilities provided by the fmt
 package:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output
 
 The configuration options are controlled by modifying the public members
 of c.  See ConfigState for options documentation.
@@ -295,12 +295,12 @@ func (c *ConfigState) convertArgs(args []interface{}) (formatters []interface{})
 
 // NewDefaultConfig returns a ConfigState with the following default settings.
 //
-//	Indent: " "
-//	MaxDepth: 0
-//	DisableMethods: false
-//	DisablePointerMethods: false
-//	ContinueOnMethod: false
-//	SortKeys: false
+// 	Indent: " "
+// 	MaxDepth: 0
+// 	DisableMethods: false
+// 	DisablePointerMethods: false
+// 	ContinueOnMethod: false
+// 	SortKeys: false
 func NewDefaultConfig() *ConfigState {
 	return &ConfigState{Indent: " "}
 }

vendor/github.com/davecgh/go-spew/spew/doc.go

@@ -21,36 +21,35 @@ debugging.
 A quick overview of the additional features spew provides over the built-in
 printing facilities for Go data types are as follows:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output (only when using
-    Dump style)
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output (only when using
+	  Dump style)
 
 There are two different approaches spew allows for dumping Go data structures:
 
-  - Dump style which prints with newlines, customizable indentation,
-    and additional debug information such as types and all pointer addresses
-    used to indirect to the final value
-  - A custom Formatter interface that integrates cleanly with the standard fmt
-    package and replaces %v, %+v, %#v, and %#+v to provide inline printing
-    similar to the default %v while providing the additional functionality
-    outlined above and passing unsupported format verbs such as %x and %q
-    along to fmt
+	* Dump style which prints with newlines, customizable indentation,
+	  and additional debug information such as types and all pointer addresses
+	  used to indirect to the final value
+	* A custom Formatter interface that integrates cleanly with the standard fmt
+	  package and replaces %v, %+v, %#v, and %#+v to provide inline printing
+	  similar to the default %v while providing the additional functionality
+	  outlined above and passing unsupported format verbs such as %x and %q
+	  along to fmt
 
-# Quick Start
+Quick Start
 
 This section demonstrates how to quickly get started with spew.  See the
 sections below for further details on formatting and configuration options.
 
 To dump a variable with full newlines, indentation, type, and pointer
 information use Dump, Fdump, or Sdump:
-
 	spew.Dump(myVar1, myVar2, ...)
 	spew.Fdump(someWriter, myVar1, myVar2, ...)
 	str := spew.Sdump(myVar1, myVar2, ...)
@@ -59,13 +58,12 @@ Alternatively, if you would prefer to use format strings with a compacted inline
 printing style, use the convenience wrappers Printf, Fprintf, etc with
 %v (most compact), %+v (adds pointer addresses), %#v (adds types), or
 %#+v (adds types and pointer addresses):
-
 	spew.Printf("myVar1: %v -- myVar2: %+v", myVar1, myVar2)
 	spew.Printf("myVar3: %#v -- myVar4: %#+v", myVar3, myVar4)
 	spew.Fprintf(someWriter, "myVar1: %v -- myVar2: %+v", myVar1, myVar2)
 	spew.Fprintf(someWriter, "myVar3: %#v -- myVar4: %#+v", myVar3, myVar4)
 
-# Configuration Options
+Configuration Options
 
 Configuration of spew is handled by fields in the ConfigState type.  For
 convenience, all of the top-level functions use a global state available
@@ -76,52 +74,51 @@ equivalent to the top-level functions.  This allows concurrent configuration
 options.  See the ConfigState documentation for more details.
 
 The following configuration options are available:
+	* Indent
+		String to use for each indentation level for Dump functions.
+		It is a single space by default.  A popular alternative is "\t".
 
-  - Indent
-    String to use for each indentation level for Dump functions.
-    It is a single space by default.  A popular alternative is "\t".
+	* MaxDepth
+		Maximum number of levels to descend into nested data structures.
+		There is no limit by default.
 
-  - MaxDepth
-    Maximum number of levels to descend into nested data structures.
-    There is no limit by default.
+	* DisableMethods
+		Disables invocation of error and Stringer interface methods.
+		Method invocation is enabled by default.
 
-  - DisableMethods
-    Disables invocation of error and Stringer interface methods.
-    Method invocation is enabled by default.
+	* DisablePointerMethods
+		Disables invocation of error and Stringer interface methods on types
+		which only accept pointer receivers from non-pointer variables.
+		Pointer method invocation is enabled by default.
 
-  - DisablePointerMethods
-    Disables invocation of error and Stringer interface methods on types
-    which only accept pointer receivers from non-pointer variables.
-    Pointer method invocation is enabled by default.
+	* DisablePointerAddresses
+		DisablePointerAddresses specifies whether to disable the printing of
+		pointer addresses. This is useful when diffing data structures in tests.
 
-  - DisablePointerAddresses
-    DisablePointerAddresses specifies whether to disable the printing of
-    pointer addresses. This is useful when diffing data structures in tests.
+	* DisableCapacities
+		DisableCapacities specifies whether to disable the printing of
+		capacities for arrays, slices, maps and channels. This is useful when
+		diffing data structures in tests.
 
-  - DisableCapacities
-    DisableCapacities specifies whether to disable the printing of
-    capacities for arrays, slices, maps and channels. This is useful when
-    diffing data structures in tests.
+	* ContinueOnMethod
+		Enables recursion into types after invoking error and Stringer interface
+		methods. Recursion after method invocation is disabled by default.
 
-  - ContinueOnMethod
-    Enables recursion into types after invoking error and Stringer interface
-    methods. Recursion after method invocation is disabled by default.
+	* SortKeys
+		Specifies map keys should be sorted before being printed. Use
+		this to have a more deterministic, diffable output.  Note that
+		only native types (bool, int, uint, floats, uintptr and string)
+		and types which implement error or Stringer interfaces are
+		supported with other types sorted according to the
+		reflect.Value.String() output which guarantees display
+		stability.  Natural map order is used by default.
 
-  - SortKeys
-    Specifies map keys should be sorted before being printed. Use
-    this to have a more deterministic, diffable output.  Note that
-    only native types (bool, int, uint, floats, uintptr and string)
-    and types which implement error or Stringer interfaces are
-    supported with other types sorted according to the
-    reflect.Value.String() output which guarantees display
-    stability.  Natural map order is used by default.
+	* SpewKeys
+		Specifies that, as a last resort attempt, map keys should be
+		spewed to strings and sorted by those strings.  This is only
+		considered if SortKeys is true.
 
-  - SpewKeys
-    Specifies that, as a last resort attempt, map keys should be
-    spewed to strings and sorted by those strings.  This is only
-    considered if SortKeys is true.
-
-# Dump Usage
+Dump Usage
 
 Simply call spew.Dump with a list of variables you want to dump:
 
@@ -136,7 +133,7 @@ A third option is to call spew.Sdump to get the formatted output as a string:
 
 	str := spew.Sdump(myVar1, myVar2, ...)
 
-# Sample Dump Output
+Sample Dump Output
 
 See the Dump example for details on the setup of the types and variables being
 shown here.
@@ -153,14 +150,13 @@ shown here.
 
 Byte (and uint8) arrays and slices are displayed uniquely like the hexdump -C
 command as shown.
-
 	([]uint8) (len=32 cap=32) {
 	 00000000  11 12 13 14 15 16 17 18  19 1a 1b 1c 1d 1e 1f 20  |............... |
 	 00000010  21 22 23 24 25 26 27 28  29 2a 2b 2c 2d 2e 2f 30  |!"#$%&'()*+,-./0|
 	 00000020  31 32                                             |12|
 	}
 
-# Custom Formatter
+Custom Formatter
 
 Spew provides a custom formatter that implements the fmt.Formatter interface
 so that it integrates cleanly with standard fmt package printing functions. The
@@ -174,7 +170,7 @@ standard fmt package for formatting.  In addition, the custom formatter ignores
 the width and precision arguments (however they will still work on the format
 specifiers not handled by the custom formatter).
 
-# Custom Formatter Usage
+Custom Formatter Usage
 
 The simplest way to make use of the spew custom formatter is to call one of the
 convenience functions such as spew.Printf, spew.Println, or spew.Printf.  The
@@ -188,17 +184,15 @@ functions have syntax you are most likely already familiar with:
 
 See the Index for the full list convenience functions.
 
-# Sample Formatter Output
+Sample Formatter Output
 
 Double pointer to a uint8:
-
 	  %v: <**>5
 	 %+v: <**>(0xf8400420d0->0xf8400420c8)5
 	 %#v: (**uint8)5
 	%#+v: (**uint8)(0xf8400420d0->0xf8400420c8)5
 
 Pointer to circular struct with a uint8 field and a pointer to itself:
-
 	  %v: <*>{1 <*><shown>}
 	 %+v: <*>(0xf84003e260){ui8:1 c:<*>(0xf84003e260)<shown>}
 	 %#v: (*main.circular){ui8:(uint8)1 c:(*main.circular)<shown>}
@@ -207,7 +201,7 @@ Pointer to circular struct with a uint8 field and a pointer to itself:
 See the Printf example for details on the setup of variables being shown
 here.
 
-# Errors
+Errors
 
 Since it is possible for custom Stringer/error interfaces to panic, spew
 detects them and handles them internally by printing the panic information

vendor/github.com/davecgh/go-spew/spew/dump.go

@@ -488,15 +488,15 @@ pointer addresses used to indirect to the final value.  It provides the
 following features over the built-in printing facilities provided by the fmt
 package:
 
-  - Pointers are dereferenced and followed
-  - Circular data structures are detected and handled properly
-  - Custom Stringer/error interfaces are optionally invoked, including
-    on unexported types
-  - Custom types which only implement the Stringer/error interfaces via
-    a pointer receiver are optionally invoked when passing non-pointer
-    variables
-  - Byte arrays and slices are dumped like the hexdump -C command which
-    includes offsets, byte values in hex, and ASCII output
+	* Pointers are dereferenced and followed
+	* Circular data structures are detected and handled properly
+	* Custom Stringer/error interfaces are optionally invoked, including
+	  on unexported types
+	* Custom types which only implement the Stringer/error interfaces via
+	  a pointer receiver are optionally invoked when passing non-pointer
+	  variables
+	* Byte arrays and slices are dumped like the hexdump -C command which
+	  includes offsets, byte values in hex, and ASCII output
 
 The configuration options are controlled by an exported package global,
 spew.Config.  See ConfigState for options documentation.

vendor/github.com/google/uuid/CHANGELOG.md

@@ -1,41 +0,0 @@
-# Changelog
-
-## [1.6.0](https://github.com/google/uuid/compare/v1.5.0...v1.6.0) (2024-01-16)
-
-
-### Features
-
-* add Max UUID constant ([#149](https://github.com/google/uuid/issues/149)) ([c58770e](https://github.com/google/uuid/commit/c58770eb495f55fe2ced6284f93c5158a62e53e3))
-
-
-### Bug Fixes
-
-* fix typo in version 7 uuid documentation ([#153](https://github.com/google/uuid/issues/153)) ([016b199](https://github.com/google/uuid/commit/016b199544692f745ffc8867b914129ecb47ef06))
-* Monotonicity in UUIDv7 ([#150](https://github.com/google/uuid/issues/150)) ([a2b2b32](https://github.com/google/uuid/commit/a2b2b32373ff0b1a312b7fdf6d38a977099698a6))
-
-## [1.5.0](https://github.com/google/uuid/compare/v1.4.0...v1.5.0) (2023-12-12)
-
-
-### Features
-
-* Validate UUID without creating new UUID ([#141](https://github.com/google/uuid/issues/141)) ([9ee7366](https://github.com/google/uuid/commit/9ee7366e66c9ad96bab89139418a713dc584ae29))
-
-## [1.4.0](https://github.com/google/uuid/compare/v1.3.1...v1.4.0) (2023-10-26)
-
-
-### Features
-
-* UUIDs slice type with Strings() convenience method ([#133](https://github.com/google/uuid/issues/133)) ([cd5fbbd](https://github.com/google/uuid/commit/cd5fbbdd02f3e3467ac18940e07e062be1f864b4))
-
-### Fixes
-
-* Clarify that Parse's job is to parse but not necessarily validate strings. (Documents current behavior)
-
-## [1.3.1](https://github.com/google/uuid/compare/v1.3.0...v1.3.1) (2023-08-18)
-
-
-### Bug Fixes
-
-* Use .EqualFold() to parse urn prefixed UUIDs ([#118](https://github.com/google/uuid/issues/118)) ([574e687](https://github.com/google/uuid/commit/574e6874943741fb99d41764c705173ada5293f0))
-
-## Changelog

vendor/github.com/google/uuid/CONTRIBUTING.md

@@ -1,26 +0,0 @@
-# How to contribute
-
-We definitely welcome patches and contribution to this project!
-
-### Tips
-
-Commits must be formatted according to the [Conventional Commits Specification](https://www.conventionalcommits.org).
-
-Always try to include a test case! If it is not possible or not necessary,
-please explain why in the pull request description.
-
-### Releasing
-
-Commits that would precipitate a SemVer change, as described in the Conventional
-Commits Specification, will trigger [`release-please`](https://github.com/google-github-actions/release-please-action)
-to create a release candidate pull request. Once submitted, `release-please`
-will create a release.
-
-For tips on how to work with `release-please`, see its documentation.
-
-### Legal requirements
-
-In order to protect both you and ourselves, you will need to sign the
-[Contributor License Agreement](https://cla.developers.google.com/clas).
-
-You may have already signed it for other Google projects.

vendor/github.com/google/uuid/CONTRIBUTORS

@@ -1,9 +0,0 @@
-Paul Borman <borman@google.com>
-bmatsuo
-shawnps
-theory
-jboverfelt
-dsymonds
-cd1
-wallclockbuilder
-dansouza

vendor/github.com/google/uuid/LICENSE

@@ -1,27 +0,0 @@
-Copyright (c) 2009,2014 Google Inc. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/google/uuid/README.md

@@ -1,21 +0,0 @@
-# uuid
-The uuid package generates and inspects UUIDs based on
-[RFC 4122](https://datatracker.ietf.org/doc/html/rfc4122)
-and DCE 1.1: Authentication and Security Services. 
-
-This package is based on the github.com/pborman/uuid package (previously named
-code.google.com/p/go-uuid).  It differs from these earlier packages in that
-a UUID is a 16 byte array rather than a byte slice.  One loss due to this
-change is the ability to represent an invalid UUID (vs a NIL UUID).
-
-###### Install
-```sh
-go get github.com/google/uuid
-```
-
-###### Documentation 
-[![Go Reference](https://pkg.go.dev/badge/github.com/google/uuid.svg)](https://pkg.go.dev/github.com/google/uuid)
-
-Full `go doc` style documentation for the package can be viewed online without
-installing this package by using the GoDoc site here: 
-http://pkg.go.dev/github.com/google/uuid

vendor/github.com/google/uuid/dce.go

@@ -1,80 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-	"fmt"
-	"os"
-)
-
-// A Domain represents a Version 2 domain
-type Domain byte
-
-// Domain constants for DCE Security (Version 2) UUIDs.
-const (
-	Person = Domain(0)
-	Group  = Domain(1)
-	Org    = Domain(2)
-)
-
-// NewDCESecurity returns a DCE Security (Version 2) UUID.
-//
-// The domain should be one of Person, Group or Org.
-// On a POSIX system the id should be the users UID for the Person
-// domain and the users GID for the Group.  The meaning of id for
-// the domain Org or on non-POSIX systems is site defined.
-//
-// For a given domain/id pair the same token may be returned for up to
-// 7 minutes and 10 seconds.
-func NewDCESecurity(domain Domain, id uint32) (UUID, error) {
-	uuid, err := NewUUID()
-	if err == nil {
-		uuid[6] = (uuid[6] & 0x0f) | 0x20 // Version 2
-		uuid[9] = byte(domain)
-		binary.BigEndian.PutUint32(uuid[0:], id)
-	}
-	return uuid, err
-}
-
-// NewDCEPerson returns a DCE Security (Version 2) UUID in the person
-// domain with the id returned by os.Getuid.
-//
-//  NewDCESecurity(Person, uint32(os.Getuid()))
-func NewDCEPerson() (UUID, error) {
-	return NewDCESecurity(Person, uint32(os.Getuid()))
-}
-
-// NewDCEGroup returns a DCE Security (Version 2) UUID in the group
-// domain with the id returned by os.Getgid.
-//
-//  NewDCESecurity(Group, uint32(os.Getgid()))
-func NewDCEGroup() (UUID, error) {
-	return NewDCESecurity(Group, uint32(os.Getgid()))
-}
-
-// Domain returns the domain for a Version 2 UUID.  Domains are only defined
-// for Version 2 UUIDs.
-func (uuid UUID) Domain() Domain {
-	return Domain(uuid[9])
-}
-
-// ID returns the id for a Version 2 UUID. IDs are only defined for Version 2
-// UUIDs.
-func (uuid UUID) ID() uint32 {
-	return binary.BigEndian.Uint32(uuid[0:4])
-}
-
-func (d Domain) String() string {
-	switch d {
-	case Person:
-		return "Person"
-	case Group:
-		return "Group"
-	case Org:
-		return "Org"
-	}
-	return fmt.Sprintf("Domain%d", int(d))
-}

vendor/github.com/google/uuid/doc.go

@@ -1,12 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package uuid generates and inspects UUIDs.
-//
-// UUIDs are based on RFC 4122 and DCE 1.1: Authentication and Security
-// Services.
-//
-// A UUID is a 16 byte (128 bit) array.  UUIDs may be used as keys to
-// maps or compared directly.
-package uuid

vendor/github.com/google/uuid/hash.go

@@ -1,59 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"crypto/md5"
-	"crypto/sha1"
-	"hash"
-)
-
-// Well known namespace IDs and UUIDs
-var (
-	NameSpaceDNS  = Must(Parse("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceURL  = Must(Parse("6ba7b811-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceOID  = Must(Parse("6ba7b812-9dad-11d1-80b4-00c04fd430c8"))
-	NameSpaceX500 = Must(Parse("6ba7b814-9dad-11d1-80b4-00c04fd430c8"))
-	Nil           UUID // empty UUID, all zeros
-
-	// The Max UUID is special form of UUID that is specified to have all 128 bits set to 1.
-	Max = UUID{
-		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-	}
-)
-
-// NewHash returns a new UUID derived from the hash of space concatenated with
-// data generated by h.  The hash should be at least 16 byte in length.  The
-// first 16 bytes of the hash are used to form the UUID.  The version of the
-// UUID will be the lower 4 bits of version.  NewHash is used to implement
-// NewMD5 and NewSHA1.
-func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID {
-	h.Reset()
-	h.Write(space[:]) //nolint:errcheck
-	h.Write(data)     //nolint:errcheck
-	s := h.Sum(nil)
-	var uuid UUID
-	copy(uuid[:], s)
-	uuid[6] = (uuid[6] & 0x0f) | uint8((version&0xf)<<4)
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // RFC 4122 variant
-	return uuid
-}
-
-// NewMD5 returns a new MD5 (Version 3) UUID based on the
-// supplied name space and data.  It is the same as calling:
-//
-//  NewHash(md5.New(), space, data, 3)
-func NewMD5(space UUID, data []byte) UUID {
-	return NewHash(md5.New(), space, data, 3)
-}
-
-// NewSHA1 returns a new SHA1 (Version 5) UUID based on the
-// supplied name space and data.  It is the same as calling:
-//
-//  NewHash(sha1.New(), space, data, 5)
-func NewSHA1(space UUID, data []byte) UUID {
-	return NewHash(sha1.New(), space, data, 5)
-}

vendor/github.com/google/uuid/marshal.go

@@ -1,38 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "fmt"
-
-// MarshalText implements encoding.TextMarshaler.
-func (uuid UUID) MarshalText() ([]byte, error) {
-	var js [36]byte
-	encodeHex(js[:], uuid)
-	return js[:], nil
-}
-
-// UnmarshalText implements encoding.TextUnmarshaler.
-func (uuid *UUID) UnmarshalText(data []byte) error {
-	id, err := ParseBytes(data)
-	if err != nil {
-		return err
-	}
-	*uuid = id
-	return nil
-}
-
-// MarshalBinary implements encoding.BinaryMarshaler.
-func (uuid UUID) MarshalBinary() ([]byte, error) {
-	return uuid[:], nil
-}
-
-// UnmarshalBinary implements encoding.BinaryUnmarshaler.
-func (uuid *UUID) UnmarshalBinary(data []byte) error {
-	if len(data) != 16 {
-		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
-	}
-	copy(uuid[:], data)
-	return nil
-}

vendor/github.com/google/uuid/node.go

@@ -1,90 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"sync"
-)
-
-var (
-	nodeMu sync.Mutex
-	ifname string  // name of interface being used
-	nodeID [6]byte // hardware for version 1 UUIDs
-	zeroID [6]byte // nodeID with only 0's
-)
-
-// NodeInterface returns the name of the interface from which the NodeID was
-// derived.  The interface "user" is returned if the NodeID was set by
-// SetNodeID.
-func NodeInterface() string {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	return ifname
-}
-
-// SetNodeInterface selects the hardware address to be used for Version 1 UUIDs.
-// If name is "" then the first usable interface found will be used or a random
-// Node ID will be generated.  If a named interface cannot be found then false
-// is returned.
-//
-// SetNodeInterface never fails when name is "".
-func SetNodeInterface(name string) bool {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	return setNodeInterface(name)
-}
-
-func setNodeInterface(name string) bool {
-	iname, addr := getHardwareInterface(name) // null implementation for js
-	if iname != "" && addr != nil {
-		ifname = iname
-		copy(nodeID[:], addr)
-		return true
-	}
-
-	// We found no interfaces with a valid hardware address.  If name
-	// does not specify a specific interface generate a random Node ID
-	// (section 4.1.6)
-	if name == "" {
-		ifname = "random"
-		randomBits(nodeID[:])
-		return true
-	}
-	return false
-}
-
-// NodeID returns a slice of a copy of the current Node ID, setting the Node ID
-// if not already set.
-func NodeID() []byte {
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	nid := nodeID
-	return nid[:]
-}
-
-// SetNodeID sets the Node ID to be used for Version 1 UUIDs.  The first 6 bytes
-// of id are used.  If id is less than 6 bytes then false is returned and the
-// Node ID is not set.
-func SetNodeID(id []byte) bool {
-	if len(id) < 6 {
-		return false
-	}
-	defer nodeMu.Unlock()
-	nodeMu.Lock()
-	copy(nodeID[:], id)
-	ifname = "user"
-	return true
-}
-
-// NodeID returns the 6 byte node id encoded in uuid.  It returns nil if uuid is
-// not valid.  The NodeID is only well defined for version 1 and 2 UUIDs.
-func (uuid UUID) NodeID() []byte {
-	var node [6]byte
-	copy(node[:], uuid[10:])
-	return node[:]
-}

vendor/github.com/google/uuid/node_js.go

@@ -1,12 +0,0 @@
-// Copyright 2017 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build js
-
-package uuid
-
-// getHardwareInterface returns nil values for the JS version of the code.
-// This removes the "net" dependency, because it is not used in the browser.
-// Using the "net" library inflates the size of the transpiled JS code by 673k bytes.
-func getHardwareInterface(name string) (string, []byte) { return "", nil }

vendor/github.com/google/uuid/node_net.go

@@ -1,33 +0,0 @@
-// Copyright 2017 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !js
-
-package uuid
-
-import "net"
-
-var interfaces []net.Interface // cached list of interfaces
-
-// getHardwareInterface returns the name and hardware address of interface name.
-// If name is "" then the name and hardware address of one of the system's
-// interfaces is returned.  If no interfaces are found (name does not exist or
-// there are no interfaces) then "", nil is returned.
-//
-// Only addresses of at least 6 bytes are returned.
-func getHardwareInterface(name string) (string, []byte) {
-	if interfaces == nil {
-		var err error
-		interfaces, err = net.Interfaces()
-		if err != nil {
-			return "", nil
-		}
-	}
-	for _, ifs := range interfaces {
-		if len(ifs.HardwareAddr) >= 6 && (name == "" || name == ifs.Name) {
-			return ifs.Name, ifs.HardwareAddr
-		}
-	}
-	return "", nil
-}

vendor/github.com/google/uuid/null.go

@@ -1,118 +0,0 @@
-// Copyright 2021 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"bytes"
-	"database/sql/driver"
-	"encoding/json"
-	"fmt"
-)
-
-var jsonNull = []byte("null")
-
-// NullUUID represents a UUID that may be null.
-// NullUUID implements the SQL driver.Scanner interface so
-// it can be used as a scan destination:
-//
-//  var u uuid.NullUUID
-//  err := db.QueryRow("SELECT name FROM foo WHERE id=?", id).Scan(&u)
-//  ...
-//  if u.Valid {
-//     // use u.UUID
-//  } else {
-//     // NULL value
-//  }
-//
-type NullUUID struct {
-	UUID  UUID
-	Valid bool // Valid is true if UUID is not NULL
-}
-
-// Scan implements the SQL driver.Scanner interface.
-func (nu *NullUUID) Scan(value interface{}) error {
-	if value == nil {
-		nu.UUID, nu.Valid = Nil, false
-		return nil
-	}
-
-	err := nu.UUID.Scan(value)
-	if err != nil {
-		nu.Valid = false
-		return err
-	}
-
-	nu.Valid = true
-	return nil
-}
-
-// Value implements the driver Valuer interface.
-func (nu NullUUID) Value() (driver.Value, error) {
-	if !nu.Valid {
-		return nil, nil
-	}
-	// Delegate to UUID Value function
-	return nu.UUID.Value()
-}
-
-// MarshalBinary implements encoding.BinaryMarshaler.
-func (nu NullUUID) MarshalBinary() ([]byte, error) {
-	if nu.Valid {
-		return nu.UUID[:], nil
-	}
-
-	return []byte(nil), nil
-}
-
-// UnmarshalBinary implements encoding.BinaryUnmarshaler.
-func (nu *NullUUID) UnmarshalBinary(data []byte) error {
-	if len(data) != 16 {
-		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
-	}
-	copy(nu.UUID[:], data)
-	nu.Valid = true
-	return nil
-}
-
-// MarshalText implements encoding.TextMarshaler.
-func (nu NullUUID) MarshalText() ([]byte, error) {
-	if nu.Valid {
-		return nu.UUID.MarshalText()
-	}
-
-	return jsonNull, nil
-}
-
-// UnmarshalText implements encoding.TextUnmarshaler.
-func (nu *NullUUID) UnmarshalText(data []byte) error {
-	id, err := ParseBytes(data)
-	if err != nil {
-		nu.Valid = false
-		return err
-	}
-	nu.UUID = id
-	nu.Valid = true
-	return nil
-}
-
-// MarshalJSON implements json.Marshaler.
-func (nu NullUUID) MarshalJSON() ([]byte, error) {
-	if nu.Valid {
-		return json.Marshal(nu.UUID)
-	}
-
-	return jsonNull, nil
-}
-
-// UnmarshalJSON implements json.Unmarshaler.
-func (nu *NullUUID) UnmarshalJSON(data []byte) error {
-	if bytes.Equal(data, jsonNull) {
-		*nu = NullUUID{}
-		return nil // valid null UUID
-	}
-	err := json.Unmarshal(data, &nu.UUID)
-	nu.Valid = err == nil
-	return err
-}

vendor/github.com/google/uuid/sql.go

@@ -1,59 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"database/sql/driver"
-	"fmt"
-)
-
-// Scan implements sql.Scanner so UUIDs can be read from databases transparently.
-// Currently, database types that map to string and []byte are supported. Please
-// consult database-specific driver documentation for matching types.
-func (uuid *UUID) Scan(src interface{}) error {
-	switch src := src.(type) {
-	case nil:
-		return nil
-
-	case string:
-		// if an empty UUID comes from a table, we return a null UUID
-		if src == "" {
-			return nil
-		}
-
-		// see Parse for required string format
-		u, err := Parse(src)
-		if err != nil {
-			return fmt.Errorf("Scan: %v", err)
-		}
-
-		*uuid = u
-
-	case []byte:
-		// if an empty UUID comes from a table, we return a null UUID
-		if len(src) == 0 {
-			return nil
-		}
-
-		// assumes a simple slice of bytes if 16 bytes
-		// otherwise attempts to parse
-		if len(src) != 16 {
-			return uuid.Scan(string(src))
-		}
-		copy((*uuid)[:], src)
-
-	default:
-		return fmt.Errorf("Scan: unable to scan type %T into UUID", src)
-	}
-
-	return nil
-}
-
-// Value implements sql.Valuer so that UUIDs can be written to databases
-// transparently. Currently, UUIDs map to strings. Please consult
-// database-specific driver documentation for matching types.
-func (uuid UUID) Value() (driver.Value, error) {
-	return uuid.String(), nil
-}

vendor/github.com/google/uuid/time.go

@@ -1,134 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-	"sync"
-	"time"
-)
-
-// A Time represents a time as the number of 100's of nanoseconds since 15 Oct
-// 1582.
-type Time int64
-
-const (
-	lillian    = 2299160          // Julian day of 15 Oct 1582
-	unix       = 2440587          // Julian day of 1 Jan 1970
-	epoch      = unix - lillian   // Days between epochs
-	g1582      = epoch * 86400    // seconds between epochs
-	g1582ns100 = g1582 * 10000000 // 100s of a nanoseconds between epochs
-)
-
-var (
-	timeMu   sync.Mutex
-	lasttime uint64 // last time we returned
-	clockSeq uint16 // clock sequence for this run
-
-	timeNow = time.Now // for testing
-)
-
-// UnixTime converts t the number of seconds and nanoseconds using the Unix
-// epoch of 1 Jan 1970.
-func (t Time) UnixTime() (sec, nsec int64) {
-	sec = int64(t - g1582ns100)
-	nsec = (sec % 10000000) * 100
-	sec /= 10000000
-	return sec, nsec
-}
-
-// GetTime returns the current Time (100s of nanoseconds since 15 Oct 1582) and
-// clock sequence as well as adjusting the clock sequence as needed.  An error
-// is returned if the current time cannot be determined.
-func GetTime() (Time, uint16, error) {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	return getTime()
-}
-
-func getTime() (Time, uint16, error) {
-	t := timeNow()
-
-	// If we don't have a clock sequence already, set one.
-	if clockSeq == 0 {
-		setClockSequence(-1)
-	}
-	now := uint64(t.UnixNano()/100) + g1582ns100
-
-	// If time has gone backwards with this clock sequence then we
-	// increment the clock sequence
-	if now <= lasttime {
-		clockSeq = ((clockSeq + 1) & 0x3fff) | 0x8000
-	}
-	lasttime = now
-	return Time(now), clockSeq, nil
-}
-
-// ClockSequence returns the current clock sequence, generating one if not
-// already set.  The clock sequence is only used for Version 1 UUIDs.
-//
-// The uuid package does not use global static storage for the clock sequence or
-// the last time a UUID was generated.  Unless SetClockSequence is used, a new
-// random clock sequence is generated the first time a clock sequence is
-// requested by ClockSequence, GetTime, or NewUUID.  (section 4.2.1.1)
-func ClockSequence() int {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	return clockSequence()
-}
-
-func clockSequence() int {
-	if clockSeq == 0 {
-		setClockSequence(-1)
-	}
-	return int(clockSeq & 0x3fff)
-}
-
-// SetClockSequence sets the clock sequence to the lower 14 bits of seq.  Setting to
-// -1 causes a new sequence to be generated.
-func SetClockSequence(seq int) {
-	defer timeMu.Unlock()
-	timeMu.Lock()
-	setClockSequence(seq)
-}
-
-func setClockSequence(seq int) {
-	if seq == -1 {
-		var b [2]byte
-		randomBits(b[:]) // clock sequence
-		seq = int(b[0])<<8 | int(b[1])
-	}
-	oldSeq := clockSeq
-	clockSeq = uint16(seq&0x3fff) | 0x8000 // Set our variant
-	if oldSeq != clockSeq {
-		lasttime = 0
-	}
-}
-
-// Time returns the time in 100s of nanoseconds since 15 Oct 1582 encoded in
-// uuid.  The time is only defined for version 1, 2, 6 and 7 UUIDs.
-func (uuid UUID) Time() Time {
-	var t Time
-	switch uuid.Version() {
-	case 6:
-		time := binary.BigEndian.Uint64(uuid[:8]) // Ignore uuid[6] version b0110
-		t = Time(time)
-	case 7:
-		time := binary.BigEndian.Uint64(uuid[:8])
-		t = Time((time>>16)*10000 + g1582ns100)
-	default: // forward compatible
-		time := int64(binary.BigEndian.Uint32(uuid[0:4]))
-		time |= int64(binary.BigEndian.Uint16(uuid[4:6])) << 32
-		time |= int64(binary.BigEndian.Uint16(uuid[6:8])&0xfff) << 48
-		t = Time(time)
-	}
-	return t
-}
-
-// ClockSequence returns the clock sequence encoded in uuid.
-// The clock sequence is only well defined for version 1 and 2 UUIDs.
-func (uuid UUID) ClockSequence() int {
-	return int(binary.BigEndian.Uint16(uuid[8:10])) & 0x3fff
-}

vendor/github.com/google/uuid/util.go

@@ -1,43 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"io"
-)
-
-// randomBits completely fills slice b with random data.
-func randomBits(b []byte) {
-	if _, err := io.ReadFull(rander, b); err != nil {
-		panic(err.Error()) // rand should never fail
-	}
-}
-
-// xvalues returns the value of a byte as a hexadecimal digit or 255.
-var xvalues = [256]byte{
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255,
-	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-	255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-}
-
-// xtob converts hex characters x1 and x2 into a byte.
-func xtob(x1, x2 byte) (byte, bool) {
-	b1 := xvalues[x1]
-	b2 := xvalues[x2]
-	return (b1 << 4) | b2, b1 != 255 && b2 != 255
-}

vendor/github.com/google/uuid/uuid.go

@@ -1,365 +0,0 @@
-// Copyright 2018 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-	"sync"
-)
-
-// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
-// 4122.
-type UUID [16]byte
-
-// A Version represents a UUID's version.
-type Version byte
-
-// A Variant represents a UUID's variant.
-type Variant byte
-
-// Constants returned by Variant.
-const (
-	Invalid   = Variant(iota) // Invalid UUID
-	RFC4122                   // The variant specified in RFC4122
-	Reserved                  // Reserved, NCS backward compatibility.
-	Microsoft                 // Reserved, Microsoft Corporation backward compatibility.
-	Future                    // Reserved for future definition.
-)
-
-const randPoolSize = 16 * 16
-
-var (
-	rander      = rand.Reader // random function
-	poolEnabled = false
-	poolMu      sync.Mutex
-	poolPos     = randPoolSize     // protected with poolMu
-	pool        [randPoolSize]byte // protected with poolMu
-)
-
-type invalidLengthError struct{ len int }
-
-func (err invalidLengthError) Error() string {
-	return fmt.Sprintf("invalid UUID length: %d", err.len)
-}
-
-// IsInvalidLengthError is matcher function for custom error invalidLengthError
-func IsInvalidLengthError(err error) bool {
-	_, ok := err.(invalidLengthError)
-	return ok
-}
-
-// Parse decodes s into a UUID or returns an error if it cannot be parsed.  Both
-// the standard UUID forms defined in RFC 4122
-// (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and
-// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) are decoded.  In addition,
-// Parse accepts non-standard strings such as the raw hex encoding
-// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and 38 byte "Microsoft style" encodings,
-// e.g.  {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.  Only the middle 36 bytes are
-// examined in the latter case.  Parse should not be used to validate strings as
-// it parses non-standard encodings as indicated above.
-func Parse(s string) (UUID, error) {
-	var uuid UUID
-	switch len(s) {
-	// xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36:
-
-	// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36 + 9:
-		if !strings.EqualFold(s[:9], "urn:uuid:") {
-			return uuid, fmt.Errorf("invalid urn prefix: %q", s[:9])
-		}
-		s = s[9:]
-
-	// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-	case 36 + 2:
-		s = s[1:]
-
-	// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-	case 32:
-		var ok bool
-		for i := range uuid {
-			uuid[i], ok = xtob(s[i*2], s[i*2+1])
-			if !ok {
-				return uuid, errors.New("invalid UUID format")
-			}
-		}
-		return uuid, nil
-	default:
-		return uuid, invalidLengthError{len(s)}
-	}
-	// s is now at least 36 bytes long
-	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
-		return uuid, errors.New("invalid UUID format")
-	}
-	for i, x := range [16]int{
-		0, 2, 4, 6,
-		9, 11,
-		14, 16,
-		19, 21,
-		24, 26, 28, 30, 32, 34,
-	} {
-		v, ok := xtob(s[x], s[x+1])
-		if !ok {
-			return uuid, errors.New("invalid UUID format")
-		}
-		uuid[i] = v
-	}
-	return uuid, nil
-}
-
-// ParseBytes is like Parse, except it parses a byte slice instead of a string.
-func ParseBytes(b []byte) (UUID, error) {
-	var uuid UUID
-	switch len(b) {
-	case 36: // xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	case 36 + 9: // urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-		if !bytes.EqualFold(b[:9], []byte("urn:uuid:")) {
-			return uuid, fmt.Errorf("invalid urn prefix: %q", b[:9])
-		}
-		b = b[9:]
-	case 36 + 2: // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-		b = b[1:]
-	case 32: // xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-		var ok bool
-		for i := 0; i < 32; i += 2 {
-			uuid[i/2], ok = xtob(b[i], b[i+1])
-			if !ok {
-				return uuid, errors.New("invalid UUID format")
-			}
-		}
-		return uuid, nil
-	default:
-		return uuid, invalidLengthError{len(b)}
-	}
-	// s is now at least 36 bytes long
-	// it must be of the form  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-	if b[8] != '-' || b[13] != '-' || b[18] != '-' || b[23] != '-' {
-		return uuid, errors.New("invalid UUID format")
-	}
-	for i, x := range [16]int{
-		0, 2, 4, 6,
-		9, 11,
-		14, 16,
-		19, 21,
-		24, 26, 28, 30, 32, 34,
-	} {
-		v, ok := xtob(b[x], b[x+1])
-		if !ok {
-			return uuid, errors.New("invalid UUID format")
-		}
-		uuid[i] = v
-	}
-	return uuid, nil
-}
-
-// MustParse is like Parse but panics if the string cannot be parsed.
-// It simplifies safe initialization of global variables holding compiled UUIDs.
-func MustParse(s string) UUID {
-	uuid, err := Parse(s)
-	if err != nil {
-		panic(`uuid: Parse(` + s + `): ` + err.Error())
-	}
-	return uuid
-}
-
-// FromBytes creates a new UUID from a byte slice. Returns an error if the slice
-// does not have a length of 16. The bytes are copied from the slice.
-func FromBytes(b []byte) (uuid UUID, err error) {
-	err = uuid.UnmarshalBinary(b)
-	return uuid, err
-}
-
-// Must returns uuid if err is nil and panics otherwise.
-func Must(uuid UUID, err error) UUID {
-	if err != nil {
-		panic(err)
-	}
-	return uuid
-}
-
-// Validate returns an error if s is not a properly formatted UUID in one of the following formats:
-//   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-//   urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-//   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-//   {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
-// It returns an error if the format is invalid, otherwise nil.
-func Validate(s string) error {
-	switch len(s) {
-	// Standard UUID format
-	case 36:
-
-	// UUID with "urn:uuid:" prefix
-	case 36 + 9:
-		if !strings.EqualFold(s[:9], "urn:uuid:") {
-			return fmt.Errorf("invalid urn prefix: %q", s[:9])
-		}
-		s = s[9:]
-
-	// UUID enclosed in braces
-	case 36 + 2:
-		if s[0] != '{' || s[len(s)-1] != '}' {
-			return fmt.Errorf("invalid bracketed UUID format")
-		}
-		s = s[1 : len(s)-1]
-
-	// UUID without hyphens
-	case 32:
-		for i := 0; i < len(s); i += 2 {
-			_, ok := xtob(s[i], s[i+1])
-			if !ok {
-				return errors.New("invalid UUID format")
-			}
-		}
-
-	default:
-		return invalidLengthError{len(s)}
-	}
-
-	// Check for standard UUID format
-	if len(s) == 36 {
-		if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
-			return errors.New("invalid UUID format")
-		}
-		for _, x := range []int{0, 2, 4, 6, 9, 11, 14, 16, 19, 21, 24, 26, 28, 30, 32, 34} {
-			if _, ok := xtob(s[x], s[x+1]); !ok {
-				return errors.New("invalid UUID format")
-			}
-		}
-	}
-
-	return nil
-}
-
-// String returns the string form of uuid, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-// , or "" if uuid is invalid.
-func (uuid UUID) String() string {
-	var buf [36]byte
-	encodeHex(buf[:], uuid)
-	return string(buf[:])
-}
-
-// URN returns the RFC 2141 URN form of uuid,
-// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,  or "" if uuid is invalid.
-func (uuid UUID) URN() string {
-	var buf [36 + 9]byte
-	copy(buf[:], "urn:uuid:")
-	encodeHex(buf[9:], uuid)
-	return string(buf[:])
-}
-
-func encodeHex(dst []byte, uuid UUID) {
-	hex.Encode(dst, uuid[:4])
-	dst[8] = '-'
-	hex.Encode(dst[9:13], uuid[4:6])
-	dst[13] = '-'
-	hex.Encode(dst[14:18], uuid[6:8])
-	dst[18] = '-'
-	hex.Encode(dst[19:23], uuid[8:10])
-	dst[23] = '-'
-	hex.Encode(dst[24:], uuid[10:])
-}
-
-// Variant returns the variant encoded in uuid.
-func (uuid UUID) Variant() Variant {
-	switch {
-	case (uuid[8] & 0xc0) == 0x80:
-		return RFC4122
-	case (uuid[8] & 0xe0) == 0xc0:
-		return Microsoft
-	case (uuid[8] & 0xe0) == 0xe0:
-		return Future
-	default:
-		return Reserved
-	}
-}
-
-// Version returns the version of uuid.
-func (uuid UUID) Version() Version {
-	return Version(uuid[6] >> 4)
-}
-
-func (v Version) String() string {
-	if v > 15 {
-		return fmt.Sprintf("BAD_VERSION_%d", v)
-	}
-	return fmt.Sprintf("VERSION_%d", v)
-}
-
-func (v Variant) String() string {
-	switch v {
-	case RFC4122:
-		return "RFC4122"
-	case Reserved:
-		return "Reserved"
-	case Microsoft:
-		return "Microsoft"
-	case Future:
-		return "Future"
-	case Invalid:
-		return "Invalid"
-	}
-	return fmt.Sprintf("BadVariant%d", int(v))
-}
-
-// SetRand sets the random number generator to r, which implements io.Reader.
-// If r.Read returns an error when the package requests random data then
-// a panic will be issued.
-//
-// Calling SetRand with nil sets the random number generator to the default
-// generator.
-func SetRand(r io.Reader) {
-	if r == nil {
-		rander = rand.Reader
-		return
-	}
-	rander = r
-}
-
-// EnableRandPool enables internal randomness pool used for Random
-// (Version 4) UUID generation. The pool contains random bytes read from
-// the random number generator on demand in batches. Enabling the pool
-// may improve the UUID generation throughput significantly.
-//
-// Since the pool is stored on the Go heap, this feature may be a bad fit
-// for security sensitive applications.
-//
-// Both EnableRandPool and DisableRandPool are not thread-safe and should
-// only be called when there is no possibility that New or any other
-// UUID Version 4 generation function will be called concurrently.
-func EnableRandPool() {
-	poolEnabled = true
-}
-
-// DisableRandPool disables the randomness pool if it was previously
-// enabled with EnableRandPool.
-//
-// Both EnableRandPool and DisableRandPool are not thread-safe and should
-// only be called when there is no possibility that New or any other
-// UUID Version 4 generation function will be called concurrently.
-func DisableRandPool() {
-	poolEnabled = false
-	defer poolMu.Unlock()
-	poolMu.Lock()
-	poolPos = randPoolSize
-}
-
-// UUIDs is a slice of UUID types.
-type UUIDs []UUID
-
-// Strings returns a string slice containing the string form of each UUID in uuids.
-func (uuids UUIDs) Strings() []string {
-	var uuidStrs = make([]string, len(uuids))
-	for i, uuid := range uuids {
-		uuidStrs[i] = uuid.String()
-	}
-	return uuidStrs
-}

vendor/github.com/google/uuid/version1.go

@@ -1,44 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/binary"
-)
-
-// NewUUID returns a Version 1 UUID based on the current NodeID and clock
-// sequence, and the current time.  If the NodeID has not been set by SetNodeID
-// or SetNodeInterface then it will be set automatically.  If the NodeID cannot
-// be set NewUUID returns nil.  If clock sequence has not been set by
-// SetClockSequence then it will be set automatically.  If GetTime fails to
-// return the current NewUUID returns nil and an error.
-//
-// In most cases, New should be used.
-func NewUUID() (UUID, error) {
-	var uuid UUID
-	now, seq, err := GetTime()
-	if err != nil {
-		return uuid, err
-	}
-
-	timeLow := uint32(now & 0xffffffff)
-	timeMid := uint16((now >> 32) & 0xffff)
-	timeHi := uint16((now >> 48) & 0x0fff)
-	timeHi |= 0x1000 // Version 1
-
-	binary.BigEndian.PutUint32(uuid[0:], timeLow)
-	binary.BigEndian.PutUint16(uuid[4:], timeMid)
-	binary.BigEndian.PutUint16(uuid[6:], timeHi)
-	binary.BigEndian.PutUint16(uuid[8:], seq)
-
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	copy(uuid[10:], nodeID[:])
-	nodeMu.Unlock()
-
-	return uuid, nil
-}

vendor/github.com/google/uuid/version4.go

@@ -1,76 +0,0 @@
-// Copyright 2016 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "io"
-
-// New creates a new random UUID or panics.  New is equivalent to
-// the expression
-//
-//    uuid.Must(uuid.NewRandom())
-func New() UUID {
-	return Must(NewRandom())
-}
-
-// NewString creates a new random UUID and returns it as a string or panics.
-// NewString is equivalent to the expression
-//
-//    uuid.New().String()
-func NewString() string {
-	return Must(NewRandom()).String()
-}
-
-// NewRandom returns a Random (Version 4) UUID.
-//
-// The strength of the UUIDs is based on the strength of the crypto/rand
-// package.
-//
-// Uses the randomness pool if it was enabled with EnableRandPool.
-//
-// A note about uniqueness derived from the UUID Wikipedia entry:
-//
-//  Randomly generated UUIDs have 122 random bits.  One's annual risk of being
-//  hit by a meteorite is estimated to be one chance in 17 billion, that
-//  means the probability is about 0.00000000006 (6 × 10−11),
-//  equivalent to the odds of creating a few tens of trillions of UUIDs in a
-//  year and having one duplicate.
-func NewRandom() (UUID, error) {
-	if !poolEnabled {
-		return NewRandomFromReader(rander)
-	}
-	return newRandomFromPool()
-}
-
-// NewRandomFromReader returns a UUID based on bytes read from a given io.Reader.
-func NewRandomFromReader(r io.Reader) (UUID, error) {
-	var uuid UUID
-	_, err := io.ReadFull(r, uuid[:])
-	if err != nil {
-		return Nil, err
-	}
-	uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
-	return uuid, nil
-}
-
-func newRandomFromPool() (UUID, error) {
-	var uuid UUID
-	poolMu.Lock()
-	if poolPos == randPoolSize {
-		_, err := io.ReadFull(rander, pool[:])
-		if err != nil {
-			poolMu.Unlock()
-			return Nil, err
-		}
-		poolPos = 0
-	}
-	copy(uuid[:], pool[poolPos:(poolPos+16)])
-	poolPos += 16
-	poolMu.Unlock()
-
-	uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
-	uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
-	return uuid, nil
-}

vendor/github.com/google/uuid/version6.go

@@ -1,56 +0,0 @@
-// Copyright 2023 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "encoding/binary"
-
-// UUID version 6 is a field-compatible version of UUIDv1, reordered for improved DB locality.
-// It is expected that UUIDv6 will primarily be used in contexts where there are existing v1 UUIDs.
-// Systems that do not involve legacy UUIDv1 SHOULD consider using UUIDv7 instead.
-//
-// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#uuidv6
-//
-// NewV6 returns a Version 6 UUID based on the current NodeID and clock
-// sequence, and the current time. If the NodeID has not been set by SetNodeID
-// or SetNodeInterface then it will be set automatically. If the NodeID cannot
-// be set NewV6 set NodeID is random bits automatically . If clock sequence has not been set by
-// SetClockSequence then it will be set automatically. If GetTime fails to
-// return the current NewV6 returns Nil and an error.
-func NewV6() (UUID, error) {
-	var uuid UUID
-	now, seq, err := GetTime()
-	if err != nil {
-		return uuid, err
-	}
-
-	/*
-	    0                   1                   2                   3
-	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |                           time_high                           |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |           time_mid            |      time_low_and_version     |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |clk_seq_hi_res |  clk_seq_low  |         node (0-1)            |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	   |                         node (2-5)                            |
-	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	*/
-
-	binary.BigEndian.PutUint64(uuid[0:], uint64(now))
-	binary.BigEndian.PutUint16(uuid[8:], seq)
-
-	uuid[6] = 0x60 | (uuid[6] & 0x0F)
-	uuid[8] = 0x80 | (uuid[8] & 0x3F)
-
-	nodeMu.Lock()
-	if nodeID == zeroID {
-		setNodeInterface("")
-	}
-	copy(uuid[10:], nodeID[:])
-	nodeMu.Unlock()
-
-	return uuid, nil
-}

vendor/github.com/google/uuid/version7.go

@@ -1,104 +0,0 @@
-// Copyright 2023 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"io"
-)
-
-// UUID version 7 features a time-ordered value field derived from the widely
-// implemented and well known Unix Epoch timestamp source,
-// the number of milliseconds seconds since midnight 1 Jan 1970 UTC, leap seconds excluded.
-// As well as improved entropy characteristics over versions 1 or 6.
-//
-// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#name-uuid-version-7
-//
-// Implementations SHOULD utilize UUID version 7 over UUID version 1 and 6 if possible.
-//
-// NewV7 returns a Version 7 UUID based on the current time(Unix Epoch).
-// Uses the randomness pool if it was enabled with EnableRandPool.
-// On error, NewV7 returns Nil and an error
-func NewV7() (UUID, error) {
-	uuid, err := NewRandom()
-	if err != nil {
-		return uuid, err
-	}
-	makeV7(uuid[:])
-	return uuid, nil
-}
-
-// NewV7FromReader returns a Version 7 UUID based on the current time(Unix Epoch).
-// it use NewRandomFromReader fill random bits.
-// On error, NewV7FromReader returns Nil and an error.
-func NewV7FromReader(r io.Reader) (UUID, error) {
-	uuid, err := NewRandomFromReader(r)
-	if err != nil {
-		return uuid, err
-	}
-
-	makeV7(uuid[:])
-	return uuid, nil
-}
-
-// makeV7 fill 48 bits time (uuid[0] - uuid[5]), set version b0111 (uuid[6])
-// uuid[8] already has the right version number (Variant is 10)
-// see function NewV7 and NewV7FromReader
-func makeV7(uuid []byte) {
-	/*
-		 0                   1                   2                   3
-		 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|                           unix_ts_ms                          |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|          unix_ts_ms           |  ver  |  rand_a (12 bit seq)  |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|var|                        rand_b                             |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-		|                            rand_b                             |
-		+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	*/
-	_ = uuid[15] // bounds check
-
-	t, s := getV7Time()
-
-	uuid[0] = byte(t >> 40)
-	uuid[1] = byte(t >> 32)
-	uuid[2] = byte(t >> 24)
-	uuid[3] = byte(t >> 16)
-	uuid[4] = byte(t >> 8)
-	uuid[5] = byte(t)
-
-	uuid[6] = 0x70 | (0x0F & byte(s>>8))
-	uuid[7] = byte(s)
-}
-
-// lastV7time is the last time we returned stored as:
-//
-//	52 bits of time in milliseconds since epoch
-//	12 bits of (fractional nanoseconds) >> 8
-var lastV7time int64
-
-const nanoPerMilli = 1000000
-
-// getV7Time returns the time in milliseconds and nanoseconds / 256.
-// The returned (milli << 12 + seq) is guarenteed to be greater than
-// (milli << 12 + seq) returned by any previous call to getV7Time.
-func getV7Time() (milli, seq int64) {
-	timeMu.Lock()
-	defer timeMu.Unlock()
-
-	nano := timeNow().UnixNano()
-	milli = nano / nanoPerMilli
-	// Sequence number is between 0 and 3906 (nanoPerMilli>>8)
-	seq = (nano - milli*nanoPerMilli) >> 8
-	now := milli<<12 + seq
-	if now <= lastV7time {
-		now = lastV7time + 1
-		milli = now >> 12
-		seq = now & 0xfff
-	}
-	lastV7time = now
-	return milli, seq
-}

vendor/github.com/pmezard/go-difflib/difflib/difflib.go

@@ -199,15 +199,12 @@ func (m *SequenceMatcher) isBJunk(s string) bool {
 // If IsJunk is not defined:
 //
 // Return (i,j,k) such that a[i:i+k] is equal to b[j:j+k], where
-//
-//	alo <= i <= i+k <= ahi
-//	blo <= j <= j+k <= bhi
-//
+//     alo <= i <= i+k <= ahi
+//     blo <= j <= j+k <= bhi
 // and for all (i',j',k') meeting those conditions,
-//
-//	k >= k'
-//	i <= i'
-//	and if i == i', j <= j'
+//     k >= k'
+//     i <= i'
+//     and if i == i', j <= j'
 //
 // In other words, of all maximal matching blocks, return one that
 // starts earliest in a, and of all those maximal matching blocks that

vendor/github.com/redis/go-redis/v9/auth/reauth_credentials_listener.go

@@ -44,4 +44,4 @@ func NewReAuthCredentialsListener(reAuth func(credentials Credentials) error, on
 }
 
 // Ensure ReAuthCredentialsListener implements the CredentialsListener interface.
-var _ CredentialsListener = (*ReAuthCredentialsListener)(nil)
+var _ CredentialsListener = (*ReAuthCredentialsListener)(nil)

vendor/github.com/redis/go-redis/v9/internal/pool/conn_state.go

@@ -13,12 +13,11 @@ import (
 // States are designed to be lightweight and fast to check.
 //
 // State Transitions:
-//
-//	CREATED → INITIALIZING → IDLE ⇄ IN_USE
-//	                           ↓
-//	                       UNUSABLE (handoff/reauth)
-//	                           ↓
-//	                        IDLE/CLOSED
+//   CREATED → INITIALIZING → IDLE ⇄ IN_USE
+//                              ↓
+//                          UNUSABLE (handoff/reauth)
+//                              ↓
+//                           IDLE/CLOSED
 type ConnState uint32
 
 const (
@@ -121,7 +120,7 @@ type ConnStateMachine struct {
 
 	// FIFO queue for waiters - only locked during waiter add/remove/notify
 	mu          sync.Mutex
-	waiters     *list.List   // List of *waiter
+	waiters     *list.List // List of *waiter
 	waiterCount atomic.Int32 // Fast lock-free check for waiters (avoids mutex in hot path)
 }
 
@@ -341,3 +340,4 @@ func (sm *ConnStateMachine) notifyWaiters() {
 		}
 	}
 }
+

vendor/github.com/redis/go-redis/v9/internal/semaphore.go

@@ -190,4 +190,4 @@ func (s *FIFOSemaphore) Close() {
 // Len returns the current number of acquired tokens.
 func (s *FIFOSemaphore) Len() int32 {
 	return s.max - int32(len(s.tokens))
-}
+}

vendor/gopkg.in/yaml.v3/apic.go

@@ -1,17 +1,17 @@
-//
+// 
 // Copyright (c) 2011-2019 Canonical Ltd
 // Copyright (c) 2006-2010 Kirill Simonov
-//
+// 
 // Permission is hereby granted, free of charge, to any person obtaining a copy of
 // this software and associated documentation files (the "Software"), to deal in
 // the Software without restriction, including without limitation the rights to
 // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
 // of the Software, and to permit persons to whom the Software is furnished to do
 // so, subject to the following conditions:
-//
+// 
 // The above copyright notice and this permission notice shall be included in all
 // copies or substantial portions of the Software.
-//
+// 
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

vendor/gopkg.in/yaml.v3/emitterc.go

@@ -162,9 +162,10 @@ func yaml_emitter_emit(emitter *yaml_emitter_t, event *yaml_event_t) bool {
 // Check if we need to accumulate more events before emitting.
 //
 // We accumulate extra
-//   - 1 event for DOCUMENT-START
-//   - 2 events for SEQUENCE-START
-//   - 3 events for MAPPING-START
+//  - 1 event for DOCUMENT-START
+//  - 2 events for SEQUENCE-START
+//  - 3 events for MAPPING-START
+//
 func yaml_emitter_need_more_events(emitter *yaml_emitter_t) bool {
 	if emitter.events_head == len(emitter.events) {
 		return true
@@ -240,7 +241,7 @@ func yaml_emitter_increase_indent(emitter *yaml_emitter_t, flow, indentless bool
 			emitter.indent += 2
 		} else {
 			// Everything else aligns to the chosen indentation.
-			emitter.indent = emitter.best_indent * ((emitter.indent + emitter.best_indent) / emitter.best_indent)
+			emitter.indent = emitter.best_indent*((emitter.indent+emitter.best_indent)/emitter.best_indent)
 		}
 	}
 	return true

vendor/gopkg.in/yaml.v3/parserc.go

@@ -227,8 +227,7 @@ func yaml_parser_state_machine(parser *yaml_parser_t, event *yaml_event_t) bool
 
 // Parse the production:
 // stream   ::= STREAM-START implicit_document? explicit_document* STREAM-END
-//
-//	************
+//              ************
 func yaml_parser_parse_stream_start(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -250,12 +249,9 @@ func yaml_parser_parse_stream_start(parser *yaml_parser_t, event *yaml_event_t)
 
 // Parse the productions:
 // implicit_document    ::= block_node DOCUMENT-END*
-//
-//	*
-//
+//                          *
 // explicit_document    ::= DIRECTIVE* DOCUMENT-START block_node? DOCUMENT-END*
-//
-//	*************************
+//                          *************************
 func yaml_parser_parse_document_start(parser *yaml_parser_t, event *yaml_event_t, implicit bool) bool {
 
 	token := peek_token(parser)
@@ -360,8 +356,8 @@ func yaml_parser_parse_document_start(parser *yaml_parser_t, event *yaml_event_t
 
 // Parse the productions:
 // explicit_document    ::= DIRECTIVE* DOCUMENT-START block_node? DOCUMENT-END*
+//                                                    ***********
 //
-//	***********
 func yaml_parser_parse_document_content(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -383,10 +379,9 @@ func yaml_parser_parse_document_content(parser *yaml_parser_t, event *yaml_event
 
 // Parse the productions:
 // implicit_document    ::= block_node DOCUMENT-END*
-//
-//	*************
-//
+//                                     *************
 // explicit_document    ::= DIRECTIVE* DOCUMENT-START block_node? DOCUMENT-END*
+//
 func yaml_parser_parse_document_end(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -433,41 +428,30 @@ func yaml_parser_set_event_comments(parser *yaml_parser_t, event *yaml_event_t)
 
 // Parse the productions:
 // block_node_or_indentless_sequence    ::=
-//
-//	ALIAS
-//	*****
-//	| properties (block_content | indentless_block_sequence)?
-//	  **********  *
-//	| block_content | indentless_block_sequence
-//	  *
-//
+//                          ALIAS
+//                          *****
+//                          | properties (block_content | indentless_block_sequence)?
+//                            **********  *
+//                          | block_content | indentless_block_sequence
+//                            *
 // block_node           ::= ALIAS
-//
-//	*****
-//	| properties block_content?
-//	  ********** *
-//	| block_content
-//	  *
-//
+//                          *****
+//                          | properties block_content?
+//                            ********** *
+//                          | block_content
+//                            *
 // flow_node            ::= ALIAS
-//
-//	*****
-//	| properties flow_content?
-//	  ********** *
-//	| flow_content
-//	  *
-//
+//                          *****
+//                          | properties flow_content?
+//                            ********** *
+//                          | flow_content
+//                            *
 // properties           ::= TAG ANCHOR? | ANCHOR TAG?
-//
-//	*************************
-//
+//                          *************************
 // block_content        ::= block_collection | flow_collection | SCALAR
-//
-//	******
-//
+//                                                               ******
 // flow_content         ::= flow_collection | SCALAR
-//
-//	******
+//                                            ******
 func yaml_parser_parse_node(parser *yaml_parser_t, event *yaml_event_t, block, indentless_sequence bool) bool {
 	//defer trace("yaml_parser_parse_node", "block:", block, "indentless_sequence:", indentless_sequence)()
 
@@ -698,8 +682,8 @@ func yaml_parser_parse_node(parser *yaml_parser_t, event *yaml_event_t, block, i
 
 // Parse the productions:
 // block_sequence ::= BLOCK-SEQUENCE-START (BLOCK-ENTRY block_node?)* BLOCK-END
+//                    ********************  *********** *             *********
 //
-//	********************  *********** *             *********
 func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 	if first {
 		token := peek_token(parser)
@@ -756,8 +740,7 @@ func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_e
 
 // Parse the productions:
 // indentless_sequence  ::= (BLOCK-ENTRY block_node?)+
-//
-//	*********** *
+//                           *********** *
 func yaml_parser_parse_indentless_sequence_entry(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -822,14 +805,14 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
 
 // Parse the productions:
 // block_mapping        ::= BLOCK-MAPPING_START
+//                          *******************
+//                          ((KEY block_node_or_indentless_sequence?)?
+//                            *** *
+//                          (VALUE block_node_or_indentless_sequence?)?)*
 //
-//	*******************
-//	((KEY block_node_or_indentless_sequence?)?
-//	  *** *
-//	(VALUE block_node_or_indentless_sequence?)?)*
+//                          BLOCK-END
+//                          *********
 //
-//	BLOCK-END
-//	*********
 func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 	if first {
 		token := peek_token(parser)
@@ -898,11 +881,13 @@ func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_even
 // Parse the productions:
 // block_mapping        ::= BLOCK-MAPPING_START
 //
-//	((KEY block_node_or_indentless_sequence?)?
+//                          ((KEY block_node_or_indentless_sequence?)?
+//
+//                          (VALUE block_node_or_indentless_sequence?)?)*
+//                           ***** *
+//                          BLOCK-END
+//
 //
-//	(VALUE block_node_or_indentless_sequence?)?)*
-//	 ***** *
-//	BLOCK-END
 func yaml_parser_parse_block_mapping_value(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -930,18 +915,16 @@ func yaml_parser_parse_block_mapping_value(parser *yaml_parser_t, event *yaml_ev
 
 // Parse the productions:
 // flow_sequence        ::= FLOW-SEQUENCE-START
-//
-//	*******************
-//	(flow_sequence_entry FLOW-ENTRY)*
-//	 *                   **********
-//	flow_sequence_entry?
-//	*
-//	FLOW-SEQUENCE-END
-//	*****************
-//
+//                          *******************
+//                          (flow_sequence_entry FLOW-ENTRY)*
+//                           *                   **********
+//                          flow_sequence_entry?
+//                          *
+//                          FLOW-SEQUENCE-END
+//                          *****************
 // flow_sequence_entry  ::= flow_node | KEY flow_node? (VALUE flow_node?)?
+//                          *
 //
-//	*
 func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 	if first {
 		token := peek_token(parser)
@@ -1004,10 +987,11 @@ func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_ev
 	return true
 }
 
+//
 // Parse the productions:
 // flow_sequence_entry  ::= flow_node | KEY flow_node? (VALUE flow_node?)?
+//                                      *** *
 //
-//	*** *
 func yaml_parser_parse_flow_sequence_entry_mapping_key(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -1027,8 +1011,8 @@ func yaml_parser_parse_flow_sequence_entry_mapping_key(parser *yaml_parser_t, ev
 
 // Parse the productions:
 // flow_sequence_entry  ::= flow_node | KEY flow_node? (VALUE flow_node?)?
+//                                                      ***** *
 //
-//	***** *
 func yaml_parser_parse_flow_sequence_entry_mapping_value(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -1051,8 +1035,8 @@ func yaml_parser_parse_flow_sequence_entry_mapping_value(parser *yaml_parser_t,
 
 // Parse the productions:
 // flow_sequence_entry  ::= flow_node | KEY flow_node? (VALUE flow_node?)?
+//                                                                      *
 //
-//	*
 func yaml_parser_parse_flow_sequence_entry_mapping_end(parser *yaml_parser_t, event *yaml_event_t) bool {
 	token := peek_token(parser)
 	if token == nil {
@@ -1069,17 +1053,16 @@ func yaml_parser_parse_flow_sequence_entry_mapping_end(parser *yaml_parser_t, ev
 
 // Parse the productions:
 // flow_mapping         ::= FLOW-MAPPING-START
-//
-//	******************
-//	(flow_mapping_entry FLOW-ENTRY)*
-//	 *                  **********
-//	flow_mapping_entry?
-//	******************
-//	FLOW-MAPPING-END
-//	****************
-//
+//                          ******************
+//                          (flow_mapping_entry FLOW-ENTRY)*
+//                           *                  **********
+//                          flow_mapping_entry?
+//                          ******************
+//                          FLOW-MAPPING-END
+//                          ****************
 // flow_mapping_entry   ::= flow_node | KEY flow_node? (VALUE flow_node?)?
-//   - *** *
+//                          *           *** *
+//
 func yaml_parser_parse_flow_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
 	if first {
 		token := peek_token(parser)
@@ -1145,7 +1128,8 @@ func yaml_parser_parse_flow_mapping_key(parser *yaml_parser_t, event *yaml_event
 
 // Parse the productions:
 // flow_mapping_entry   ::= flow_node | KEY flow_node? (VALUE flow_node?)?
-//   - ***** *
+//                                   *                  ***** *
+//
 func yaml_parser_parse_flow_mapping_value(parser *yaml_parser_t, event *yaml_event_t, empty bool) bool {
 	token := peek_token(parser)
 	if token == nil {

vendor/gopkg.in/yaml.v3/readerc.go

@@ -1,17 +1,17 @@
-//
+// 
 // Copyright (c) 2011-2019 Canonical Ltd
 // Copyright (c) 2006-2010 Kirill Simonov
-//
+// 
 // Permission is hereby granted, free of charge, to any person obtaining a copy of
 // this software and associated documentation files (the "Software"), to deal in
 // the Software without restriction, including without limitation the rights to
 // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
 // of the Software, and to permit persons to whom the Software is furnished to do
 // so, subject to the following conditions:
-//
+// 
 // The above copyright notice and this permission notice shall be included in all
 // copies or substantial portions of the Software.
-//
+// 
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

vendor/gopkg.in/yaml.v3/scannerc.go

@@ -1614,11 +1614,11 @@ func yaml_parser_scan_to_next_token(parser *yaml_parser_t) bool {
 // Scan a YAML-DIRECTIVE or TAG-DIRECTIVE token.
 //
 // Scope:
+//      %YAML    1.1    # a comment \n
+//      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+//      %TAG    !yaml!  tag:yaml.org,2002:  \n
+//      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 //
-//	%YAML    1.1    # a comment \n
-//	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-//	%TAG    !yaml!  tag:yaml.org,2002:  \n
-//	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 func yaml_parser_scan_directive(parser *yaml_parser_t, token *yaml_token_t) bool {
 	// Eat '%'.
 	start_mark := parser.mark
@@ -1719,11 +1719,11 @@ func yaml_parser_scan_directive(parser *yaml_parser_t, token *yaml_token_t) bool
 // Scan the directive name.
 //
 // Scope:
+//      %YAML   1.1     # a comment \n
+//       ^^^^
+//      %TAG    !yaml!  tag:yaml.org,2002:  \n
+//       ^^^
 //
-//	%YAML   1.1     # a comment \n
-//	 ^^^^
-//	%TAG    !yaml!  tag:yaml.org,2002:  \n
-//	 ^^^
 func yaml_parser_scan_directive_name(parser *yaml_parser_t, start_mark yaml_mark_t, name *[]byte) bool {
 	// Consume the directive name.
 	if parser.unread < 1 && !yaml_parser_update_buffer(parser, 1) {
@@ -1758,9 +1758,8 @@ func yaml_parser_scan_directive_name(parser *yaml_parser_t, start_mark yaml_mark
 // Scan the value of VERSION-DIRECTIVE.
 //
 // Scope:
-//
-//	%YAML   1.1     # a comment \n
-//	     ^^^^^^
+//      %YAML   1.1     # a comment \n
+//           ^^^^^^
 func yaml_parser_scan_version_directive_value(parser *yaml_parser_t, start_mark yaml_mark_t, major, minor *int8) bool {
 	// Eat whitespaces.
 	if parser.unread < 1 && !yaml_parser_update_buffer(parser, 1) {
@@ -1798,11 +1797,10 @@ const max_number_length = 2
 // Scan the version number of VERSION-DIRECTIVE.
 //
 // Scope:
-//
-//	%YAML   1.1     # a comment \n
-//	        ^
-//	%YAML   1.1     # a comment \n
-//	          ^
+//      %YAML   1.1     # a comment \n
+//              ^
+//      %YAML   1.1     # a comment \n
+//                ^
 func yaml_parser_scan_version_directive_number(parser *yaml_parser_t, start_mark yaml_mark_t, number *int8) bool {
 
 	// Repeat while the next character is digit.
@@ -1836,9 +1834,9 @@ func yaml_parser_scan_version_directive_number(parser *yaml_parser_t, start_mark
 // Scan the value of a TAG-DIRECTIVE token.
 //
 // Scope:
+//      %TAG    !yaml!  tag:yaml.org,2002:  \n
+//          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 //
-//	%TAG    !yaml!  tag:yaml.org,2002:  \n
-//	    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 func yaml_parser_scan_tag_directive_value(parser *yaml_parser_t, start_mark yaml_mark_t, handle, prefix *[]byte) bool {
 	var handle_value, prefix_value []byte
 
@@ -2849,7 +2847,7 @@ func yaml_parser_scan_line_comment(parser *yaml_parser_t, token_mark yaml_mark_t
 			continue
 		}
 		if parser.buffer[parser.buffer_pos+peek] == '#' {
-			seen := parser.mark.index + peek
+			seen := parser.mark.index+peek
 			for {
 				if parser.unread < 1 && !yaml_parser_update_buffer(parser, 1) {
 					return false
@@ -2878,7 +2876,7 @@ func yaml_parser_scan_line_comment(parser *yaml_parser_t, token_mark yaml_mark_t
 		parser.comments = append(parser.comments, yaml_comment_t{
 			token_mark: token_mark,
 			start_mark: start_mark,
-			line:       text,
+			line: text,
 		})
 	}
 	return true
@@ -2912,7 +2910,7 @@ func yaml_parser_scan_comments(parser *yaml_parser_t, scan_mark yaml_mark_t) boo
 	// the foot is the line below it.
 	var foot_line = -1
 	if scan_mark.line > 0 {
-		foot_line = parser.mark.line - parser.newlines + 1
+		foot_line = parser.mark.line-parser.newlines+1
 		if parser.newlines == 0 && parser.mark.column > 1 {
 			foot_line++
 		}
@@ -2998,7 +2996,7 @@ func yaml_parser_scan_comments(parser *yaml_parser_t, scan_mark yaml_mark_t) boo
 		recent_empty = false
 
 		// Consume until after the consumed comment line.
-		seen := parser.mark.index + peek
+		seen := parser.mark.index+peek
 		for {
 			if parser.unread < 1 && !yaml_parser_update_buffer(parser, 1) {
 				return false

vendor/gopkg.in/yaml.v3/writerc.go

@@ -1,17 +1,17 @@
-//
+// 
 // Copyright (c) 2011-2019 Canonical Ltd
 // Copyright (c) 2006-2010 Kirill Simonov
-//
+// 
 // Permission is hereby granted, free of charge, to any person obtaining a copy of
 // this software and associated documentation files (the "Software"), to deal in
 // the Software without restriction, including without limitation the rights to
 // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
 // of the Software, and to permit persons to whom the Software is furnished to do
 // so, subject to the following conditions:
-//
+// 
 // The above copyright notice and this permission notice shall be included in all
 // copies or substantial portions of the Software.
-//
+// 
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

vendor/gopkg.in/yaml.v3/yaml.go

@@ -17,7 +17,8 @@
 //
 // Source code and other details for the project are available at GitHub:
 //
-//	https://github.com/go-yaml/yaml
+//   https://github.com/go-yaml/yaml
+//
 package yaml
 
 import (
@@ -74,15 +75,16 @@ type Marshaler interface {
 //
 // For example:
 //
-//	type T struct {
-//	    F int `yaml:"a,omitempty"`
-//	    B int
-//	}
-//	var t T
-//	yaml.Unmarshal([]byte("a: 1\nb: 2"), &t)
+//     type T struct {
+//         F int `yaml:"a,omitempty"`
+//         B int
+//     }
+//     var t T
+//     yaml.Unmarshal([]byte("a: 1\nb: 2"), &t)
 //
 // See the documentation of Marshal for the format of tags and a list of
 // supported tag options.
+//
 func Unmarshal(in []byte, out interface{}) (err error) {
 	return unmarshal(in, out, false)
 }
@@ -183,35 +185,36 @@ func unmarshal(in []byte, out interface{}, strict bool) (err error) {
 //
 // The field tag format accepted is:
 //
-//	`(...) yaml:"[<key>][,<flag1>[,<flag2>]]" (...)`
+//     `(...) yaml:"[<key>][,<flag1>[,<flag2>]]" (...)`
 //
 // The following flags are currently supported:
 //
-//	omitempty    Only include the field if it's not set to the zero
-//	             value for the type or to empty slices or maps.
-//	             Zero valued structs will be omitted if all their public
-//	             fields are zero, unless they implement an IsZero
-//	             method (see the IsZeroer interface type), in which
-//	             case the field will be excluded if IsZero returns true.
+//     omitempty    Only include the field if it's not set to the zero
+//                  value for the type or to empty slices or maps.
+//                  Zero valued structs will be omitted if all their public
+//                  fields are zero, unless they implement an IsZero
+//                  method (see the IsZeroer interface type), in which
+//                  case the field will be excluded if IsZero returns true.
 //
-//	flow         Marshal using a flow style (useful for structs,
-//	             sequences and maps).
+//     flow         Marshal using a flow style (useful for structs,
+//                  sequences and maps).
 //
-//	inline       Inline the field, which must be a struct or a map,
-//	             causing all of its fields or keys to be processed as if
-//	             they were part of the outer struct. For maps, keys must
-//	             not conflict with the yaml keys of other struct fields.
+//     inline       Inline the field, which must be a struct or a map,
+//                  causing all of its fields or keys to be processed as if
+//                  they were part of the outer struct. For maps, keys must
+//                  not conflict with the yaml keys of other struct fields.
 //
 // In addition, if the key is "-", the field is ignored.
 //
 // For example:
 //
-//	type T struct {
-//	    F int `yaml:"a,omitempty"`
-//	    B int
-//	}
-//	yaml.Marshal(&T{B: 2}) // Returns "b: 2\n"
-//	yaml.Marshal(&T{F: 1}} // Returns "a: 1\nb: 0\n"
+//     type T struct {
+//         F int `yaml:"a,omitempty"`
+//         B int
+//     }
+//     yaml.Marshal(&T{B: 2}) // Returns "b: 2\n"
+//     yaml.Marshal(&T{F: 1}} // Returns "a: 1\nb: 0\n"
+//
 func Marshal(in interface{}) (out []byte, err error) {
 	defer handleErr(&err)
 	e := newEncoder()
@@ -355,21 +358,22 @@ const (
 //
 // For example:
 //
-//	var person struct {
-//	        Name    string
-//	        Address yaml.Node
-//	}
-//	err := yaml.Unmarshal(data, &person)
-//
+//     var person struct {
+//             Name    string
+//             Address yaml.Node
+//     }
+//     err := yaml.Unmarshal(data, &person)
+// 
 // Or by itself:
 //
-//	var person Node
-//	err := yaml.Unmarshal(data, &person)
+//     var person Node
+//     err := yaml.Unmarshal(data, &person)
+//
 type Node struct {
 	// Kind defines whether the node is a document, a mapping, a sequence,
 	// a scalar value, or an alias to another node. The specific data type of
 	// scalar nodes may be obtained via the ShortTag and LongTag methods.
-	Kind Kind
+	Kind  Kind
 
 	// Style allows customizing the apperance of the node in the tree.
 	Style Style
@@ -417,6 +421,7 @@ func (n *Node) IsZero() bool {
 		n.HeadComment == "" && n.LineComment == "" && n.FootComment == "" && n.Line == 0 && n.Column == 0
 }
 
+
 // LongTag returns the long form of the tag that indicates the data type for
 // the node. If the Tag field isn't explicitly defined, one will be computed
 // based on the node properties.

vendor/gopkg.in/yaml.v3/yamlh.go

@@ -438,9 +438,7 @@ type yaml_document_t struct {
 // The number of written bytes should be set to the size_read variable.
 //
 // [in,out]   data        A pointer to an application data specified by
-//
-//	yaml_parser_set_input().
-//
+//                        yaml_parser_set_input().
 // [out]      buffer      The buffer to write the data from the source.
 // [in]       size        The size of the buffer.
 // [out]      size_read   The actual number of bytes read from the source.
@@ -641,6 +639,7 @@ type yaml_parser_t struct {
 }
 
 type yaml_comment_t struct {
+
 	scan_mark  yaml_mark_t // Position where scanning for comments started
 	token_mark yaml_mark_t // Position after which tokens will be associated with this comment
 	start_mark yaml_mark_t // Position of '#' comment mark
@@ -660,14 +659,13 @@ type yaml_comment_t struct {
 // @a buffer to the output.
 //
 // @param[in,out]   data        A pointer to an application data specified by
-//
-//	yaml_emitter_set_output().
-//
+//                              yaml_emitter_set_output().
 // @param[in]       buffer      The buffer with bytes to be written.
 // @param[in]       size        The size of the buffer.
 //
 // @returns On success, the handler should return @c 1.  If the handler failed,
 // the returned value should be @c 0.
+//
 type yaml_write_handler_t func(emitter *yaml_emitter_t, buffer []byte) error
 
 type yaml_emitter_state_t int

vendor/gopkg.in/yaml.v3/yamlprivateh.go

@@ -1,17 +1,17 @@
-//
+// 
 // Copyright (c) 2011-2019 Canonical Ltd
 // Copyright (c) 2006-2010 Kirill Simonov
-//
+// 
 // Permission is hereby granted, free of charge, to any person obtaining a copy of
 // this software and associated documentation files (the "Software"), to deal in
 // the Software without restriction, including without limitation the rights to
 // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
 // of the Software, and to permit persons to whom the Software is furnished to do
 // so, subject to the following conditions:
-//
+// 
 // The above copyright notice and this permission notice shall be included in all
 // copies or substantial portions of the Software.
-//
+// 
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -137,8 +137,8 @@ func is_crlf(b []byte, i int) bool {
 func is_breakz(b []byte, i int) bool {
 	//return is_break(b, i) || is_z(b, i)
 	return (
-	// is_break:
-	b[i] == '\r' || // CR (#xD)
+		// is_break:
+		b[i] == '\r' || // CR (#xD)
 		b[i] == '\n' || // LF (#xA)
 		b[i] == 0xC2 && b[i+1] == 0x85 || // NEL (#x85)
 		b[i] == 0xE2 && b[i+1] == 0x80 && b[i+2] == 0xA8 || // LS (#x2028)
@@ -151,8 +151,8 @@ func is_breakz(b []byte, i int) bool {
 func is_spacez(b []byte, i int) bool {
 	//return is_space(b, i) || is_breakz(b, i)
 	return (
-	// is_space:
-	b[i] == ' ' ||
+		// is_space:
+		b[i] == ' ' ||
 		// is_breakz:
 		b[i] == '\r' || // CR (#xD)
 		b[i] == '\n' || // LF (#xA)
@@ -166,8 +166,8 @@ func is_spacez(b []byte, i int) bool {
 func is_blankz(b []byte, i int) bool {
 	//return is_blank(b, i) || is_breakz(b, i)
 	return (
-	// is_blank:
-	b[i] == ' ' || b[i] == '\t' ||
+		// is_blank:
+		b[i] == ' ' || b[i] == '\t' ||
 		// is_breakz:
 		b[i] == '\r' || // CR (#xD)
 		b[i] == '\n' || // LF (#xA)

vendor/modules.txt

@@ -18,9 +18,6 @@ github.com/davecgh/go-spew/spew
 # github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
 ## explicit
 github.com/dgryski/go-rendezvous
-# github.com/google/uuid v1.6.0
-## explicit
-github.com/google/uuid
 # github.com/gorilla/securecookie v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/securecookie

verify_token_hotpath_test.go

@@ -0,0 +1,62 @@
+package traefikoidc
+
+import (
+	"testing"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+// TestVerifyToken_CacheHitSkipsParse proves the hot-path optimization: when a
+// token is in the cache, VerifyToken returns nil without calling parseJWT.
+// We construct a token that PASSES the cheap format checks (3 segments, len
+// >= 10) but whose body is unparseable JSON. With the cache hit hoisted ahead
+// of parseJWT, the function returns nil. Without the hoist, parseJWT would
+// fail with "failed to parse JWT for blacklist check".
+func TestVerifyToken_CacheHitSkipsParse(t *testing.T) {
+	tr := &TraefikOidc{
+		logger:     NewLogger("error"),
+		tokenCache: NewTokenCache(),
+		// limiter intentionally absent; if we reached the rate-limit check
+		// the test would NPE - this is a stronger assertion that we exit
+		// before that point.
+		limiter: rate.NewLimiter(rate.Inf, 1),
+	}
+	tr.tokenVerifier = tr
+
+	// Three segments separated by '.', body is junk after base64-decode + JSON.
+	// Pre-fix this fails parseJWT; post-fix it returns nil because the cache
+	// short-circuits.
+	junkToken := "header.bm90LWpzb24.signature" // base64(not-json) in the middle
+	tr.tokenCache.Set(junkToken, map[string]interface{}{
+		"exp": float64(time.Now().Add(time.Hour).Unix()),
+		"sub": "test",
+	}, time.Hour)
+
+	if err := tr.VerifyToken(junkToken); err != nil {
+		t.Fatalf("expected cache-hit fast path to return nil, got: %v", err)
+	}
+}
+
+// TestVerifyToken_CacheMissStillParses ensures we did not skip too aggressively
+// - on a cache miss, the function must still parse and reach the rate-limit
+// check. We assert by passing a syntactically valid token whose signature
+// won't verify, expecting an error from later in the pipeline.
+func TestVerifyToken_CacheMissStillParses(t *testing.T) {
+	tr := &TraefikOidc{
+		logger:     NewLogger("error"),
+		tokenCache: NewTokenCache(),
+		limiter:    rate.NewLimiter(rate.Inf, 1),
+		// no tokenBlacklist, no jwkCache - the function will fail somewhere
+		// after parseJWT. We just need a non-nil error to confirm we did
+		// progress past the cache check.
+	}
+	tr.tokenVerifier = tr
+
+	// Real JWT structure but unsigned/unverifiable.
+	rawToken := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.signature"
+
+	if err := tr.VerifyToken(rawToken); err == nil {
+		t.Fatal("expected an error past parseJWT for an unsigned token, got nil")
+	}
+}