Tweak openid configuration

package.json

@@ -12,48 +12,48 @@
 		"format": "prettier --write ."
 	},
 	"devDependencies": {
-		"@sveltejs/kit": "^2.9.0",
-		"@sveltejs/vite-plugin-svelte": "^5.0.1",
+		"@sveltejs/kit": "^2.17.2",
+		"@sveltejs/vite-plugin-svelte": "^5.0.3",
 		"@types/bcryptjs": "^2.4.6",
 		"@types/eslint": "^9.6.1",
 		"@types/mime-types": "^2.1.4",
-		"@types/node": "^22.10.1",
+		"@types/node": "^22.13.5",
 		"@types/nodemailer": "^6.4.17",
 		"@types/qrcode": "^1.5.5",
 		"@types/uuid": "^10.0.0",
-		"@typescript-eslint/eslint-plugin": "^8.17.0",
-		"@typescript-eslint/parser": "^8.17.0",
-		"drizzle-kit": "^0.30.0",
-		"eslint": "^9.16.0",
-		"eslint-config-prettier": "^9.1.0",
+		"@typescript-eslint/eslint-plugin": "^8.24.1",
+		"@typescript-eslint/parser": "^8.24.1",
+		"drizzle-kit": "^0.30.4",
+		"eslint": "^9.21.0",
+		"eslint-config-prettier": "^10.0.1",
 		"eslint-plugin-svelte": "^2.46.1",
-		"prettier": "^3.4.2",
-		"prettier-plugin-svelte": "^3.3.2",
-		"svelte": "^5.9.1",
-		"svelte-check": "^4.1.1",
+		"prettier": "^3.5.2",
+		"prettier-plugin-svelte": "^3.3.3",
+		"svelte": "^5.20.2",
+		"svelte-check": "^4.1.4",
 		"tslib": "^2.8.1",
-		"typescript": "^5.7.2",
-		"vite": "^6.0.3"
+		"typescript": "^5.7.3",
+		"vite": "^6.1.1"
 	},
 	"type": "module",
 	"dependencies": {
-		"@sveltejs/adapter-node": "^5.2.9",
-		"bcryptjs": "^2.4.3",
-		"chalk": "^5.4.0",
+		"@sveltejs/adapter-node": "^5.2.12",
+		"bcryptjs": "^3.0.2",
+		"chalk": "^5.4.1",
 		"cropperjs": "^1.6.2",
 		"dotenv": "^16.4.7",
-		"drizzle-orm": "^0.38.0",
-		"image-size": "^1.1.1",
-		"jose": "^5.9.6",
+		"drizzle-orm": "^0.39.3",
+		"image-size": "^1.2.0",
+		"jose": "^5.10.0",
 		"mime-types": "^2.1.35",
-		"mysql2": "^3.11.5",
-		"nodemailer": "^6.9.16",
+		"mysql2": "^3.12.0",
+		"nodemailer": "^6.10.0",
 		"otplib": "^12.0.1",
 		"qrcode": "^1.5.4",
-		"svelte-kit-cookie-session": "^4.0.0",
+		"svelte-kit-cookie-session": "^4.1.1",
 		"sveltekit-i18n": "^2.4.2",
 		"sveltekit-rate-limiter": "^0.6.1",
-		"uuid": "^11.0.3",
+		"uuid": "^11.1.0",
 		"vite-plugin-mkcert": "^1.17.6"
 	}
 }

src/lib/server/oauth2/model/client.ts

@@ -1,4 +1,5 @@
 import { env } from '$env/dynamic/public';
+import { env as privateEnv } from '$env/dynamic/private';
 import { CryptoUtils } from '$lib/server/crypto-utils';
 import {
 	DB,
@@ -540,12 +541,17 @@ export class OAuth2Clients {
 		const set = createLocalJWKSet({ keys: parsedSet as JWK[] });
 		try {
 			const { payload } = await jwtVerify(assertionToken, set, {
-				subject: client.client_id
+				subject: client.client_id,
+				issuer: client.client_id
 			});
 
 			// Check audience, token must be intended for our service
 			const checkAudience = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
-			if (!checkAudience.some((entry) => entry?.startsWith(env.PUBLIC_URL))) {
+			if (
+				!checkAudience.some(
+					(entry) => entry?.startsWith(env.PUBLIC_URL) || entry?.startsWith(privateEnv.JWT_ISSUER)
+				)
+			) {
 				return false;
 			}
 

src/routes/[...wellKnown=wellKnown]/openid-configuration/+server.ts

@@ -17,6 +17,11 @@ export const GET = async () =>
 		id_token_signing_alg_values_supported: [privateEnv.JWT_ALGORITHM],
 		subject_types_supported: ['public'],
 		scopes_supported: ['openid', 'profile', 'picture', 'email'],
+		token_endpoint_auth_methods_supported: [
+			'client_secret_post',
+			'client_secret_basic',
+			'private_key_jwt'
+		],
 		claims_supported: [
 			'aud',
 			'exp',