A careful implementation that earns its reputation.
zitadel/oidc's minimal attack surface, exhaustive test coverage against the RFC 6749 corpus, and a maintainer who replies on weekends make it our first recommendation for new Go projects.
§1 · Context
zitadel/oidc is the OIDC client + server library maintained by the
ZITADEL team. It has been a quietly excellent project for years and the
reputation is deserved.
§2 · Findings
We ran our OAuth 2.1 compliance corpus (148 assertions) against both the
client and server halves of the library. Every assertion passed. The one
medium finding: the library's RequireHTTPS option is honoured in most
request paths but skipped on one explicit local-development code path.
That is defensible, but we recommend a louder warning whenever RequireHTTPS
is false and the host is outside 127.0.0.0/8.
Four low findings are documentation gaps, not correctness issues. The
maintainer accepted all five in 48 hours and shipped fixes in the next
release.
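An added illustration of the fail-loudly policy we recommend, not code from zitadel/oidc: a Go check that accepts https unconditionally, tolerates plain http only when RequireHTTPS is false and the host is an IPv4 literal inside 127.0.0.0/8, and returns a distinguishable error otherwise. The function and error names are ours, and it deliberately does not resolve hostnames, so `localhost` counts as non-loopback.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Sentinel errors so callers can distinguish the two failure modes.
var (
	ErrPlainHTTP           = errors.New("plain http but RequireHTTPS is set")
	ErrInsecureNonLoopback = errors.New("RequireHTTPS is false and host is outside 127.0.0.0/8")
)

// loopbackV4 is the only range where plain http is tolerated (per the finding above).
var loopbackV4 = net.IPNet{IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}

// isLoopbackV4 reports whether host is an IPv4 literal inside 127.0.0.0/8.
// Hostnames are not resolved: an offline check cannot know what they point
// to, so anything that is not an IP literal is treated as non-loopback.
func isLoopbackV4(host string) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	ip4 := ip.To4()
	return ip4 != nil && loopbackV4.Contains(ip4)
}

// CheckIssuerTransport enforces the policy for an issuer or endpoint URL.
func CheckIssuerTransport(rawURL string, requireHTTPS bool) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("parse %q: %w", rawURL, err)
	}
	switch u.Scheme {
	case "https":
		return nil
	case "http":
		if requireHTTPS {
			return fmt.Errorf("%w: %s", ErrPlainHTTP, rawURL)
		}
		if !isLoopbackV4(u.Hostname()) { // Hostname() strips port and brackets
			return fmt.Errorf("%w: %s", ErrInsecureNonLoopback, rawURL)
		}
		return nil
	default:
		return fmt.Errorf("%q: unsupported scheme %q", rawURL, u.Scheme)
	}
}
```

Wire this in front of your client/server configuration so an insecure setting outside loopback aborts startup instead of logging a line nobody reads.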
§3 · Supply chain
The dependency tree is small, every transitive dependency is pinned, and
provenance is attested through sigstore. The release binary on the GitHub
releases page verified cleanly against the attestation. We'd be comfortable
running this in a sensitive context without a wrapper.
§4 · Bottom line
Use it. Read the example folder before you integrate — it's unusually
complete — and configure RequireHTTPS to fail loudly in prod.