From 02e16a7e74ace1f1d0604a68ead45aae971fd6a7 Mon Sep 17 00:00:00 2001
From: Matthieu Bessat <mbess@mbess.net>
Date: Mon, 9 Dec 2024 09:38:39 +0100
Subject: [PATCH] feat: support OIDC id_token

- generate JWT id_token in token exchange
- store optional nonce in authorization object
- switch to RS256 algorithm for JWT signature
- add JWKs endpoint to provide OIDC clients with public keys
---
 .env                                          |   1 -
 .swp                                          | Bin 0 -> 77824 bytes
 Cargo.lock                                    |  49 +++++++++-
 TODO.md                                       |   5 +
 config.toml                                   |  19 +++-
 justfile                                      |  20 ++--
 lib/http_server/Cargo.toml                    |   9 ++
 .../controllers/api/oauth2/access_token.rs    |  39 ++++++--
 .../src/controllers/api/openid/keys.rs        |  45 +++++++++
 .../src/controllers/api/openid/mod.rs         |   1 +
 .../src/controllers/api/openid/well_known.rs  |  10 +-
 .../src/controllers/api/read_user.rs          |   6 +-
 .../src/controllers/ui/authorize.rs           |  18 ++--
 lib/http_server/src/controllers/ui/login.rs   |   4 +-
 lib/http_server/src/middlewares/app_auth.rs   |  20 ++--
 lib/http_server/src/middlewares/user_auth.rs  |  26 +++---
 lib/http_server/src/router.rs                 |   3 +-
 lib/http_server/src/services/oauth2.rs        |  13 ++-
 lib/http_server/src/services/session.rs       |  27 ++++--
 lib/http_server/src/token_claims.rs           |  88 ++++++++++++++----
 lib/kernel/src/consts.rs                      |   1 +
 lib/kernel/src/context.rs                     |  39 ++++++--
 lib/kernel/src/models/authorization.rs        |   2 +
 lib/kernel/src/models/config.rs               |   9 +-
 lib/kernel/src/models/user.rs                 |   2 +-
 migrations/all.sql                            |   1 +
 tests/hurl_integration/oidc_core/config.toml  |  58 ++++++++++++
 tests/hurl_integration/oidc_core/init_db.sh   |  11 +++
 tests/hurl_integration/oidc_core/main.hurl    |  41 ++++++++
 tests/hurl_integration/scenario_1/config.toml |   2 +
 tests/hurl_integration/scenario_1/main.hurl   |   2 +-
 .../user_invitation_scenario/config.toml      |   1 +
 32 files changed, 469 insertions(+), 103 deletions(-)
 create mode 100644 .swp
 create mode 100644 lib/http_server/src/controllers/api/openid/keys.rs
 create mode 100644 tests/hurl_integration/oidc_core/config.toml
 create mode 100755 tests/hurl_integration/oidc_core/init_db.sh
 create mode 100644 tests/hurl_integration/oidc_core/main.hurl

diff --git a/.env b/.env
index 8c4c540..e69de29 100644
--- a/.env
+++ b/.env
@@ -1 +0,0 @@
-APP_JWT_SECRET=bc1996ea-5464-424a-9a38-5604f2bc865a
diff --git a/.swp b/.swp
new file mode 100644
index 0000000000000000000000000000000000000000..6f58751739bf717a577f867cfa00d136ffe82c4f
GIT binary patch
literal 77824
zcmeI*2bd*UUH|_j2gxWRAgoK0(8JC5mLN&VSp{SXLsi|XnPxi7cG%rnBuIuOEFd|o
zAQB`;S)!t-1W^=GL<B^XtVAWr|Mk70yYB6t?h$MGJ^$yKd3e*^x5M63b?Th+O`mVp
zxX+#Lc4~5<d5V8mivJt``@P#;^pxeSSYMyMu*b)2Db0^O1bh6<$#0#!0w=G)|LZGo
znR~Ze%|^V7>z?)tr(X3c_x^wVhED$XPhNqOSK#CoIC%w5UV)QW;N%rJc?C{hfs<F@
zCwK)mj$ZkcNBHkubn@SP<mBT;=009*^7WG^A0IXM{fke&e!}GA6()aR`gblddHwN|
zkI$a_{v{``zj*TT=O=Gy`umrfynf!~<2&cRf9c8VPn&$a%j6ADfB!O**Uz1N{KvWP
zUv~2P6DJ>w$$+N6|5J0n|JAwgUvBdKXHPz!JsI%y_b)$r{dtp*SC|ZV`u!_RUVqEv
z<16OAf5pk`Pnmptz~q8Ve}C$_dCuhfU!42?l_#$sn|yra<bq9q|0<K$Z#((;-*exe
zynOP*$t!U33Y@$GC$GTCD{%4(oV)@jufWMGaPkVAyaFe$!2eILKsr3-l(2nI3wxRo
z`N+vQzQW*qF<ykH;}KZKP4Ul+)lcE0crRXyC0rYq$Hj0FoPuvLeE$_6#d)|bnz#Y3
zhwI{JaS?ot5&c>m#NBZV{1Or@;99s0{(>=n4vt|Nr{j*e6fQ8Bx8pT<5zfV(@dFNk
z@8du4IeZl7;kIbvhPXbihpXe#_zoNRtvG}dr{m7(<2&r@SK>K%49-A_`{Hi61%3h7
z!L@M}{E$umW&8mifcxVfxCL&EFY+0@0MEx$@o*f$jqy+X4IjeW@LIe8&%<-^WUS(W
zxE4ObxAB+wW4s2>!*AlU_^$i>pZFTSiqGO>cprWnZNyyo1&sd<i=)NLuvp0#i}h1~
z`PBQLk{>SeBkP;XzBsLy6uqJ|>}TzEnsmxWk~H&Huir|NelKe_ifmXkhwV<@E{Z{`
z(-@Rlx7};@I%V2y414X~X{W5OZm#7;{H?X((Bk^W+OeA)-q<+0{!2Hz*`dXa!<*TG
ze0BL|Yn$sE3rp$Bp_}Dv=|-`BU~zR}(YrePv{TM3*47tSSK=?U53~+6PdjBLT^{|x
zd@Voil>6WRsLYh~Q1QSAx<aR%dfL)rmY;UhQ}!HIvzHATtyZ^@^vhP!O^Z&^Z}yYn
zu+{4I45Zf?l<lHbc9LPzY<Gs;K_~0?+Jj`+ZstZ?@30y%ESG9)Tt_#{BHh?rE7s@6
zSG_g;e%ss3lFqPEbcelGqjcF@gGRsK?{vETPNV2G%c9?CHjH!7FY-aw?U$Wy-cOo?
z!62)941)vx$`Dr9iiL7@b7h!rxOoff$L5C;w`y{04~~ZAo}GHy#^Q1@`s8R~)~swS
zn3t==#g#+*-O<i)Sd=DdyPc#-vq%R?OvPrmnGG9hr#DFQGA~;FMz@={lIE~Xdr8vi
zcKThnJnwhB^*SeN<3MvTGgDVrk1Q5@+|0by=_c)dzcuKl!-1RE_0XA|?L05CG8uG|
z{vb`;Nwbxdy&^4#MK>Sj0|U%@%~m<6`|T$Os`GJm#nZXEINW0Z-bXu6)5QPUNxx_f
zlg^-#CRwxH>$eBpUfv%J2Wj4HwOfNhx7Ewr{b7I5PRdp~a4Q=14xo9Ualk{m^+2sI
zt*+&VR~Pg7dl0kmEDO!*S?dcM>Dr-UWBt^|fo{w2V>+Idt}icSzJI7#8NIMxtPRH#
zbY*jSVPh>_+*lud<00##IUc{Xn69J?F_9O}SzQ_baJn*FbNv=J&hb2?`_1LF)hv^C
zZ&)__{bpA7T3NqeHah*R@49t*t!`=2G97x2e%@#nd820uYjm^Wpwnx28dk`9=W^#j
z+XUOXn1|O^S626!3Rzk<hegMe*zYyFRvK@xnH25ZC(Tx)D7u4Ik!Agk2Q=#xWmZ~|
zn*D6p8m65_X_nRb_G2oTU0d(IJhZS_&b|AX1?z{G>^A%C8>PJ<X&3HD!)!0R{YLIz
z+Xk5By}V_K$<slrY$vT|v(dG4beoMqI?S`w2AK_QSM?69b)Z!l+Wc-<-7VU!u4RAN
zD~ookY_+pyGUyM=qLZ~d{iI_9Y?gV`2ACCYiuc}crXB0hu+u5aVLPdLw`d+nsy8J&
zX3L+uC)GFKEQgJ<WfN|8dS%b#FD)*EZo|Gd=%snt_MVHf?6(_TSGk!My`<Y{Snl&)
z->z8uoA1uQ`BkgJ+8zVwC#|H{Z}ysfTW=%jw6j5{-^jY<VAyD<Y1i9s6}?V(bj`D2
zmbJ{9tdlf*t->=?^So(0ZOn{dbNOhxH2+A)Lt)t~))w=HbZsp?w%^0iZuAFvzt>8#
zUTfI4V6~HOvtQb^I!WR-rFq`<oH#*t(^g|R$a~#E(eJ0(u<Ii9YhSjSjRT$Srz2Zh
z&5tZ(n`OD<PQ^%vi-(H!js1q$>2({eblB+*@+9rHvR*Ruhz#4Ue&4yuQrAzL*`Qlk
z^L%Gu7mPz@nKz1dIVeiIPo2-dQ%0k@Ps`IjQdkgn9Eqp9)}CkLtl`jW7cYknib<<o
zx=pErf5)vVn%!Pn<PMRIR@pGpG99G7;gBuRY<nX67W{h0W(S^`qKg~lQhI2wMPiV*
z^Jd!a4az>#BahXf<%m(n*GYSrwk&bkpz!?JHM@D96y0Xpw5lXsL+RGONX)+fblvlv
zZ_M4C>LS-~Wftj9>6!P&2JJyJ_4W$q_;%hIy6nv)DdV9DE33$}Fiq@0-J(%unb%GA
zU96|D|8LFEdqUWI?Efc^jlNU<lb!!Hd=;O?hw%;^!%c8wTpO3bH`w`aM2=s>EpZFn
z95=(&5I%wTvGF&sjzhR7ZiyeV>0gf*<H>j=9*&3M3_KWj#ZTegZ2Z^Y1$ZJJkH;bW
z0YlsqSHvH)`QLz7;(2%?9)S%M$dTbbxD{@KFR}Swh;wlcjv~cDJP5yr+o6qb@BzFG
z&%|S~iA7X>1$Xpy7vEz0zZ}oP6Yw}Z7RRuN``~Br=X?Nf!|&rccr4Dr**FVFa9`XG
z7suQ91%4mT!nyb@oP%Rn#shFCTpI7-7q|f7J9rVEggfE;d;(v>XYkMX6h4Y~;Z-<{
zYv3~YA9Lgf_&)vvpTq|cbLS!0`(Je~Geq;Gl^4Ubmls9eZPdN)RnI-e%9#ht#ifm1
z*Y$jS-rMI~*S7;T7+W3o@sM@Z?+&bPy}rG=*G=te#h?h&tn0ZO*vK6L?N~|P&076l
zuViY}yRHuow7c6|*VG0+xHiB3jSj98lVs1uz1PT^j^%l)<=n(p%Zt=f-nC8lik#ac
z>*t+8(#gsq$%jeiAZ}6VWVxks*vZS<&9i2^y1Ew}K|AhVbv{`N%cPsNS-k_NSC(+A
z(d<~^``tKe^qRx0krs_%x7q5n>{w;DJ7|uqi>&1sQuEqw-|beN9mCZPbMV;Q+CI8B
z$5u{lF+kY2VHuvW=_f~@9bH?^7naj}ZMC)EnIqxnN%D;G)M;jUyVrA^a$}r2oJO4J
z^I_^DG#kt<&Z%D8;l0%yB(1dVl;xt-JvUniDpPZ~xPEjgJvLmOw>?Iq-^@0a#^cS`
zjvd`tUEu0lUL9M~`Ib{5uFTBoY@dfUDTYbf8Z^tkQ&!gR_Io^CTs&FI+)R7D)FjEv
zVOe%ehDO?Nq--*Nu#{m_v=RrTdLLGYu!`qva**742s^rZR<Twt?|a6~I?k14+UTU6
zPJ<0#G>&GRe0%|YXP54P*}#}KCtAii$cK#~OFQQaD%#D=k+<IAu@)*mS9T6BZ87f(
ziralo!N+mVWPTUR3u~oW+8d1Kd-ZPbxlnm>Ge_lqW^N~gUc2A6%o=#7$eP_QtGb^L
zT1lrEwt7P=8Shw9viKU|-}6}1KHK{TlI?|fr;)ekLq1H`mbfkt=A5DXJ>|o8yO*}o
zZnIPN!lz(~D;i1W2;1Rc@3z~GywM*HOO}#{z1Iy_L$i@(-Comiyiv2Goku#1i^|9+
zLm4eu`!96d{OgO$qdR}RHIJW6&|%|X?qodr!E)uy{Vo!FvfUo^oQ@mqR+<)RW6&D(
zEq$#r)_ZfINCtV~B9)xLy)^4^1Na@T-eKvyU-zSNoQpKN-#Zt8>2w%h!&vpEubjvP
z;rQS+=;ecSFlhBsd%z&)C*)pg4I6!z#W`y*OpMp|=fP<V!xk5}C`3AvfmvMdvatKu
zcbOU+$HbR5$CKfI<xk-H%-ClvPPS;rQ^B^*m_~VP;BF3k+*yNWn;X2%I%;(-1iT5|
zwB1R|RxitHKa@4Aw)X6XHhZ(HCzn>M$djbo>1J7@u!ys$Gq<j27JT`wA~l`Ma=`DC
zH~0#8O-qhnj-afO6b-ko?%Ou-WN$y#&L8XRS&=R;Y;G(r?RL7H|A~F}=2)OQy{tRz
z7JV+C77rtbqfN^q-3<R@R`^2vC2I~!o3}BCtHD#;={Jiw^wv8|XE(3y!JM&KY|h65
zs<(|RwB7GG+-IJqY><g_7W@Q7+0S{j46xmFaPD*2MG%yWaWHgqTki0%U-ZkG$I&{_
zsUDZbJr{Cugr(I(yF72z@80y3u>Wt!a61_G8~gtW6C>_T?E07Bd3YM0f+ypVSi=2q
zb$pOre*s>D-^J7MXgn0ha5f@0;5Tu5TmpZ{=6@Uh058B3a0h&seg6e~8h?R5!~1ao
zUV&%fH*iUOn~nb^d=?)><OKXV-ihDC(-FRai{c{qHv9f__$bc9ZE+iPaRXcxf5WbS
z4Azn1UbrJ}kFfg_+!WWqC)oAp;z@Wo3j8{*f<I-;zZoya3-JOx4Znql;70f)`~8FX
zBfJr>$LsJ?JP~K2i+^Xke;n_}Tks~l5n=Z~4Po=&98r((6?_JNhBspk*TYqDQGA^Z
zKX2#1&1)}1j-SEB@lA8#-|%sK41bG1$D8rHh`DlW#J}o8VF!()*dR|kHeU;I-DZ9J
zK)Z6(EH_6X@P)<QJkv+hwIgx1T3U?*wWvSu?!olv;`k^r`OOpASDOMljl9)pdw`w0
zOTn}T<I)f<UP;qF+iB;$L8lZ7X$c=Q`Fq1wlR0f$?e>I{>RqvBVhdZBU}Zyw#NwIr
zOI92|r#}-b_{``x()A-VFPzZj;O7{+CSuPFjiM_w#ON%Oz93N1Z#ie!w?uJMVO?ho
zuav?S-Ck$dvqdMhUyj|UL~(YJZ*Huv%`Jb`$=c|at)$US^0>K)2&9nd(30NlGpD+P
zhG=7+bQ)sl{eeS8jD)kN9Q4z&*Xy-wc4rGm?>e`Sb5xw()Ahxb|NSj&F@5C)l;RQM
zUrk}XwoSO#b4)Bu_2!`2Nd+UA8lK^@-|7e?M?AU3t!!S`e&jgL$PcG0E5*{>9o)m7
z+S6?8i(2GaXHYN*JHjtc6Yis7c8XSuv0OA;gI>4W5^2tol-JJ2-O5r{BVQlmpzf!*
zSq(jvn@dZ_4j$d)hT0LD`QPTb6cQ?09dVZy*O%aVo=Z|{cjBNw95Q|~K?BK5EXS<t
zGtcUv=r)9L_&|iCYqk@cvk6({>e}+b&9$YG!*Yj@p!#%LQP?XHk#_j&G{n&&qQOJi
z?RIhxV=hc1iA2ywN{M?bbtG-DZQ9K=8?^G8V}+3;P;udeCA#xYtsh++d#?UZ59cs#
z$fq01dJ*9nq|LI!*ze~_UNjq>9zRc-^_X#`TsnqLCy!WTt3B+dmawFe)O@gH<TtB%
zO6Ag~{HxiqS8rQ~wZhp@^xL`I2dDQ)`in3i3#Y-omL=_6sMiJ>IX?y{Th6*7F(nhu
z%4_yb$$qFFi_4VTL8i?f@825}gXceMIk5Mn*7Uk9c>_bM1=pZOgauYaa@D}+LWw;V
zbko+x*D`dAYF-+7Qma`?#hH=twj@U~qV98}h=p;Qs3e(Al2T`2@Nx7xygJF5JF!@Y
z1!UOFx~)Mw^)U72-6SpPf<`aPA{iQUU*JXtNF0X}`#pbTZm}5@f}~Ox>Ru{i7+dK%
z#YSET<fQwKz8eW7ql4cGq<gm8e1$Cw3<pY*x1^=Dhh<CDIu$|a3?wN?qiPQ1y2wbg
zYIe%-ua!;@DZgX4=8U8`3sik;#oF4Q`BdFbr!8nbln_?-Bnh^Ma;s9luCnXwB3*D;
zb{jdjpyfYS(4mywZmY0#%21NKTJH^uwX$+ZFV5IpJTtZ8&xf{S!iIr5nxUJ^>B?4W
zXC+=2-%KSJ9-D*-;`24`2*0)Gc5fGCg*TH-2s~>EmG?Orq<rQEKaf<`?TL%?lf_X^
zvQvL_IFJd{ZZrh~2DRT%tEkI7%`uAs8v3DKA7WY1qdc?e)!B2LJL0HihvOlM&2u2S
zQQ9IS0_ju}DWUzWl}p~p8w2@hZT=Srj<Elkqo>?F>^b)T<HM-)FYNy};`i}XJQTl#
zudv@gi4WnA@g}?hugCA<DL4lSzRafo68;%~fwv;!|B?HDef%6QhW}*GNBlp<J#i~E
zaBW;3KVZLq9sh)n;Qja$ybo`~`FJw!f*-Quzk<);Bls{rg!dw90wNdSH*r~fmmU8#
zL_NSiB5DHu2=BqW@kYE9Ps81D3Vy`C|0X_zzr>SqODy2JxDu{_%i|*WTG;w{KJJRU
z;8s|`HSv#Z{3qj~C^1Bii1XhGeSC*~|4KXuQ4<h0|3k5g6!*Xt@JDR?_abcnm*aQv
z>$n6ij{j!ce-07fKM%LXZP3LH@zV%f|FPJ>5iH^`9)P<e=E*O?ze?i0M}8*r{xBc*
zE=%<2<$WIAeq_B#cMFS)n|e^B@~?-TzNA-k*|VB;2Wg)tt;aXo>Ppm4t;~saO+<QF
z)}N@&xwif29zGJbz|1MVdj63<sY1ZpErt<<b*?sohC^$Tv72+*ePR-Fbfr8?1(PEh
zfd^mk801o7Yd(ED15}sd!^PQ753zgBTUFH|D0t{dGm2F0t_<9KAPFxm)H-ytJePCW
zvuik_%B$=qU0c4xn{YxVM^WmwU~0X)Nesb>V!Cn~!X8(jh2AL|jbtF1&S@ock-1|!
z9m6QvS+C(t?bBg|%E~;o==0#n&2^__wRQ`KiVM+I6Gby~?>)A_&6Pz348_8FacJ2l
zIjV-(Z+A<&Qd@JQQ^wKCBoQ_nqJ3h4Vq87B4IN`{q|EwuFY*HH08X-b(UWN0E2XQ{
zJ<hpVw(B?#r|XBawbip$oJ^Y?yWu{|fY63|B9#p7W?4#2E_<9Xif`ndgi)TfvMlX$
zOypwPiM;o2p`bw8c+u~+<$%<_3=C#g0fP~_oxh*e$0)NPH9L(4hoO9T_e5S^1ZV}T
zqLfI;irL+Ay3A!~wApS3A~&Ix@WP1O*B*|Ok<zL>N7K8p%ZyBy_)1gGvjy(b$Ubod
zi@Ue)9pgRW0&N#k^%<-sw_3&$EFz;w09L6-V!igz4NI{(=7S|r$ZI%o)|Pr%v&lZ0
zW!o#qaYkIdXZ&9+R*cdwVNz}}fy7cmf#4zUm&|>Uokq_d#OQX&VgQ7HOcHFnrP9Kp
zQ}=V#p0T|TEiNxD?sC6&)S!4_?B<?Sx}ADjrTFB;Y`{ED$il_EeJLk*LwQuf&*I$J
zlSVrjN<I*~Q#Ho*E8Rl&n5{u%(stY{RVLMaB^)j)=Vw(oVaKm7?{YPEDH+>}FYkGj
z=8xzk9!9kU{Z^|VslhF7U$NqTC$+?y46=k2+_YKxvh*WEUEaD$!RRWI+BXl2WX0t)
z8yKHGfQ)>iOAhn#sB%J0Vztw+q>??P$is0k$t_zhmh;1Fqo1C-s&<3|b~u)|lM<%C
zBkU6YiRqUo5<EyeK%<(pC`wbCp)^Lcpu<w-%i=_^cK75r^ZVJa_$|9dkI#7^q@qSI
z9n`)=?CyCU1xjWwadnj_lLn6vXOC$j=F2Tt+I#KE1KX6NMWRZN*T~^jyn1}}81j-d
zobZw)8PvY}?mmdo9X<Xa3W?z*@6NC(D^kwtP||*umq{wJQM8&YX4YZ1>0KAjrX5~Z
z2{cL6XsF%l)W5y%K8VpQoE^kyve%F`DT}@+#6293Q~{Y>Y3B2Y2g#Rr3HnlDd#V@2
zgq$1;hujE-ltn3{#5z~|F?aV1uv<D+buR9VxH2vVDo=W;Xhy%+=!so1jwI>!RI)b9
zwsIOL4<0<Ju~8Ec_CK?K6xWSUruuvDW$T}T2jkxOb^ID`j{$Cg&$IELgU4YN%ZOP2
zgAsKAx5kgy_ix1S;@NmA9*algQ8*Jh?u9GieeC@=BI5l~5AZ^~08hhNC~!S|oUI>z
zfQa}10bYV<;^Fu$JQS<=4cr!y1Mp@x|C{h~JRMOFu!5)sI34#w<OQ^FDlUc44frZP
zjgR0@@J_rI&%@L4c$|$Kr{kWu6>fsl5PAZa!A0<2;S<1D@MU}&;YWBU&cRJ_6I=)3
zL-;-)!8@>oBRGigBm5G+%Qx_9gr2~Q@iaUPp(pS){(w*6Z}DEd4v{kuK7=RXVc5Vy
z{2K0v+v9dfaD7|_ALTcAG$NPaFz$=H<JRcm7x1$PAH&5Ec?RF%M~GU258+9;1#W`N
z<J)`(|Add?kMMfD7O%nY;(S#9&6wKp@K2rGll^9w8r;fhXSURK;c&WmWOKA@#c$8o
zpN~$u<3iknT<9Cc@<Ds20Ne)U1HZNB@uAgLXd~xXX{TD-UY~6*?@rmOQuFXaHaO5_
z0|*tcTGZnwJj&d$%~a`IChNZL6O&}LiWheFI_z?6+KA+1M(Em^Q3D-UVnapxc!!T8
z#g0S7VW+C`86wmg7P8f0)c*-K_-gdY^jxr&b}%mD+~+cKyAN}FzAH$-pd%8?QYz!*
z&4%R#a{hK!Xe#AT1O~0(ytPsglwzp3xDb+?oxt6iE%!qVdUU+n^%71m*!nUX>dYck
zCdLP{9anF0V>R8nTuQ#jmprarx;9C7J<-cLz0Ub0ULOC=6S~wC1L7FlS1jw~&TwlK
zP4l)py2=b8DIFy%+aA&sTQF56?Im(WWl-8<nl)QH9ON^;s?qeC-TG%XKGh3S7}%6#
z5t?eJ`8xOv`x)aywFhfWF>oeHCF#gaQQ{$XDhSYz^h#AawFeqSJu1^=E1Yrs0SrrF
zh+apvXd-yaua@(uH5_^sSaw>4T0Tkap_-!fy&>zuaLRUrOHPSwhlEAF>qP`@s%|zD
zaWpHB|NbK;D(_t0J)Z`vsLLG{Yg(_XD!FNF4PjtDCziehN!D`wf7E3#skmxt_H;(Q
zc*Q{6dXQ${|H$9ANv0y6k#R!n=(DwPUetIE+*-i47r?E^)W+dOOXS+>+Nfx!J^DKW
zQk%;MM+ddB(!=P5@wd)c3dI200a1cgO?=pX@geJzdY5Spt`(ygCqpkUt}H%eapfWD
zLZK7W_+4+kHu}5M_}P(SEmCFTug2dytH`|hi6X^za!Gu<5_*a+*@2<e5TB-J8%E?}
z4-YPHE^RDYiN=|8@r?zWp*o()IyHKwGUCzK#o3JVt-mz>WbIIRjr{GEV~1DI^68E(
zbS8!{Bg7E*;b3e?JECMW>wt>+RGPGE<3T%2l=jd%HS7*4FUV|am~SQVp?=X(i>Kre
zr6o)j(6HZj*su373U77Q%Vr1*qjH#q!$rD#amenQYy4teTWUYje-g_g-K8`FCb{~1
zL2ilXEz`;_AjggCi=0eB1Y)2XlO~X*pA{suT=P25FSp|o#Ym60t8P7xC$y(I7!*wN
zQ6YDaGLu@sqT#lS`V!^HB`7e?r6vl6#+IN=z?!O_y2t0xw#L>w9p*yeF_iIL-MK7n
z9SFu%E~lQ@7B0;+Bsru2DRPm9Dc^iRU!Wscqq3F)5bt@nW%NQb9tR#2;hT)kQR-Py
z*<SZ>XLmuv-Q}1xJ-?5WR4D00n#PWGq56y$p6T$Ulsy7B?b!c_*(hjZovZD#0m)e8
zeWl@~93->vNTHH})Di?Qc{J<`b%%8-C10cDnw|Ia#N;9v>xsL@XOuVlX_se_>X9&}
zY#S$<G;xwqUK}R@Ppxxt+r(9@#95=vM^LMVk%j%wEIlO+yNmsQ-o*I&7xw*MBXa+5
zg9dJd8zOA~Yv3aI4>tbm5H|lk5H^1wH%90IUJKX674ZZ1edGhY3irpIadX@Zp#%6c
zxC}0ZOX7R%{7>OScoISn@FoZyz$+kf0zQL}A@cwK4B->F0MEf=@vHa_J3jLNzlg~H
zk6eI<qk-$-N(ejuUop)Ac(c!6hG*kRcsPCw55+1%3*gp>e1JFN4G2Ae$Oi~JKEapS
z=>Lch;SX^>9*;8-bpQ`S==k3s_dpA$;?wN+r{g?41}g}?z-!_!+2rrSYjHjvkE0mk
zKDZlhjSgC9B5e840Qe5u{H-{I`{4Gt1r~4<+!)u!Wf8doe~3kd2EYSwcZ4k;_5WeB
zzYyo*;W&yFEF<R9gE9KI!+_u1C<g~43_Us;%-Bkc!<F=)1LD!~clTTsB;N@=@N`MP
zi#qQ(8#_FQNLrS9Orp4r#7xOg?`X=kXFX6Go)jJ{2?TXKJC(!B+yOcUGPm|sS2Vd<
z5+FOg;M}S<pCVB+VBhWalqxodl5)E|uTdh^7iuUBBjOO2KN~Z3!3*K=U-cDimtF2$
z*VgNBy)w>3OxkXd^bYHqI8sL*L?>zRgf!Dw;?(#K$wW%7vt6?(x|YC3_$<?5?WV&_
zMa5#i8D5_=6`!t6PxU)5LzFU44gC1LToa6nlkPF+?$IY_t(oF!HpyGtSX|*yn#}l(
zc=@2eUz7(&3UQ-f*zG?Ye=%Mckeyg9m3sPpcFmp?l$N7ir1I0&qgFX|_#LEF0OX?B
zN}P~KrR3~1*@97f*RmD45Ap+L7}v13%sd~*y~=w$C%t~W`_jo~XaJpzyDWr-MB@fS
z38#{V2g>@}DsCdU-fjC?rhp_}X9Bf1Kanv^{DTKa!hL(sl<F*~-tOxCpZRk$_dn*!
z%6g>GZ~c6}y0j#;M?iCIdY<^~U?(Z+XfO)Y#alle54-Ag<e3lp3b-6J9G4}!ii2b%
z(mZ_42zM$uZ%GEKyMA%b`7^mTlS{G3{2*?ShCCo0Dw>{&)r0U+S6zdQ$A;u&RUOj8
zIJ6vvTRabCF5%NM(pCm8a(CgcBrEP#x<vF~?L_9sXwC4h;<nH3lD=y8j<;!6R;;a=
zG2^%%FCz2rWjeWj{7EE3f{Uu53Zsx0&~-3ne>0?pLc2{zSdsLS1`bg{(hExR3D1&b
zP{}I~DOE9dp)WDpL*8o=(Mc^y!w%%Jk!&k0e}r%oDsDxHsxl~OZgJ}mLgqN+1iB^H
zbkxkSAUzrv`Y1-L|Mt^=A~R{<m1ft!Ih_$d&URycXsY07M}jp?GMk7>7Q!P@$Q}g*
zL`l{3DAehb6Y{_gn$j%#U8;vv@$BwD>8m(5A;L9S-PDi2eMcI_aypK2ocMa%Y^PH3
z)Dkum$zORwtEF&&%?B*mywgloh*RZp*bCuG+QZ8ITl5g6V#=$ba`Kb8Jo{Xf-A_6v
zei7vFmT8AW!jXe_sX54vTAZC$k#spq;r&K~03YGk&XClW)FaOE2ERo=Dg4@nzg$<B
z!kt@rzOQUJcZ+}uStV(fJ*kVN!<}g*_;E;z1`_6pED>Qs4+KMnbwX%d;6>(<;niOp
zJL77bjR8(#p`-Z!wHaz_VXv|OpEkDIPWcks{vYrh+zAo$zdo*lE8&W`7{1P~|1@5V
zd*W7TAZ-4h!_{#)e2qQ-Njx8S#a(bKL@$7ABkcT$@jn%h!WyCvK-2*IH5>lDcpXCf
z@70K$|Iq(C3q5>+4gdFeKi+|e^S=t`BkKJhiLm(}hBJ`j9=Iji_(fa`m&cFT_0cEb
z-|;C#-2eS}7v6-I;3){Lfba>dVG)N=B60wB(+Lc%fG6Pbcqo=}KU^IjWcPmn@5bv9
zx&h%AxI8Y0Q}6}$|KH(vaC?M4zyVwbKZC2{D!3&6gT4Pxh<*a$6SynFFK{#bJffe#
zQ}Go1HllyP18_}5?|{(%djnpA^YLOl1CPZTn)sYK^Dp=~-j6pU=Ft$<e^t}BZb^WC
zHEy+>Zsdm-H|CbH>VIC&u(~w`h#j6&ifOs{rvgN2TV3j=YJ&x|sL=8@l4K^~7dbzJ
zKH2zjUT)0};!(Vy5-`|Zuwy-!gm7pxT^omhQibiZI34x&^p7+Ystd`5cpsmz^Kn;}
zt*WR#mq;S~A)4EzMnZ>Ic>?L=p#X(cYm0J0N2giyjx#Dnm>KCrj$wA0t=_5*MHSik
zZBa$$X_O%jsN1XBCpXyOFOiig_^&or+}~+Z+%Z)+OO>#1kKre&cgs`&T+INVo&t{l
z_Q?peQxTNVNQ|7>(BmS<*OX7%?ekCbfT+O=^%y^3NVW<VuBu+~8b)r-w(IEnyCl<0
z2HESIXNygpb-d0C`Ozce+B_f0@~xDM<1hE$1jVqU2xchSqCz1n+Ef$VJ^3&!g@J=1
zjlE{1#>+KmC7gAAd!tLx%1La}z^?ngwffcAyqxIuGve;GcNuwg`Uxj?$pSRxo(_8n
zT`iABNUz156PfRa$XeEPr<z3f)q;{KN+L^I(j?QS<o>HS>L3NW;-oW-`RwQFn^&hx
zA5R(q*CEYA^^a;pWkd8sAdR1tnz-@`cS35X%P*_5lUn)6LRuRgOD}{s->YOZj}p^o
zADvNN=eUA?&t*-GmmscmiA17AYbcpOyoaetf;FM@F6JkpILgl(xlS!zOPaD*X^^4E
zM2YpnwKJB|bB-Nck0PGks^2#EN<CPf<RJXG83u>b*2wrDryA^%RWQvJs8)f6!MA6A
zz*M<3ez2M=@MFaDCpikc-1SAN1;xR1eWkhg2-e1JUbYh?Dv5sCNIzR`QL8C!exI$8
zkc1~Aas{Zzb(=-Mqt#2PDU35Zmni>`#Pm$cb{TmCw8>IZn-p(`Y%{-Av)>|7?p;Y9
znn~c;d9~)MJ@$N7q({mA<*=ZaDN;I6Dyf7&Y;iW1lpJct1G(x_qwGW+AQlGIINBVk
zyt3Zaz6G@p^eah5le;%N#OfkOc}4n0hiZg8bbdZYmC8gFIU(Fa?l<A+O&g9lt&B54
z0=^Zy8C@SJ5p{a~nhyY@V18u>9YySq|K>H#P>067>NH9ENM8d-foRr1ol}XIeIsgI
z<*rzmgsUZC6zxG@{h}RFP^9KL=An>yvAz8-t{)U)lT4H@9Xz_abc{Uqd`)O9$TLNI
zQ9u^!K&7I8pXV$TKn#^Wz1!yAd6o()3;m+$a-_2Cds<lt)pc{~C888^?#1XdI%*b_
zB!)F_p>rJrM%}~0ku!S_W7u>4=c!w);!WIV;6sHHGz^=0(v^oGs-<dza75m-)?{Xb
zBo(Eq_9)^g4zo0fDLVQMRjTAg>h5$AB0QA^W+uowvi}pt+QY(TWB;E!G2E*4|KS68
z41NXQX3PI8K7o(m!w4;a=mYqAya*4#6%f4uqYvOW+4rBp`G`FK(Ea~aG*GquL-T(V
zi#UW5r{fOj;#=(em*ZJD7h(TD0g>;Y<6gKD-p7Uy{r|V(g?JL~gy{eGJw(m_C-CQZ
z90s@{u7zvh=WuyMVnpQXzZM5^ciaxQ!1WRJ{-@z;xFka7KXm^J{08of$kPwKzliH!
z6_>`3*yrEDzv5r;S%h8x7YP0TP23Py!%yMA*z4cMx9|mg4DZ8lqm9!Lx%wBwMQ{qf
z#f}df|ATlUZjOlWUkjH*<m!Ku4gYWWdqmH`=ok1_ycuu8%kevS6hbH9o94(j5ZZtr
z#d{F*=8mW?-2KFXS#!A|b4@WyR7Xj9cZ60iIc%uMCj2SZG_3iAOjC>TFtu=^|JLHl
z1~rYfxktSER!NO^MZVOhihxEwIrlWd0YT|ZOP;Qyziel@&?M!h6Og-;n64C%rndZD
znm=_PlxH%iVhBvHGw0s_)K@*#(w<477zrH3iZ$1NY;-xMNf*^?6F)n$CPtrB4zTfc
zB;AdB7wxy=MZUGWt;-<mj_|24v$zRmHGYMm^`7Hf4zP22_`gfV_JTtMZV5(G=kMB@
z>a~_;%C%#-+2SFyVL@KjE?0B6Yc-iV`;0qs$(6%VIh6D)_BGTufzYAM1|cNMhur?w
zcHOh2p71>hhe_UIlMN|**%)e{Kb@)u@%FfP8FOS3i%l-*YPOhDgoxX{RT;YHu~NQw
zo5q6nKfP|a(-Z^8=o(EacY~JH0?N}YPCX+Cbo4sHLV|vd*&UMgQO8;Dz3xjWt(+=X
zPOvI?ORa5r+EH?A@Z%zunL>=w)tOdWY*n;W`)*91mVFC_2CkOc7C9|kBm>t)?}{!<
zyvfZNsj3-CBB3!QiK^!nnhTl<VvlByV|(4b$|y}$&jykCy<@$M^=8+s%~9>uOsV;v
z^F{%+oQ<~B9<m4-qg@72Ki8|!P$R}gNmcrZs>I%aEhc)e!lNObTQxqN_N-=6rn!u*
z<y}=|)8SIF7RTN_2PU;9G}M(bYqhBwJd<cGIc2n?v>jxnrV?A^fsLjds%I5|DNa$4
zN#anx&4sY|RgQb{oS$=W^=t`EbE`mgAB^mI2h!Y$octRfaR^k%lGiY=B=nNe>ek?v
z{)W}Nljv_qwVOtv95wsAV0pdI^r+$O_EtW>RL!2)tHZGI2(or;KOEiB@qt+z&c%@F
zW`o32rCkE?7m3rdZt1rXhVOX<iG#7kT(&y5p;idF%?_hl&oMiUc*>?VAbZX>eo_{c
z;%vp+oU9HdK2UlI$p({+%`BTxudtB&*Ip?EZ@TK4nao1WNmg?@bZ8XL&9>1P=jK|B
zE~IXz%^W7H?w$jsr5=iVg?7@p6+`1moy{1`A<yVU;k*$I9~qN<E^`M73nmR15e+pB
z6mn{I^+lVWN{LYn;NYRnVtsvXq}A!zv(iUP0%DzN)Eoff<YPhi@F<`ovnybsiIOuz
z$83~=LJuay<A)Ug!(gm;I*xP&D_+>qJ(!(@)i)nH-lTBpSZArVtmsR*qsXAwNOaY7
zCYG&`Q%Q{0(WC)v@pgATO!>?$?WsMv-e+kh{xaFDXWxBHvaQ5>4$Bj2?KPB(DjuWs
zPU??760}V;h_W4bG-<WcSugxV5!Gv<3rzb{)rf3;vIvDsRI{Uomu9AA<MMF9q?^g1
zuHGX}e-!qo5q3yKP%<-(y0LN(OF@S|soA7<f)|D^ndYawQ6!(^;6_G`g~Oc{`Txwf
zQ*Igm$Nqn!5AiST|Iq(`2F^p&0X!O^3Gg8NJpPJp{~m+};7jpLg#Q0|cnpr>fruJ_
zkFfRMjnD#kC0>r-$Mf(+gbqL#|IW_;I3nl&1BgBV@4~C_Y}^}{Li7Om9$WwO_#1@Y
z|F58h>m&RCSHR^Fwg3Ol{{I-BiQA!r8zJiauYil--`M+60}y(Ee~&-H>#&UL;0lNu
z{?PyX0{#u3NAv>tApQ_%;ump4Toa)M_yacoJF$$&_Yc3ot#M2IGMcy+E{hMa_d^Tt
zA$TC}kJE8?bZ{Cz%f5dmo`J_<3HQU*5%&HE@NWD8o{Om2zYH#oAF$)UicjMCxGQds
zHg1Gdac%rOu8fN!di}i)55_%k2aM)RY*|N-j8A}3-nP#<iO-fV%%P8u&)Gt^01;|w
zm^=hL?#u+z8{7pt!V25amk$YH!W$%`3NEs&_K>tktrC(xdL&<05jFFyjW*@!2**DV
z2mKQmYvdH_IKx@3Q&)drhthwDzL%4{@PgEKheWH3q94iDG}dJ-_uAwQ)h6Ucr(gTB
z(ywk_F%k!pnW0vf6_ElxQU?Ooj;WS-vd#Rmwj}jqv|$L}3L|*Ow%%yhVv~-RLxcfC
z_pA0Yx+oc}95J>Pj*dS7XKjMb-mRFxkbsp~A(NG7J?Xg8R&B`wO;sTj!&O!hez9$Z
z1KzZB^~>6?{;Yo0j+)Qo4}`j%ycCY&9=)Vg&W5+EU9h#h&8<$YhlGvupQQJwh1a){
zO_@n3E7Le*)ZL|E?m#O+I}b_fsU18wqvGKi$K~|3-Dhc#1lkro&tz!laS*q4b*UN?
z?PW&^Q0XVq6;Y8fr?Yyf*@*Tk`O#m8YlVt^y@!oR_NdOdO0&AzTQyoACjB+1gN-0$
zh@tK`VkwOYC80<W)WK2p5-l~Uf=!AAoN3~4-L?V;%3}H_D_&N_(Tp-(Pg>V8xaQNX
z5M(vIB}&j|M_OGTq^#=fp-NF-4-pHkkXRaoH|ZCsUsR9fk#qc@yG)&uVP(Bw`400a
z%MyUB`B)o<d{rIpD4F+pQ+ITqw!2M+lXTj3Z+hGIpQ9RAk#S*S=nK)}#Iqy{qB_`X
zb<zt3^fs5KZtRkkh8-t)DV@$;=5os4-R#w#*fL{y8TI;ET($B#Nj1*iyBPh{fwPgW
zk<SZ#c%`@FQiEClaWPyyJLGTp1jkOnQL;wtdM9?C4nH5KRrGC-^;9S}%8M*X&d&A{
zT}Cu+$or%%WXp=Y6BAKA;E5KBR*X_}O|sUiGYT$L4W?~@#uH%YmD=$mF?K2O)Am7o
z+pL<>jmnX80Z$EOdKATawsW~nJt8YTyN-lrN*)6-l6I&lwwpr2A`TJ~(^maQ9831L
z2cj~xxhYb8yd^X>waVk3bDJ`LA$4rrc1><yR$e3qP&n33mVi-%HE91S6`n`GVC6M5
z{OVncMK5QLX{#%FaWF4-jaP5EaQD1N<bvdu%k@y3Vjl9MXcVY<FvSSj`LYL`W%y6H
zXB|5&U_4!{^OTlTYL?c$r?Sd>)w9`Z7HW-iw<n(9tsu<_CxC{h%X6nMNFfcKoKhYI
zmXf11Y7&T(q$Zt`@Slyyu|h7467wN3PwpdoYQ48{<kA!FsD|f8#gFs;lNjor@fdO<
zCzb)L1S!#N(D~aA+tMLdiC~dsp#j1LuPjMZ@4Ri!CX8cAa)~;ORC1;q7!__=?T0||
z$%+Fh#yF~i-njzJ41dq5e4>$7q6kfibMjFdO0Z-zF-Qn|8)Df1%)(I&w;KQdANKtZ
z@pXI(AH)-Jb3`A21GpA0ix05xqu*cX{;%M4+yR%w+u8K5K;->D7tg`DID-4(>i8gA
zK6?CxjekB~gwXvv50MX$<1|E_f9U?d63@j`@d!K&kpplP_s1P^DO|v&e<hxc-$B^^
zkH^_4a6NpSJs-LKZ$;GnM}Ggy@mxf1K;-d<W?$I)pF(K$y%+DsyAXB%FTfLVM|_VB
z|3yUI|A$e{>;D5^KNt7KW$@o@`7a^z`u`oD#Gm3#I0M&3<nvzw7sEvny#S&oVB`RV
z4<PjVqSpVq2>bsMh}i!(@O6A1e~EYE9NZL<<9}KFh;9Ehd<9>|r||(q-T#^RMMPhK
zYa+D!zQ^vr0MQrVbo@FZ_8<Q$#{-}4TPZ{DLMc!lU7UFox$FtGSbJH_BBpX|WeTY?
zZ4Tr{Y0e@wT1~&s-5lK(Zl}+>7pG?bfRo2`aT;YB&OVpb4blm(8$n#M_s)K))_;z{
z1wC)OqW;Te8O>oxsPZ84a<o)HlA~|4@oBS=Xs<oHc2M0vM*TzNHq(+ndzW2g=G$?y
z+1fL$tB0cl`x^OZ67Kt%FZ$2wK;@+1wC|Xpxu5c;NXyk4fB`4#ONJARjXQ@YQUfm@
z$;j_+jskkMAM-lZKHTF$#x|iMgt;-}=!gww$5oj7jsL@iQOqcZixeTReplx!IRNc~
zp-xAS@R_MmvIcr;t3!=RW-`Mm(@uzCudAf<N4+zfe&LLW_-LHFT##&Wqg+Z4?Hj%3
zVi*bxD#Bp>$>!_Ga1_0j6f11a@*{ApdQoblX1$t}sW7Lo)Q~B!2LYA1+V|9MRU~_D
z#&+3x*SB@U_nF*<gAym4Xon6#qr0Skhu6BoqQW@*6ja5;dwT*TikTge`(!+YPst|h
zSX}!9-mBW?+s5n85pI7kX7JIYXO2|A2Vv*!d5$PdNZyoo%3bNW8)eYUdN+|uM8cvc
zy+DwItrGKDgr|rC-Vj&}t3Xk2y_0qnsH&{SBWwL|O5t*snL9h=@mJ%Y9ocOs()~+A
zaD_Qkqf}+eu;6SFd2H+6!Xss4Qv1c_Nye4&qZ&!O5XVC`Rn%sbuGU{@G`pPdY*-fy
znEL*FVI;w~Z+1c!xwPR*N)k2NlDi{|-J7>QX}&;VMM#L+TdY1F*=WVB4;FVk9R=>i
zwB|>4ly*@GLY}d?x~sQl+80IIg4SXCOkZB7QB{kI5E26%(p<kXY_zAzG}#cD)a}g9
z+|*?~dUT66SduMa>f>x(S<PYp7-CWlEL85*&PVnH6?Lk&d|{+PxsYyb?4O&`Y+AS!
zG<u@>=lTlFm;&_cSwmzI$s{_X2v9@|ztGR+!jD+5pl+|Jkxrv#$7%%8D;W{nvv@ot
z|Fs=k^>~7emb1!r+-E{04kb$G>Dp%2sAx_^6VLAJAy?X|?|`7S3^n=#95O;KUe4*O
zI(iPI>*O`NFk;kIck<RaW^Uxpp+~*F+RqSH-gEVq|Ij5(LGeZki1Z_M9*U$$z)QRp
zyzWOmhXGoz^_k)Q5M7hyN(NCHrV5Ih3njwR4?XMYVY;#l%?`18q*mq`V$Om!5-Gci
z(D=r+AE6T<R3;$9HWw!BhUlFoSyq@v<GN6~wVIxCMb*6l&1B3U4RP#pdEO~geg6qR
zm~sy*s6#R1MI#7W%8p7@03>-Sc+?a<YCd_%nx-H#MsQ93K%D$6zjeR=*>(bz8qV2U
z@W8G3|615_;{VScS##`1cKsLe8T<|2i3{*{yawmvDYz^Chn@dbgbu*R5PbpPh{y?e
zE}n`<VhxLU5TZXo=mmsk;IH5&2(5s>=MRW{fG6O$u!P^l&m!^x-i}w}C3r3#hgB?N
z2@l3yFu;HD0lW&~FL)uIhVT>I9A9PoPx}N$kHF9jIEI_x#<(`Fh^QHO2bOSu+!=So
z9dL78A6Ld-v;7~1GmzrG2!Fus5j6v$2N*R2SH@qn{U3!ha2OB7y%D_u?}R(z7Pt<g
z_Wwid{?PSbLi7f_AEH0teQ;;A@eBA2+dpywqAuVpY+?h4ad+GT-)Hx~7B9pT@CclR
zWgNjn@F3h1zl_KicpYAZsQ-^zfU~fP4TLt}>9_+fiMN|auRv%6J{iA_M<6r;M{{g`
z0?wxF9NqNDY;3NL1otaGg}v85m3&!9!`a0`?l%PE2@)|vy3xv`Cx9vkMqB7m-Ios|
zXDK0iC738pNx-!3hfiLCzd2q1)}u7@LKwATq3FHDAEGmwotx~jDx<DkR5JPOOD$iG
zjX=ISGn<`_O^3KB_qT59ZCrB{Za#6zs4dDncJpb5BNP1CxD&&+^6gx6@O?HtM_Ppj
zqw>Z)ZMBlf9hP>hOj~DH6~MHcBrt?Wh8mpDq7*uM7uxuur$Fr<BzfqSdp<Atef%r2
z=gf8tYfxZ|ZAGg^mY5`QqB7<><q9g6QAH?!+J?gK!sSxR5SNP2?Jwtx_EOz5yEikj
zM}u5Hny#!+CqMoO71WK}9qc(&3E!F{X<SGpKoyP~X{(pPL4HmpQOG2u$_#puGEGrR
z@6RlvP*gj}fXbw-J-W(mQmG~ymsKB4Hx3`%SUos8fA2Zs>Flm}*G}Xj<RXQfC#J8S
zA-!k}qDtS{P2CJvsl|$nnxLDWf==(+Zl?NB>k_Y9xe@}2RrTKQQDnVci62&q%Xhim
zHAsV|`cVl|7#Tl`*{qM2gX@6lDqtan%280-f$){K^1|_hXulm&?^^PSzvmZ%A!iSn
zf2?JHEuOh+hQa88n0$Mm<x4wDX<(vone1~~P_j!01HN$HK-Ng3Z`M1hcbO#;;iP%W
zn<E;gR;rbhyvP@VRlakib2EJAyesqC_8G0t*omcl2tmU_7h6xQasd&>PH31pq;n)R
zq~MEgmxWWlJH{_qbKTQig=<AHXLg!aM-a7XVQ5eq<C<?dvdisNqb5LKFdsFuaLKz&
zDP>&hc)3KpO1jKZUXeuIT3w?@t#W9H_2c;Oy`f$_;j?jwiAHmDO4MxRDmTJ|rKXsl
z!*prd=7(CKGp*G0>u^i|qai5TsrkUO<GpXLZ%m|L=f)78t7#(2jQ)E>x2u9Q71y1D
z^R=}}kBSrZQq!Fzsiw7H=77M9OAl1djdGiiL86HpngaA4lW-Pg)E(KJJ#{VJq?C%$
zDQn+L+R70tr-L;YXz}d1Yg3(@iY2qKD9tt{l`LahT~yPNx)rnMqSb{n5!Gg3azSSH
z16B4qOX()f%~8LX-SfpsFg?)5+s_w<R1jAV(Knu*rg4kIZ?RRJx}9~kl`6cxcxYvG
z$miH_5S&TI+D@_^C#l9y%*4aTUrsA~r{AuWcg9QADgffR8w;x={p39lAkyw61@M2W
z7Lw6bP%o0hBQqqrAC?vgc}#TsG7q0PRy=Ja8tE5OnjxUota(X`#HEUxbZvb%-}iBz
zrOg#RX(Yjo^}@C)9k&v>s&SBr|Hr@IVxNWm|Gd#x<GBB)+4e8SJ#i02{eScUxHdk;
zR(~2Ej&&5sk>NhL4Q__e{fpjzPs1Z|1|EQ4M^y`;=j-d?bL{qK;W0QHXCiU{7I9zv
zDlUe%vf<x?u<hry{y)!d|0jeN;GZD$0N#daF2KEg9=-j(!*2f~{vDC~|Bv`E!rniI
z=-(H50HFnN30w>p#dp~7pTkFS9&U>!ZiK7gO1L5}hHtaqKZlnhGy#4EU0fem!^QC}
zw);2mb$lLwgFnI}(8Q?-Er848M{M}e0{9aC1s}nm;0<^o&PCY$CGL&r>leCzp%ZWu
zoQlv2h<*UyWZ!=g|A^@G_osLpUV`V~afqCO=>4~d=o?VtbleVYe1pyZGCUKH#xWeh
zeQ<mHDt-lhL`}g@;e+N{%(v>2CkG(1Zq(URZyrY6U-^x;C9+3_n4NsJ^%lesg;A8l
zk;|p;gv41L$6-n<^`3m^)ZQqDojs1WtVe)+w>2-^_@j-mk&ITg9lsLG(&)vl#)UtY
zXIoggBT&^=R32)oX$b5p%92;ft*!D=5XV8L#ZO8~t}&E&+muo)>nC-g1nYiM*J+n+
zVO#%d+Hh+v&8M19qi$OZH1dmdtZ!avzqO@_6&IMQ`{YuF6nZ-DQ8kmoI&!#-er9wY
z-$e^+N8)<?^f+%gKHE+)jISyt+*CtrOFJgMPf%<0jw11P)D%8m+)*n&ePOO^vVF`_
z9p*&!x3;Fp^tY<b{faXq=YDC?0>3h8qERev9G-ldudS}HXD;Hx8JorC_|N8R<5q+f
z1+Qs0rBi1l9;AS5td7fhPN?O(V5#C@=1WIMAxBLWm^m}7skEZ#wm9I_gGBe-II6_4
z+Uyi=;2=*qri%K{Su-Vq+Yj5$6Uyj&{!aqlbT*y6aCCKj<IvReIQog@V?J#EK&9o`
z=-ZRqwCAZJ=b+0Kxf{3y`L4_5<e;60x&=l=i)}$8yC<u^6$N}zkKzR1$|M@dl(raN
z=+EnJ52`}lRSoNM4c`u}u8q5&I(LnFT<kg8=&tCL#806`5nYUIsGcV3Y?vUriz%3-
z_blIq*Ge!XO0}c4G9^f@T3Gls+wT#Hs`_xwSeh&uJ14}rqRZ1T(vjQ07C;LMO-H3X
z4YJ5~XFo=1j{cH~*p5hRGyKi6Pi05g#nk(28c!FKE)<P5-Pr2CtyMQoRIKeB<B8_5
zQy+K6<xo+`OMgN^8g)p17ST2Wu@RSJ<V$Qz23o8szfq;FhE0O8UY3H6wQn)WjMFhR
zB6p7MI49xBk$2BIOC&(Xv%CmP)u_u1?LVGmDkm*^<oaF62<KcDoeT#QQ3s_}(Ly__
zp`$x}-M6wkGhB5C#m0R6pn7nk!$MX`<92!?%1}sPT4A(0C3MglwDb*P*K~A<Yp1>)
z+Hz9Zd2PBB#}#1KeYbc`+ts4Vt&Mr-Ejz(1Zsi6<0BOk5pCIGVw57;am%8s3L{}u;
zKZfm0z80}o3#|uCM<r=Gy2eTEsC#^&qg%;hUtdbIU1sAh4MQtOmtD-+vH5DJ*>k3f
z=cx8;De-m)mSQQN(yGE+E@g+GRPCtr*o>HfqD?8Mdbxz&K%d`SWj^)!x@T%{=1x~+
zJa^vgStEbTJl}J;N=cLlDQy?iQY<GyUj^hqXv-`Zn$q?VrGR|J#DnEra{tQJ$}+=O
zvcch1?{FnGRFgQieHgQYtv;H%V2Cx9(t-zSq8yKO5Rq%82?U2?6gKNiBm0>yB3~qV
z4%MouRy=Yk)y@^Yn)5QqB+U%qFy*Il{{NNP{NJ6}|8JSt|Np_p{~V$Rzz6Whcr$(v
z&qL?|JQ8PN5vSvhh&}<oh->1?xC}0ZOX7R{0sn@`5eTh-+o6Mq{YS5W=o9cid;s6V
z7x7tq93RAc@oGdJLDUbNgTr_*?u)zQcKBs<a3fq3(MRxy`~}~}m+>$71U`)S;PrSu
zqVK?CaSp=oa2Af>H*i~A1aIbRcqyKT$KxC<A;tZ0H{2RG#Wis`e4n4;oA?qwi+{jh
z;m`3Nycxfb&?$Td9*uLbjDxr*ZjPJb2Dm1E4p+zJ@L&89pGWj6ybq#Y;TC8jG!3tc
z@L7D7FXHd<XLvJSjb|hJ6+RqmcnD6%y>JhN-eLGQZh)W0-||&F7LUQ%7~<D(W&8=>
zMAR+31dqp2MBl<?q_`Jui68PiydJN^OA$2;kHoDI^$P!qf5k^IU$YRpg^`aCK8Jt7
z-{PbAYy2tRf|nx2RdE$WPD0G>|Bm@x{WtYyGTi4@@aiKhNYiriDag3;vr@?)6(w{<
z20X9wVYLUKj3fe=^DB#WsEh50c*Mb1B5h;=)+>V2n~5@yeXFwzP&i=catgy4ICaQ}
znRz_NL)fzUkthwdQ0%i8b$Ch1)-q_)78korccI(1wK$<<+LqW92i}2P>7jN>Qn(xy
zE#s=s=oLvnt$A^F(x1tZ=116W$~}91s&`k%2Yt!)nNg4_UZDI`5nLt@l6pX66fUsc
z4D`}fy%5FPf^R~tBGJAtCAjuDfk9M{@iB-!=BDFM<Rpj8OLt^Tnuw&KB!VbtQ^MCJ
zGT~&@(Z+(<`yh?5G3||kUIY%Vb+_M=05Vf);1;Ye&cFSboYTzSxfW&9m!~SbMARpp
z(Wl?Z7Kh=R*!#?&bx`T#r{%L*CJ@H&rNOhp8z!|1INNI)B5egRI(OBHUYeeZ6B6Kx
zcxq3W(AjP~aN?41cO6|Tj_z?+>2$HX`m#B_Pp!11vC@k2R7v-c;X_r?lSdvZC5Npl
zRe*@ZB9DRcRmG}9^QX=gXFjsJvv=j}(>1!mTRQh^OIy+qvF>c{;`ggMQnm%qc;n`^
zCE^cE{cp@Vzqi%Iq3Sx@5@(#c&UW{(6=xT@@}Q8c*>=|L>2@oZHkT*vw8LwwlYr#J
zUAE_xl+F=3925bY#HAQ2swqb2_fCu7N0_;p@ZgG>^Z&4AWbNw2F0&;X8S*4t_#U8z
z@wJ?rlW`}{I=q@LkNtsL&Ra#h+fLhEJ+s@hJTC6s4JJ9dH0_+azoRzHhS4oLu1j_#
zkX4-<Tlr+8&fM{x!~AxmKXUlUupECfaoJAi$j(W#dg2qK*vJc_nd#^^W*R2!?slE(
z>7II8C7kVxxef+fzSun{mqaObg@Pa<ZNpNQI+KJZzKJH6s6+jR4_5P3i43`d2+1Za
zNX|yt0fR1=T)nHsZef!xuj<Z);wLt}A{TKq7b74r`Yht9@ygZ&+jYJ9ac13dC)=TL
z*DvM^>DpQvDgE2)&i`%tZTtSKlW)t!mPEVzJRG--ttvd%G9&p#+wv8qxl5OE*wf-!
zj~S_ok<y@ntUQcFg+-H8OeiBpA(Gr(su(@3pm`H7{24j+>hGM6Ties>kx7(Br^lmO
zBTQlhyG8gWOXp~EMUZf7wr{;M7em<EWA<PCj(<#_otIkysPW;wGtwTCHnZEr*s+*I
z{Qv6gqT$5;f6By0`U-pf)p#Hx$Nv^+;Z#KYKlJ~?zP~u42jCkJvHyD^V*h<yAJ@fc
zxEfAD<O94G2k{{M8g79b<BM$U7hr0ShaFzvdiXe7`u&KwfAs&0eE#PnZ1Jbyp*V~i
z;uGxRzrefk2D}u{!F&(E2YKx-xGbW#->dO-JPl99qp*qxB6<USgbf^Z|1ZN!@e(`>
z4@20_5&!=rTR3X|-+?#aB{&~1#xrmZBIo~x_yl`6H2>d@*WrA;2rtBWcobF<J^nt!
zKK?6&?*9dN4bI22@OaGU`$z2mS8!3hh28vSyaLZa<ow?f|H(Fvn*YB+*w637v<E=M
z^q+xy;bQoP`4Rp8{vLmakKr%yhxmQO{K>J~zj_a(gQ^!R8r{ZmV&~Ib?dE#oElOqg
z$+uMTN{&o+d5DAP5ZD(`jS_><=<zB=`+?R#%)+vimmu?+Czj1WXw{sS8T)A^fHm#v
zyK}JNa2{tS#JUp>=272(eT=11f^DixmbXunR!%k5rh);fT96A>y?$!I%DG7$Xy)7?
zV@RJ?2}O88_}c4Us;Q<~{-=(a(U>M7*Vz$QO?Yy;PB>&+Gzf~;xrzWtjcKf>uZr$L
z+{1Fm#b32R61s^>-+>@W)c@rj7IDqy5+k_k6W_iqvjd2;b#-`g)3$$hv~_HqRJMxG
z=I-oPR{cnhQYzjk-D}7CUcFY7Yt?G&#36NB$gZas1Kl#ck~Djl@20Gdpo30I1j^Zz
z_V7~9n@&Z{6k=!f#}5>#&CG80)z0fQ=gT_Yrnu+8<wy3lhoZ*C!17d+)RWMw{h)wC
zKcw57Pn=s6jcAS6b0AR^T`;vd3>=|*HJ?eM9JJ!**_awp3lTxNkgkB@5CIZ)Xf74Q
zF--J`BsJN!R!&@zGfTO&dKn6KL|McNB|ppQP(<qD(DA6*FER;+Z9nS!U4q$bbn5sD
z?z6hl437XkNq8!zWS%Sr8iVT1$UjM@OpsSOG%XIwWh%l6&xE8)$bR)H&FD~G@9K8E
zo4(8ao*V2|<Z#a^uG}}3KG!Dj-X9dHoN!eG(ki4{@M%Vi4q-sy(dYw7#!Li?_ME&h
zVpsxB-I^WM$GyS340kScpNxFZEVFTvbgX)_$K5jJN1OTuPE3=qrQ%y^yt3!a%Fko3
zaz=@XBnAzBNLtv#OPahxx~cXEQDe0iYUap+b@Gq~uXieF3ecH3!%VG=3up1mb^Q}M
z@1-=qBQWkGCDEpC0GXZ9C=~-rkLPcc(A*GTC$O)xgC-r)a-?k4J9s<fOj88QdpPU!
zsQH|m9M!E$&X7h8IY(JJjEFb$Quz!;b{W{j|M_$!nNg*Q4!fLb5^Y)`VN92ZBt)xM
z^EMyT+Y>WAsTf0k@T|4;C?~=mV-UFKyB)HBbKPSFMbvrOdGknLpf(cPK+&L~C8sWH
zHk?m{Pl!qpnBu^9b85d4Cpd<x(|#()ar_|Co~u+sf28dk9mT3L#M~>1MKU}{QCO{&
z)e!EmEOi?LX&xjpi7rZWAm8UiN;R|QxfpA5<eXLR<J|45ap)vA9I6u4xP6%#y$C@F
zidmM;T6TtN-qg8^Pei>(>JZi<-5+;dRhXWn?V7WyVg@VR8pr>c-lID0$p3%N#DIGf
zyFT>)pNc2rTs#7YaBuuH{)|2Ueq4Y*z;h6}|Ch#pg*}f?BVzcW|9=6(_J1KBi$~*8
z2<`uf<3|kt@^~+M|8;mVeg_eke>5J2s0WA||GVLGcn^F3wFrMe#N<N@Fnj?Kn_t1{
zxC1VUx3lwKffwP)cqmFd0H@=AxEpSTo8rrC{uklN2w%WaJP7y1-ElYE1~<ml5%KlV
z0X!QkSi%uR@4&lafd69mzY3uPcrJb$s|XE%h^5~X_dwJMbZ{D?Kj1SF{(#U0d@$~U
z=m&6PTmzTJ57_$O!*}sjd;))t=n*i$4RH-z2|r^0e+OT{-{HM@6JCYq<FPo3$oG%_
z0e3(bH^L2Z16%`_z&H5^-h?4?+!wdT0eqED;C#Fo&p_w_JQ7>~rVrmVt}wd^R`&pT
zhf?$kP3(oaT8tOcE)<tZYS04_2NV3HVk1`Hp*F2Ns@sx;NztY7m?;~sc@GGYs_H2|
zG(r{>$ey{F@3oONwXX4K(_iuQbKA!rO!}WhaLFpM7wBZogWqfqBShJ^4?COCT+^-B
zS9LeF*>w<0>9HOA*vMk7Mt)|7JF;I#uZ(|p{53D?!j@}$JDq=r`hEQLuI~3rkDd6L
zQNNn_<nYGE(V^VrkrO?>(8!+syKvaTIZ1;by_&5Kk8Qt$t(UfbZFeVpB{lv8Me!s)
zIFmS5Y3`NL+ZC#%$uM;2N@HgynMXBEYnfiwBnhbh<)E!7Q8NfyF^XAgUfPvNR5$jG
z(S3=*@3OZ|AG+}ktIpu<SLSZ%=%Q6mJn}`t=@GxM>#aR*knKd$=bhr(k#TJDhg2_j
z6f=F)I?riOIe|){=sA&SswgTRb>fk4pAE#s1XAnIap+d_Z$_7Pm#fO6Sy?@6bVVpo
zE**@y8t$F(r5hEcOjQ%&s%>jxRO(9hJVr^!*63=~5<*KhSvZO>G)dswkt@(^5I*Zh
zuOH`msUFb}$ORE~iBp#%$FlZBQ2h>CmGkgu(8X|ZUN9*Zk?COf93MxNuF%?GI~(S*
zARL4`#7-=PQX>bs`hV>MyZjR&2iui{rL~r1?56w<>TdN*SI@{^%-+)3?P|14#w{O>
ze*6rb_ypMVn&@XTlm|j0K+TAiLuof7L7^&_t#u|u1W3<Qbsm{R+SE(*j)Qd}Etnh2
zo>ZqBp2E$6D0$u5y$yPoCt;sef4VfRFRp~(>~=(SD@rz9jQ6}W(N<drJRLNeZLM6Q
zt2Q^aRA}Nq{8#$)5(sfPaEzu;K)I3vI`cl~3nR|etJ%{NPWxy`vVCc`Hp1N|%QV)w
z=h}H9OQk3T7az}_eB(k_4&4OWI`ibz9vM$gOr&^qrKRdQaPoJ6;trNb-wQ{lN2_Mr
zDmI0xfXYmL-_Gk$hnH7F1sXZThg+Q03BhyK4U_<)83ngL8(Q|ERnT6+&&SB7gy>k<
zkonh-Y8SVx&L^a$QlMg6j>o@iI3pH~IVTv)bh3TK+?o8=Xs?*mgT&{%&Y0+98sFS1
z_MSdLr^+zNkHm%_`_P`x69wDw4v|YpDa^Fw;OhiP7(rDGeMB{0)LEKJw_G+luvY4>
zy(gi$An9I*)0z+3Wb<bd3&(59>=de+33MFu+*mc%pe5GOEz+(LC9qNr)Wu4DY>Nsp
z7Px^OtnHF&^AyQSxe7In3&G9e(b`%J#_`I7$DIh1fadfE_PJB4Ak6h<NwY!|9*#_h
zBHf`noSlUR=7hfN_XAE$fjk|W>CA{?it6Yw#CmEAY)tF_e{c~N8T<d(#4!6R`~Ed}
z5blQCA!`4B4wpvc^IrnrW$T9)zz6X}+#EN?HE<<d1V3WaM_&Io@K5*vLf`L~FwN8d
zIiE)_fXm_g?D{X@6}TUM6L-Zg<Hq<RTmA)z_<!^O2%G;1Zj7k=|0E*E{sO!lq4oc>
zxEdnX|4p{~XK+65g|O#;6`|#K6+~VCqY*jrC5FfmntnG&#QDF#E`L6rho>NH_~`9-
zP5dQW{KJSE{+Hnyi2V1ehX3c-;2*_#xGipjE`AYLL)hex$C=1*Km00gi`yV<@l$aH
z{3Sd45qLP(@E}BAzo@l;H(UE%cmrO9b8%<H{jNSWB0VJI94QNys3sW%eMEUxtCH>U
zbo1DWEbvf9BUxt*!c#U`#g1B%actF{&mHcmisH!TMmadROS6pX03^a`^*f{l6}m~H
zcA5$HBL|5zmPcPsTw69eL3$e`DcG!EC~_<umNNCXTygcT{xN_`=C1)Xd;5(*H5<v(
zFeLdziCU!&wC(}zBz@&Qy&T-mFWlcwJKTiSTp2|<iRMCiqKv<KM<5tq^>0Xy+REjf
zU3+8u+SPnt9IlL$?4s)S;PemdAEpj{Mu%3y@<RtVEyFrOb<urCGNbmstY~JwT8u(U
zSvM4Io4HJdqI9JcT-EI-j|RupsVIkecKp>z7$yrPFQxC&?ZX8i%;@+n<5H7Wv6m)?
zzjEiU!abq6wk&P|O6`XXj67`JVb;))sT@JJWnqp#09sKZqDmlI%F}5HJ0j&pkM@<F
zen|Yrqpxixacw<0Db6`bi#N&`AT<@f``WFHnVo-92vDs{KmJHK)1sWiKw6SsqbozS
z+u|0~twXzS)v?MZ6EWdPdvF6ve)mMQPmGwgnbdxWX~vmu>l`qxX;?1~Et7K?7dsq(
zFv25jT!8@NQAICfoS#X|s411VAAL58h9HTaU2@7pJ6X<B(_^6%2`zigI_q5;;%r}W
zeNM+xDd?CT$;c|6Bx>z*pwW`aWK*%MfTgXew`f^U+c<jdl<)>ZmwX#dxmf&WH1paX
zq&5xvM6!=tNdUY4fmW5TrX!uLQJEcVbva1M$g#<Eh*2sp((2K-G;md@PIi-`Avg&)
zCufma)d4z649G<*EQ($-Br@t9%_!zmUCPEX4-4a%-tk94b(^G2M!0|kS#%LdJE83%
zp@cl4=(s10Xd^wIQc%-6=2g{ki3Nis*`V$xY1ABo%XE68p5BvDb<pt#(buNVQrsA{
zX$SR7E;GS!vUoD$laZRZ<3PwXSR$CmP5P-3NFY5_YDmmXsP|U1xKHL*1L^;JY%FEp
zGDR_keb1@Em#im8LnD%SJapwtxIgIH>5|-)X-yTD*F$u~Nl42M=lz<`1`#`)*%ZUb
z+~eI7-&cF4)tm}`$FyiT(T+S7rCKUoIL<q=(xU6Vy@Z;b<h=-gCgk|Juk4-mUVMAX
zOncXjV@C@qlXLGs7OiUH$(|N7Kb(M6?1VWn5E^n}d@?ZyJP#6%)Zv$OKvaxcq3M{~
zk(2{v(($+{qKLoV0gl$^$^t#{^6w>GH3@}>=itZ6uoKYWQR89?F;D?FYjw2o71B}^
zT9Vm}c0r^lBwIznJ1NaB_vO(4({3hSRsRKORZ~gFk*iV1jKyqogSz<aN-^4@CO@?0
zdz@aj=(92Tt>d~~#+7M%&JnX*IhU!S$$^c$5$hy5M<+kx4Wzr7@+rR*cdnIcAWRtA
z4R&(wUX_a%#vUGy^05Ci_H4wr!~VbR#Qy&g+y0vf{r`_3wEk~}TO#TJu8YY3KLy`r
z<9`YNfWJcM|GyXS!JF_hJRPC;e^Gp$jsH1(0-^Umt?_@S&tHi{sQLq<cK>sDDWV?#
z*Kr3VxFSBn?tdhr7vMT_+zVGiX#f2&-iq@PasSBq|Do}I1)s&=BJ%%3_wNF{7EuE*
zx+atBaq`2-D{%4(oV)@jufWMGaPkVAyaM%Ifr&E9slR;cX^kzb_N;V$c_EVzqH1^{
z0(XT%_?>6gnI9X)lt#h7s@-y;O>{W?+DZj@S|r^@2Xr}1Y!@Ct))^HX-e{6kO-Tj1
zs|c;@@+vmSo|D>CG#X^k>WrR-bYoH}4yq1x?mAQ*F5XS5eRpJiJ3Lc%SMJf{9;56*
z*o9`JzV^JAtQE-stpSHR!;|JF#bI%RZta8Ma@qD&7(?id&fdl9yC>L2wk@(-dh!)0
znP@&g)H$pmJEJ9vAVpK>hfb;Gf;hf@AjDpHF*ua`mgI)IZvjD<#!cc~FRZVmN7oOp
zZY&TlIdic%s}j+S@9!}tSG~olB|(Y1Rj!2qJkS0>*Mc@544<;B?_uP-N1qp6`l35e
zDuqApj$zjBxJasDnaQJfaC8&)7z9VeP`IH-Y%mNob)L~rQW7^|Q+I;*qEt~7&1u4L
z>+))}l+?)4%ChJ!QM*@CY^D-iIy2YbZSLKNK|4*gI`y=w;QO97s&o;7J!*ks`D)=*
zhDv2@x+Pltw)EiXL`qH9wA0;Jg96?6*s#_IKEVc!r<(5;N6pLwG}0iMeSBh^Q4Dl&
z%WB^$4cZpeaJfdyV!C!{b!D8Xn64Z<JWA2qaXG5Xu^?XM`HfuGdB;KZ@zu+j>=#Fz
zR)y*ebwn1EC%U9rkIWQhM^wc8f4AQt02uX1eKkl8*^A+CG;ivDd?n>=FFp}MJ({lV
Ha5DaXaZIwb

literal 0
HcmV?d00001

diff --git a/Cargo.lock b/Cargo.lock
index fca0ec9..9b04e92 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -349,6 +349,12 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "base64"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+
 [[package]]
 name = "base64"
 version = "0.21.7"
@@ -966,11 +972,13 @@ dependencies = [
  "chrono",
  "env_logger",
  "fully_pub",
+ "jsonwebkey-convert",
  "jsonwebtoken",
  "kernel",
  "log",
  "minijinja",
  "minijinja-embed",
+ "pem 3.0.4",
  "serde",
  "serde_json",
  "serde_urlencoded",
@@ -1238,6 +1246,20 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jsonwebkey-convert"
+version = "0.3.0"
+dependencies = [
+ "base64 0.13.1",
+ "lazy_static",
+ "num-bigint",
+ "pem 0.8.3",
+ "serde",
+ "serde_json",
+ "simple_asn1 0.5.4",
+ "thiserror 1.0.69",
+]
+
 [[package]]
 name = "jsonwebtoken"
 version = "9.3.0"
@@ -1246,11 +1268,11 @@ checksum = "b9ae10193d25051e74945f1ea2d0b42e03cc3b890f7e4cc5faa44997d808193f"
 dependencies = [
  "base64 0.21.7",
  "js-sys",
- "pem",
+ "pem 3.0.4",
  "ring",
  "serde",
  "serde_json",
- "simple_asn1",
+ "simple_asn1 0.6.2",
 ]
 
 [[package]]
@@ -1561,6 +1583,17 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
+[[package]]
+name = "pem"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd56cbd21fea48d0c440b41cd69c589faacade08c992d9a54e471b79d0fd13eb"
+dependencies = [
+ "base64 0.13.1",
+ "once_cell",
+ "regex",
+]
+
 [[package]]
 name = "pem"
 version = "3.0.4"
@@ -1921,6 +1954,18 @@ dependencies = [
  "rand_core",
 ]
 
+[[package]]
+name = "simple_asn1"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eb4ea60fb301dc81dfc113df680571045d375ab7345d171c5dc7d7e13107a80"
+dependencies = [
+ "chrono",
+ "num-bigint",
+ "num-traits",
+ "thiserror 1.0.69",
+]
+
 [[package]]
 name = "simple_asn1"
 version = "0.6.2"
diff --git a/TODO.md b/TODO.md
index 6d8df20..5771e72 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,5 +1,8 @@
 # TODO
 
+- [ ] better OIDC support
+- [ ] better support of `profile` `openid` `email` `roles` scopes
+
 - [ ] i18n strings in the http website.
 
 - [ ] Instance customization support
@@ -50,3 +53,5 @@
 - [X] basic docker setup
 - [ ] make `docker stop` working (handle SIGTERM/SIGINT)
 - [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/
+
+- [ ] Find a minimal OpenID client implementation like Listmonk but a little bit more mature
diff --git a/config.toml b/config.toml
index 2b97bd9..12f31b4 100644
--- a/config.toml
+++ b/config.toml
@@ -1,8 +1,23 @@
+signing_key = "tmp/secrets/signing.key"
+
 [instance]
-base_uri = "http://localhost:8085"
-name = "Example org"
+base_uri = "https://auth.fictive.org"
+name = "Fictive's auth"
 logo_uri = "https://example.org/logo.png"
 
+[[applications]]
+slug = "listmonk"
+name = "Listmonk"
+description = "Newsletter tool."
+client_id = "da2120b4-635d-4eb5-8b2f-dbae89f6a6e9"
+client_secret = "59da2291-8999-40e2-afe9-a54ac7cd0a94"
+login_uri = "https://lists.fictive.org"
+allowed_redirect_uris = [
+    "https://lists.fictive.org/auth/oidc",
+]
+visibility = "Internal"
+authorize_flow = "Implicit"
+
 [[applications]]
 slug = "demo_app"
 name = "Demo app"
diff --git a/justfile b/justfile
index c3c20d9..70b755d 100644
--- a/justfile
+++ b/justfile
@@ -2,17 +2,17 @@ export RUST_BACKTRACE := "1"
 export RUST_LOG := "trace"
 export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"
 
-watch-server:
-    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
+watch-server *args:
+    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS {{args}}"
 
-server:
-    cargo run --bin minauthator-server -- $CONTEXT_ARGS
+server *args:
+    cargo run --bin minauthator-server -- $CONTEXT_ARGS {{args}}
 
-admin:
-    cargo run --bin minauthator-admin -- $CONTEXT_ARGS
+admin *args:
+    cargo run --bin minauthator-admin -- $CONTEXT_ARGS {{args}}
 
-docker-build:
-    docker build -t lefuturiste/minauthator .
+docker-build *args:
+    docker build -t lefuturiste/minauthator {{args}} .
 
 docker-init-db:
     docker run \
@@ -28,6 +28,6 @@ docker-run:
         -v minauthator-db:/var/lib/minauthator \
         lefuturiste/minauthator
 
-init-db:
-    sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql
+init-db *args:
+    sqlite3 {{args}} tmp/dbs/minauthator.db < migrations/all.sql
 
diff --git a/lib/http_server/Cargo.toml b/lib/http_server/Cargo.toml
index 260d58c..7fc709b 100644
--- a/lib/http_server/Cargo.toml
+++ b/lib/http_server/Cargo.toml
@@ -43,6 +43,15 @@ argh = { workspace = true }
 sqlx = { workspace = true }
 uuid = { workspace = true }
 url = { workspace = true }
+pem = "3.0.4"
+
+# For now, we test if it's viable, and later we will fork it to fix the build (cf. issue
+# https://github.com/informationsea/jsonwebkey-rs#1 )
+[dependencies.jsonwebkey-convert]
+path = "/home/mbess/workspace/foss/rust_libs/jsonwebkey-rs/jsonwebkey-convert"
+features = ["simple_asn1", "pem"]
+
+pem = "3.0.4"
 
 [build-dependencies]
 minijinja-embed = "2.3.1"
diff --git a/lib/http_server/src/controllers/api/oauth2/access_token.rs b/lib/http_server/src/controllers/api/oauth2/access_token.rs
index 1da6993..396ea96 100644
--- a/lib/http_server/src/controllers/api/oauth2/access_token.rs
+++ b/lib/http_server/src/controllers/api/oauth2/access_token.rs
@@ -4,9 +4,9 @@ use fully_pub::fully_pub;
 use log::error;
 use serde::{Deserialize, Serialize};
 
-use kernel::models::authorization::Authorization;
+use kernel::{models::authorization::Authorization, repositories::users::get_user_by_id};
 use crate::{
-    services::{app_session::AppClientSession, session::create_token}, token_claims::AppUserTokenClaims, AppState
+    services::{app_session::AppClientSession, session::create_token}, token_claims::{OAuth2AccessTokenClaims, OIDCIdTokenClaims}, AppState
 };
 
 const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
@@ -22,6 +22,7 @@ struct AccessTokenRequestParams {
 #[derive(Serialize, Deserialize)]
 #[fully_pub]
 struct AccessTokenResponse {
+    id_token: String,
     access_token: String,
     token_type: String,
     expires_in: u64
@@ -60,6 +61,7 @@ pub async fn get_access_token(
             ).into_response();
         }
     };
+
     // 2.2. Validate that the authorization code is not expired
     let is_code_valid = authorization.last_used_at
         .map_or(false, |ts| {
@@ -72,19 +74,38 @@ pub async fn get_access_token(
         ).into_response();
     }
 
-    // 3. Generate JWT for oauth2 client user session
-    let jwt = create_token(
+    // 2.3. Fetch user resource owner
+    let user = get_user_by_id(&app_state.db, &authorization.user_id)
+        .await
+        .expect("Expected to get user from authorization.");
+
+    // 3.1. Generate JWT for OAuth2 client user session
+    let access_token_jwt = create_token(
+        &app_state.config,
         &app_state.secrets,
-        AppUserTokenClaims::new(
-            &app_client_session.client_id,
-            &authorization.user_id,
+        OAuth2AccessTokenClaims::new(
+            &app_state.config,
+            &user,
             authorization.scopes.to_vec()
         )
     );
+    // 3.2. Generate id_token for OIDC client
+    let id_token_claims = OIDCIdTokenClaims::new(
+        &app_state.config,
+        &app_client_session.client_id,
+        user.clone(),
+        authorization.nonce.clone()
+    );
+    let id_token_jwt = create_token(
+        &app_state.config,
+        &app_state.secrets,
+        id_token_claims
+    );
     // 4. return JWT
     let access_token_res = AccessTokenResponse {
-        access_token: jwt,
-        token_type: "jwt".to_string(),
+        id_token: id_token_jwt,
+        access_token: access_token_jwt,
+        token_type: "Bearer".to_string(),
         expires_in: 3600
     };
     Json(access_token_res).into_response()
diff --git a/lib/http_server/src/controllers/api/openid/keys.rs b/lib/http_server/src/controllers/api/openid/keys.rs
new file mode 100644
index 0000000..8943483
--- /dev/null
+++ b/lib/http_server/src/controllers/api/openid/keys.rs
@@ -0,0 +1,45 @@
+use jsonwebkey_convert::RSAPublicKey;
+use jsonwebkey_convert::der::FromPem;
+
+use axum::{extract::State, response::IntoResponse, Json};
+use fully_pub::fully_pub;
+use serde::Serialize;
+
+use crate::AppState;
+
+// /// JSON Web Key
+// /// @See https://www.rfc-editor.org/rfc/rfc7517.html
+// #[derive(Serialize)]
+// #[fully_pub]
+// struct RsaJWK {
+//     #[serde(rename = "use")]
+//     utilisation: String,
+//     alg: String,
+//     kid: String,
+//     #[serde(rename = "modulus")]
+//     modulus: String,
+//     exp: String
+// }
+
+/// JSON Web Key set
+/// @See https://www.rfc-editor.org/rfc/rfc7517.html
+#[derive(Serialize)]
+#[fully_pub]
+struct JWKs {
+    keys: Vec<RSAPublicKey>
+}
+
+pub async fn get_signing_public_keys(
+    State(app_state): State<AppState>,
+) -> impl IntoResponse {
+    let pem_data = app_state.secrets.signing_keypair.0;
+    
+    // extract modulus and exp number from ASN.1 encoded PCKS 1 package
+    let rsa_jwk = RSAPublicKey::from_pem(pem_data)
+        .expect("Expected to decode PEM public key");
+    dbg!(&rsa_jwk);
+    
+    Json(JWKs {
+        keys: vec![rsa_jwk]
+    }).into_response()
+}
diff --git a/lib/http_server/src/controllers/api/openid/mod.rs b/lib/http_server/src/controllers/api/openid/mod.rs
index 1ab9853..063a9c9 100644
--- a/lib/http_server/src/controllers/api/openid/mod.rs
+++ b/lib/http_server/src/controllers/api/openid/mod.rs
@@ -1 +1,2 @@
 pub mod well_known;
+pub mod keys;
diff --git a/lib/http_server/src/controllers/api/openid/well_known.rs b/lib/http_server/src/controllers/api/openid/well_known.rs
index 54daf3e..6b2d0e8 100644
--- a/lib/http_server/src/controllers/api/openid/well_known.rs
+++ b/lib/http_server/src/controllers/api/openid/well_known.rs
@@ -6,6 +6,8 @@ use strum::IntoEnumIterator;
 
 use crate::AppState;
 
+/// Manifest used by OpenID Connect clients
+/// @See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
 #[derive(Serialize)]
 #[fully_pub]
 struct WellKnownOpenIdConfiguration {
@@ -15,7 +17,9 @@ struct WellKnownOpenIdConfiguration {
     userinfo_endpoint: String,
     scopes_supported: Vec<String>,
     response_types_supported: Vec<String>,
-    token_endpoint_auth_methods_supported: Vec<String>
+    token_endpoint_auth_methods_supported: Vec<String>,
+    id_token_signing_alg_values_supported: Vec<String>,
+    jwks_uri: String
 }
 
 pub async fn get_well_known_openid_configuration(
@@ -30,5 +34,9 @@ pub async fn get_well_known_openid_configuration(
         scopes_supported: AuthorizationScope::iter().map(|v| v.to_string()).collect(),
         response_types_supported: vec!["code".into()],
         token_endpoint_auth_methods_supported: vec!["client_secret_basic".into()],
+        id_token_signing_alg_values_supported: vec!["RS256".into()],
+        jwks_uri: format!("{}/.well-known/jwks", base_url)
+        // jwks_uri:
+        // subject_types_supported
     })
 }
diff --git a/lib/http_server/src/controllers/api/read_user.rs b/lib/http_server/src/controllers/api/read_user.rs
index 4b9e7c1..465a307 100644
--- a/lib/http_server/src/controllers/api/read_user.rs
+++ b/lib/http_server/src/controllers/api/read_user.rs
@@ -2,7 +2,7 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
 use fully_pub::fully_pub;
 use serde::Serialize;
 
-use crate::{token_claims::AppUserTokenClaims, AppState};
+use crate::{token_claims::OAuth2AccessTokenClaims, AppState};
 use kernel::models::user::User;
 
 #[derive(Serialize)]
@@ -18,11 +18,11 @@ struct ReadUserBasicExtract {
 
 pub async fn read_user_basic(
     State(app_state): State<AppState>,
-    Extension(token_claims): Extension<AppUserTokenClaims>,
+    Extension(token_claims): Extension<OAuth2AccessTokenClaims>,
 ) -> impl IntoResponse {
     // 1. This handler require app user authentification (JWT)
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
-        .bind(&token_claims.user_id)
+        .bind(&token_claims.sub)
         .fetch_one(&app_state.db.0)
         .await
         .expect("To get user from claim");
diff --git a/lib/http_server/src/controllers/ui/authorize.rs b/lib/http_server/src/controllers/ui/authorize.rs
index f6016c9..923d8a3 100644
--- a/lib/http_server/src/controllers/ui/authorize.rs
+++ b/lib/http_server/src/controllers/ui/authorize.rs
@@ -7,9 +7,7 @@ use serde::{Deserialize, Serialize};
 use url::Url;
 use uuid::Uuid;
 
-use kernel::{
-    models::{authorization::Authorization, config::AppAuthorizeFlow}
-};
+use kernel::models::{authorization::Authorization, config::AppAuthorizeFlow};
 use utils::get_random_alphanumerical;
 use crate::{
     renderer::TemplateRenderer, services::oauth2::{parse_scope, verify_redirect_uri}, token_claims::UserTokenClaims, AppState
@@ -25,6 +23,7 @@ struct AuthorizationParams {
     redirect_uri: String,
     /// An opaque value used by the client to maintain state between the request and callback
     state: String,
+    nonce: Option<String>
 }
 
 fn redirect_to_client(
@@ -34,7 +33,7 @@ fn redirect_to_client(
     let target_url = format!("{}?code={}&state={}",
         authorization_params.redirect_uri,
         authorization_code,
-        authorization_params.state,
+        authorization_params.state
     );
     debug!("Redirecting to {}", target_url);
 
@@ -56,6 +55,7 @@ pub async fn authorize_form(
     query_params: Query<AuthorizationParams>
 ) -> impl IntoResponse {
     let Query(authorization_params) = query_params;
+    dbg!(&authorization_params);
 
     // 1. Verify the app details
     let app = match app_state.config.applications
@@ -116,9 +116,10 @@ pub async fn authorize_form(
             // Create new auth code
             let authorization_code = get_random_alphanumerical(32);
             // Update last used timestamp for this authorization
-            let _result = sqlx::query("UPDATE authorizations SET code = $2, last_used_at = $3 WHERE id = $1")
+            let _result = sqlx::query("UPDATE authorizations SET code = $2, nonce = $3, last_used_at = $4 WHERE id = $1")
                 .bind(existing_authorization.id)
                 .bind(authorization_code.clone())
+                .bind(authorization_params.nonce.clone())
                 .bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
                 .execute(&app_state.db.0)
                 .await.unwrap();
@@ -172,6 +173,7 @@ pub async fn perform_authorize(
     Extension(token_claims): Extension<UserTokenClaims>,
     Form(authorize_form): Form<AuthorizationParams>
 ) -> impl IntoResponse {
+    dbg!(&authorize_form);
     // 1. Get the app details
     let app = match app_state.config.applications
         .iter()
@@ -203,6 +205,7 @@ pub async fn perform_authorize(
         client_id: app.client_id.clone(),
         scopes: sqlx::types::Json(scopes),
         code: authorization_code.clone(),
+        nonce: authorize_form.nonce.clone(),
         last_used_at: Some(Utc::now()),
         created_at: Utc::now(),
     };
@@ -210,14 +213,15 @@ pub async fn perform_authorize(
     // 3. Save authorization in DB with state
     let res = sqlx::query("
         INSERT INTO authorizations
-            (id, user_id, client_id, scopes, code, last_used_at, created_at)
-            VALUES ($1, $2, $3, $4, $5, $6, $7)
+            (id, user_id, client_id, scopes, code, nonce, last_used_at, created_at)
+            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
         ")
         .bind(authorization.id.clone())
         .bind(authorization.user_id)
         .bind(authorization.client_id)
         .bind(authorization.scopes)
         .bind(authorization.code)
+        .bind(authorization.nonce)
         .bind(authorization.last_used_at.map(|x| x.to_rfc3339_opts(SecondsFormat::Millis, true)))
         .bind(authorization.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
         .execute(&app_state.db.0)
diff --git a/lib/http_server/src/controllers/ui/login.rs b/lib/http_server/src/controllers/ui/login.rs
index 59cce05..68061d4 100644
--- a/lib/http_server/src/controllers/ui/login.rs
+++ b/lib/http_server/src/controllers/ui/login.rs
@@ -91,8 +91,8 @@ pub async fn perform_login(
         .await.unwrap();
 
     let jwt_max_age = Duration::days(15);
-    let claims = UserTokenClaims::new(&user.id, jwt_max_age);
-    let jwt = create_token(&app_state.secrets, claims);
+    let claims = UserTokenClaims::new(&app_state.config, &user.id, jwt_max_age);
+    let jwt = create_token(&app_state.config, &app_state.secrets, claims);
 
     // TODO: handle keep_session boolean from form and specify cookie max age only if this setting
     // is true
diff --git a/lib/http_server/src/middlewares/app_auth.rs b/lib/http_server/src/middlewares/app_auth.rs
index 3709f8b..c5c4e56 100644
--- a/lib/http_server/src/middlewares/app_auth.rs
+++ b/lib/http_server/src/middlewares/app_auth.rs
@@ -9,7 +9,7 @@ use utils::parse_basic_auth;
 
 use crate::{
     services::{app_session::AppClientSession, session::verify_token},
-    token_claims::AppUserTokenClaims,
+    token_claims::OAuth2AccessTokenClaims,
     AppState
 };
 
@@ -102,14 +102,16 @@ pub async fn enforce_jwt_auth_middleware(
             );
         }
     };
-    let token_claims: AppUserTokenClaims = match verify_token(&app_state.secrets, jwt) {
-        Ok(val) => val,
-        Err(_e) => {
-            return Err(
-                (StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
-            );
-        }
-    };
+    let token_claims: OAuth2AccessTokenClaims =
+        match verify_token(&app_state.config, &app_state.secrets, jwt) {
+            Ok(val) => val,
+            Err(_e) => {
+                dbg!(_e);
+                return Err(
+                    (StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
+                );
+            }
+        };
     req.extensions_mut().insert(token_claims);
     Ok(next.run(req).await)
 }
diff --git a/lib/http_server/src/middlewares/user_auth.rs b/lib/http_server/src/middlewares/user_auth.rs
index 7582eb7..921bdce 100644
--- a/lib/http_server/src/middlewares/user_auth.rs
+++ b/lib/http_server/src/middlewares/user_auth.rs
@@ -28,18 +28,20 @@ pub async fn auth_middleware(
             return Ok(next.run(req).await)
         }
     };
-    let token_claims: UserTokenClaims = match verify_token(&app_state.secrets, jwt) {
-        Ok(val) => val,
-        Err(_e) => {
-            // UserWebGUI: delete invalid JWT cookie
-            return Err(
-                (
-                    cookies.remove(WEB_GUI_JWT_COOKIE_NAME),
-                    Redirect::to(&original_uri.to_string())
-                )
-            );
-        }
-    };
+    let token_claims: UserTokenClaims =
+        match verify_token(&app_state.config, &app_state.secrets, jwt) {
+            Ok(val) => val,
+            Err(_e) => {
+                dbg!(&_e);
+                // UserWebGUI: delete invalid JWT cookie
+                return Err(
+                    (
+                        cookies.remove(WEB_GUI_JWT_COOKIE_NAME),
+                        Redirect::to(&original_uri.to_string())
+                    )
+                );
+            }
+        };
     req.extensions_mut().insert(token_claims);
     Ok(next.run(req).await)
 }
diff --git a/lib/http_server/src/router.rs b/lib/http_server/src/router.rs
index 7901928..fcbd89a 100644
--- a/lib/http_server/src/router.rs
+++ b/lib/http_server/src/router.rs
@@ -51,7 +51,8 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
         .route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
 
     let well_known_routes = Router::new()
-        .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));
+        .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration))
+        .route("/.well-known/jwks", get(api::openid::keys::get_signing_public_keys));
 
     Router::new()
         .merge(public_routes)
diff --git a/lib/http_server/src/services/oauth2.rs b/lib/http_server/src/services/oauth2.rs
index ed60954..d528747 100644
--- a/lib/http_server/src/services/oauth2.rs
+++ b/lib/http_server/src/services/oauth2.rs
@@ -12,9 +12,16 @@ pub fn verify_redirect_uri(app: &Application, input_redirect_uri: &str) -> bool
 pub fn parse_scope(scope_str: &str) -> Result<Vec<AuthorizationScope>> {
     let mut scopes: Vec<AuthorizationScope> = vec![];
     for part in scope_str.split(' ') {
-        scopes.push(
-            AuthorizationScope::from_str(part).context("Cannot parse space-delimited scope.")?
-        )
+        if part == "openid" {
+            scopes.push(AuthorizationScope::UserReadBasic);
+            scopes.push(AuthorizationScope::UserReadRoles);
+            continue;
+        }
+        if part == "profile" || part == "email" {
+            continue;
+        }
+        scopes.push(AuthorizationScope::from_str(part).context("Cannot parse space-delimited scope.")?);
     }
+    dbg!(&scopes);
     Ok(scopes)
 }
diff --git a/lib/http_server/src/services/session.rs b/lib/http_server/src/services/session.rs
index 018e094..dd97828 100644
--- a/lib/http_server/src/services/session.rs
+++ b/lib/http_server/src/services/session.rs
@@ -1,24 +1,37 @@
 use anyhow::Result;
 use serde::{de::DeserializeOwned, Serialize};
 use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
-use kernel::context::AppSecrets;
+use kernel::{context::AppSecrets, models::config::Config};
 
 
-pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {
+pub fn create_token<T: Serialize>(
+    _config: &Config,
+    secrets: &AppSecrets,
+    claims: T
+) -> String {
     let token = encode(
-        &Header::default(),
+        &Header::new(Algorithm::RS256),
         &claims,
-        &EncodingKey::from_secret(secrets.jwt_secret.as_bytes())
+        &EncodingKey::from_rsa_pem(&secrets.signing_keypair.1)
+            .expect("To build encoding key from signing key.")
     ).expect("Create token");
 
     token
 }
 
-pub fn verify_token<T: DeserializeOwned>(secrets: &AppSecrets, jwt: &str)  -> Result<T> {
+pub fn verify_token<T: DeserializeOwned>(
+    config: &Config,
+    secrets: &AppSecrets,
+    jwt: &str
+)  -> Result<T> {
+    let mut validation = Validation::new(Algorithm::RS256);
+    validation.set_issuer(&[config.instance.base_uri.clone()]);
+    validation.set_audience(&[config.instance.base_uri.clone()]);
     let token_data = decode::<T>(
         jwt,
-        &DecodingKey::from_secret(secrets.jwt_secret.as_bytes()),
-        &Validation::new(Algorithm::HS256)
+        &DecodingKey::from_rsa_pem(&secrets.signing_keypair.0)
+            .expect("To build decoding key from signing key."),
+        &validation 
     )?;
 
     Ok(token_data.claims)
diff --git a/lib/http_server/src/token_claims.rs b/lib/http_server/src/token_claims.rs
index 932b4ce..726c4e5 100644
--- a/lib/http_server/src/token_claims.rs
+++ b/lib/http_server/src/token_claims.rs
@@ -1,6 +1,6 @@
 use fully_pub::fully_pub;
 use jsonwebtoken::get_current_timestamp;
-use kernel::models::authorization::AuthorizationScope;
+use kernel::models::{authorization::AuthorizationScope, config::Config, user::User};
 use serde::{Deserialize, Serialize};
 use time::Duration;
 
@@ -12,41 +12,91 @@ struct UserTokenClaims {
     /// token expiration
     exp: u64,
     /// token issuer
-    iss: String
+    iss: String,
     // TODO: add roles
+    /// token audience
+    aud: String
 }
 
 impl UserTokenClaims {
-    pub fn new(user_id: &str, max_age: Duration) -> Self {
+    pub fn new(config: &Config, user_id: &str, max_age: Duration) -> Self {
         UserTokenClaims {
             sub: user_id.into(),
             exp: get_current_timestamp() + max_age.whole_seconds() as u64,
-            iss: "Minauthator".into()
+            iss: config.instance.base_uri.clone(),
+            aud: config.instance.base_uri.clone(),
         }
     }
 }
 
+/// Access token for OAuth2 defined in RFC 9068
+/// @See https://datatracker.ietf.org/doc/html/rfc9068
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[fully_pub]
-struct AppUserTokenClaims {
-    /// combined subject
-    client_id: String,
-    user_id: String,
-    scopes: Vec<AuthorizationScope>,
-    /// token expiration
+struct OAuth2AccessTokenClaims {
+    /// Token issuer (URI to the issuer)
+    iss: String,
+    /// Audiance (In this case, the audiance is equal to the issuer)
+    aud: String,
+    /// End-user id assigned by the issuer (user_id)
+    sub: String,
+    /// Token expiration
     exp: u64,
-    /// token issuer
-    iss: String
+    /// List of OAuth 2 scopes asked by the client
+    scopes: Vec<AuthorizationScope>
 }
 
-impl AppUserTokenClaims {
-    pub fn new(client_id: &str, user_id: &str, scopes: Vec<AuthorizationScope>) -> Self {
-        AppUserTokenClaims {
-            client_id: client_id.into(),
-            user_id: user_id.into(),
-            scopes,
+impl OAuth2AccessTokenClaims {
+    pub fn new(config: &Config, user: &User, scopes: Vec<AuthorizationScope>) -> Self {
+        OAuth2AccessTokenClaims {
+            iss: config.instance.base_uri.clone(),
+            aud: config.instance.base_uri.clone(),
+            sub: user.id.clone(),
             exp: get_current_timestamp() + 86_000,
-            iss: "Minauth".into()
+            scopes,
+        }
+    }
+}
+
+
+/// @See https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+/// @See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[fully_pub]
+struct OIDCIdTokenClaims {
+    /// Token expiration
+    exp: u64,
+    /// Token issuer (URI to the issuer)
+    iss: String,
+    /// Audiance (client_id)
+    aud: String,
+    /// End-user id assigned by the issuer (user_id)
+    sub: String,
+    /// additional claims
+    name: Option<String>,
+    email: Option<String>,
+    preferred_username: Option<String>,
+    roles: Vec<String>,
+    nonce: Option<String>
+}
+
+impl OIDCIdTokenClaims {
+    pub fn new(
+        config: &Config,
+        client_id: &str,
+        user: User,
+        nonce: Option<String>
+    ) -> Self {
+        OIDCIdTokenClaims {
+            iss: config.instance.base_uri.clone(),
+            aud: client_id.into(),
+            sub: user.id,
+            exp: get_current_timestamp() + 86_000,
+            email: user.email,
+            name: user.full_name,
+            preferred_username: Some(user.handle),
+            roles: user.roles.0,
+            nonce
         }
     }
 }
diff --git a/lib/kernel/src/consts.rs b/lib/kernel/src/consts.rs
index 31fca20..9bdfaf2 100644
--- a/lib/kernel/src/consts.rs
+++ b/lib/kernel/src/consts.rs
@@ -1,4 +1,5 @@
 pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
 pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
 pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";
+pub const DEFAULT_SIGNING_KEY_PATH: &str = "/etc/minauthator/secrets/jwt.key.pem";
 
diff --git a/lib/kernel/src/context.rs b/lib/kernel/src/context.rs
index 0c6e3b1..cb90e0d 100644
--- a/lib/kernel/src/context.rs
+++ b/lib/kernel/src/context.rs
@@ -1,11 +1,13 @@
-use std::{env, fs};
+use std::{env, fs, path::Path};
 use anyhow::{Result, Context, anyhow};
 use fully_pub::fully_pub;
 
 use log::info;
-use sqlx::{Pool, Sqlite};
 use crate::{
-    consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH}, database::prepare_database, models::config::Config, repositories::storage::Storage
+    consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH, DEFAULT_SIGNING_KEY_PATH},
+    database::prepare_database,
+    models::config::Config,
+    repositories::storage::Storage
 };
 
 /// get server config
@@ -26,9 +28,18 @@ struct StartKernelConfig {
 #[derive(Debug, Clone)]
 #[fully_pub]
 struct AppSecrets {
-    jwt_secret: String
+    /// RSA keypair (public, private) used to signed the JWT issued by minauthator in PEM conainer format
+    signing_keypair: (Vec<u8>, Vec<u8>)
 }
 
+#[derive(Debug, Clone)]
+#[fully_pub]
+struct ComputedConfig {
+    signing_public_key: Vec<u8>,
+    signing_private_key: Vec<u8>
+}
+
+
 #[derive(Debug, Clone)]
 #[fully_pub]
 struct KernelContext {
@@ -37,6 +48,19 @@ struct KernelContext {
     storage: Storage
 }
 
+fn get_signing_keypair(key_path: &str) -> Result<(Vec<u8>, Vec<u8>)> {
+    let key_path = Path::new(key_path);
+    let pub_key_path = key_path.with_extension("pub");
+    let private_key: Vec<u8> = fs::read_to_string(&key_path)
+        .context(format!("Failed to read private key from path {:?}.", key_path))?
+        .as_bytes().to_vec();
+    let public_key: Vec<u8> = fs::read_to_string(&pub_key_path)
+        .context(format!("Failed to read public key from path {:?}.", pub_key_path))?
+        .as_bytes().to_vec();
+
+    Ok((public_key, private_key))
+}
+
 pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
     env_logger::init();
     let _ = dotenvy::dotenv();
@@ -50,10 +74,13 @@ pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<Kerne
     let config: Config = get_config(config_path)
         .expect("Cannot get config.");
 
+    let signing_key_path = config.signing_key.clone().unwrap_or(DEFAULT_SIGNING_KEY_PATH.to_string());
+
+    // optionally load dotenv file
     let _ = dotenvy::dotenv();
+
     let secrets = AppSecrets {
-        jwt_secret: env::var("APP_JWT_SECRET")
-            .context("Expected APP_JWT_SECRET environment variable to exists.")?
+        signing_keypair: get_signing_keypair(&signing_key_path)?
     };
 
     Ok(KernelContext {
diff --git a/lib/kernel/src/models/authorization.rs b/lib/kernel/src/models/authorization.rs
index 4713871..8c2895b 100644
--- a/lib/kernel/src/models/authorization.rs
+++ b/lib/kernel/src/models/authorization.rs
@@ -25,6 +25,8 @@ struct Authorization {
     client_id: String,
     scopes: Json<Vec<AuthorizationScope>>,
 
+    nonce: Option<String>,
+
     /// defined in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
     code: String,
     last_used_at: Option<DateTime<Utc>>,
diff --git a/lib/kernel/src/models/config.rs b/lib/kernel/src/models/config.rs
index 57a275a..bf2d311 100644
--- a/lib/kernel/src/models/config.rs
+++ b/lib/kernel/src/models/config.rs
@@ -66,11 +66,6 @@ struct Role {
 struct Config {
     instance: InstanceConfig,
     applications: Vec<Application>,
-    roles: Vec<Role>
-}
-
-#[derive(Debug, Clone)]
-#[fully_pub]
-struct AppSecrets {
-    jwt_secret: String
+    roles: Vec<Role>,
+    signing_key: Option<String>
 }
diff --git a/lib/kernel/src/models/user.rs b/lib/kernel/src/models/user.rs
index 9634fa0..355fcdd 100644
--- a/lib/kernel/src/models/user.rs
+++ b/lib/kernel/src/models/user.rs
@@ -14,7 +14,7 @@ enum UserStatus {
     Active
 }
 
-#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
+#[derive(sqlx::FromRow, Deserialize, Serialize, Debug, Clone)]
 #[fully_pub]
 struct User {
     /// uuid
diff --git a/migrations/all.sql b/migrations/all.sql
index 2f71c3c..adf3327 100644
--- a/migrations/all.sql
+++ b/migrations/all.sql
@@ -33,6 +33,7 @@ CREATE TABLE authorizations (
     client_id           TEXT NOT NULL,
     scopes              TEXT, -- json array of app scope (permissions)
     code                TEXT,
+    nonce               TEXT, -- code used to associate client session to id_token
 
     last_used_at        DATETIME,
     created_at          DATETIME NOT NULL
diff --git a/tests/hurl_integration/oidc_core/config.toml b/tests/hurl_integration/oidc_core/config.toml
new file mode 100644
index 0000000..df607aa
--- /dev/null
+++ b/tests/hurl_integration/oidc_core/config.toml
@@ -0,0 +1,58 @@
+signing_key = "tmp/secrets/signing.key"
+
+[instance]
+base_uri = "http://localhost:8086"
+name = "Example org"
+logo_uri = "https://example.org/logo.png"
+
+[[applications]]
+slug = "demo_app"
+name = "Demo app"
+description = "A super application where you can do everything you want."
+client_id = "00000001-0000-0000-0000-000000000001"
+client_secret = "dummy_client_secret"
+login_uri = "https://localhost:9876"
+allowed_redirect_uris = [
+    "http://localhost:9090/callback",
+    "http://localhost:9876/callback"
+]
+visibility = "Internal"
+authorize_flow = "Implicit"
+
+[[applications]]
+slug = "wiki"
+name = "Wiki app"
+description = "The knowledge base of the exemple org."
+client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
+client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
+login_uri = "https://wiki.example.org/login"
+allowed_redirect_uris = [
+    "https://wiki.example.org/oauth2/callback"
+]
+visibility = "Public"
+authorize_flow = "Implicit"
+
+[[applications]]
+slug = "private_app"
+name = "Demo app"
+description = "Private app you should never discover"
+client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
+client_secret = "this_is_the_secret"
+login_uri = "https://private-app.org"
+allowed_redirect_uris = [
+    "http://localhost:9091/authorize",
+]
+visibility = "Private"
+authorize_flow = "Implicit"
+
+[[roles]]
+slug = "basic"
+name = "Basic"
+description = "Basic user"
+default = true
+
+[[roles]]
+slug = "admin"
+name = "Administrator"
+description = "Full power on organization instance"
+
diff --git a/tests/hurl_integration/oidc_core/init_db.sh b/tests/hurl_integration/oidc_core/init_db.sh
new file mode 100755
index 0000000..b57b134
--- /dev/null
+++ b/tests/hurl_integration/oidc_core/init_db.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+
+password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
+echo $password_hash
+SQL=$(cat <<EOF
+    INSERT INTO users
+        (id, handle, email, roles, status, password_hash, created_at)
+        VALUES
+        ('$(uuid)', 'john.doe', 'john.doe@example.org', '[]', 'Active', '$password_hash', '2024-11-30T00:00:00Z');
+EOF)
+echo $SQL | sqlite3 $DB_PATH
diff --git a/tests/hurl_integration/oidc_core/main.hurl b/tests/hurl_integration/oidc_core/main.hurl
new file mode 100644
index 0000000..36e70db
--- /dev/null
+++ b/tests/hurl_integration/oidc_core/main.hurl
@@ -0,0 +1,41 @@
+POST {{ base_url }}/login
+[FormParams]
+login: john.doe
+password: root
+HTTP 303
+[Captures]
+user_jwt: cookie "minauthator_jwt"
+
+# OAuth2 implicit flow (pre-granted app)
+GET {{ base_url }}/authorize
+[QueryStringParams]
+client_id: 00000001-0000-0000-0000-000000000001
+response_type: code
+redirect_uri: http://localhost:9090/callback
+state: Afk4kf6pbZkms78jM
+scope: openid profile email
+HTTP 302
+[Captures]
+authorization_code: header "Location" regex "\\?code=(.*)&"
+
+# OIDC Token exchange
+POST {{ base_url }}/api/token
+[BasicAuth]
+00000001-0000-0000-0000-000000000001: dummy_client_secret
+[FormParams]
+code: {{ authorization_code }}
+scope: user_read_basic
+redirect_uri: http://localhost:9090/callback
+grant_type: authorization_code
+HTTP 200
+Content-Type: application/json
+[Asserts]
+jsonpath "$.access_token" exists
+jsonpath "$.id_token" exists
+jsonpath "$.id_token" matches "eyJ[[:alpha:]0-9].[[:alpha:]0-9].[[:alpha:]0-9]"
+[Captures]
+id_token: jsonpath "$.id_token"
+
+# TODO: assert id_token JWT claims fields
+# TODO: contribute to hurl to add JWT extraction and assertion
+# See. https://github.com/Orange-OpenSource/hurl/issues/2223
diff --git a/tests/hurl_integration/scenario_1/config.toml b/tests/hurl_integration/scenario_1/config.toml
index ad3f58e..df607aa 100644
--- a/tests/hurl_integration/scenario_1/config.toml
+++ b/tests/hurl_integration/scenario_1/config.toml
@@ -1,3 +1,5 @@
+signing_key = "tmp/secrets/signing.key"
+
 [instance]
 base_uri = "http://localhost:8086"
 name = "Example org"
diff --git a/tests/hurl_integration/scenario_1/main.hurl b/tests/hurl_integration/scenario_1/main.hurl
index 1e68473..6213536 100644
--- a/tests/hurl_integration/scenario_1/main.hurl
+++ b/tests/hurl_integration/scenario_1/main.hurl
@@ -27,7 +27,7 @@ handle: root
 email: root@johndoe.net
 full_name: John Doe
 website: https://johndoe.net
-picture: file,john_doe_profile_pic.jpg; image/jpeg
+avatar: file,john_doe_profile_pic.jpg; image/jpeg
 HTTP 200
 
 GET {{ base_url }}/me/authorizations
diff --git a/tests/hurl_integration/user_invitation_scenario/config.toml b/tests/hurl_integration/user_invitation_scenario/config.toml
index f85dc48..722fd33 100644
--- a/tests/hurl_integration/user_invitation_scenario/config.toml
+++ b/tests/hurl_integration/user_invitation_scenario/config.toml
@@ -1,3 +1,4 @@
+signing_key = "tmp/secrets/signing.key"
 applications = []
 
 roles = []