From 5268f10eb358703b94ad67034db49bc4dfbacfb5 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Mon, 5 Jan 2026 16:40:11 +1100
Subject: [PATCH] Don't allow claim escalation
---
 app/controllers/oidc_controller.rb | 10 ++++++++++
 docs/beta-checklist.md | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index 45c7deb..3e461a5 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -457,6 +457,16 @@ class OidcController < ApplicationController
 # POST /oauth/token
 def token
+ # Reject claims parameter - per OIDC security, claims parameter is only valid
+ # in authorization requests, not at the token endpoint
+ if params[:claims].present?
+ render json: {
+ error: "invalid_request",
+ error_description: "claims parameter is not allowed at the token endpoint"
+ }, status: :bad_request
+ return
+ end
+
 grant_type = params[:grant_type]
 case grant_type
diff --git a/docs/beta-checklist.md b/docs/beta-checklist.md
index caa04cf..044365f 100644
--- a/docs/beta-checklist.md
+++ b/docs/beta-checklist.md
@@ -158,7 +158,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 ### Performance
 - [ ] Review N+1 queries
-- [ ] Add database indexes where needed
+- [x] Add database indexes where needed
 - [ ] Test with realistic data volumes
 - [ ] Review token cleanup job performance
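Review bot: The guard added at the top of `token` is a blocklist check on one parameter name — it returns 400 when `claims` is present, but if the issuance code further down still reads `params[:claims]` (or any other request-supplied source of claim names) for some grant type, the structural fix is for the token path never to consult request-supplied claims at all, with this early rejection kept as defence in depth; that needs confirming against the body of `token`, which continues past the hunk. The comment's "per OIDC security" could name the actual rule so the next maintainer does not relax it: `# OIDC Core 1.0 §5.5 defines the claims parameter for the authentication request only; honouring it here would let a client obtain claims it was never granted (claim escalation).` If the `grant_type` branches already emit OAuth errors through a shared helper (inferred; not visible here), rendering this `invalid_request` the same way keeps the error shape consistent across the endpoint. A request spec asserting the 400 response and that no token is issued or persisted when `claims` is supplied would pin the intended behaviour.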