Hey! I was looking through the code and noticed that RandomString() in internal/oauth2/crypto.go uses math/rand seeded with time.Now().UnixNano():
```go
func init() {
	r = rand.New(rand.NewSource(time.Now().UnixNano()))
}
```
This is used for:
- PKCE code_verifier (request.go:89)
- jti claims in JWT assertions (jwt.go:86, jwt.go:136)
This probably doesn't present a practical security risk, but wouldn't it be more in line with best practices to use crypto/rand instead? Something like:
```go
import (
	"crypto/rand"
	"math/big"
)

// Assumed alphabet; the real `letter` is defined in crypto.go.
const letter = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

func RandomString(n int) string {
	b := make([]byte, n)
	for i := range b {
		// Uniform in [0, len(letter)): no modulo bias, error checked.
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(letter))))
		if err != nil {
			panic(err) // CSPRNG failure is not recoverable here
		}
		b[i] = letter[idx.Int64()]
	}
	return string(b)
}
```
Anyway, not urgent, just thought I'd flag it.
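Since the first use listed above is the PKCE code_verifier, here is an added example (not the project's code and not part of the report) of generating a verifier from crypto/rand and deriving its S256 code_challenge per RFC 7636; the function names and the 64-character length are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
)

// RFC 7636 section 4.1: unreserved characters allowed in a code_verifier.
const verifierAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

// NewCodeVerifier returns a code_verifier of n characters (RFC 7636 requires
// 43..128) drawn uniformly from the unreserved alphabet via crypto/rand.
func NewCodeVerifier(n int) (string, error) {
	if n < 43 || n > 128 {
		return "", fmt.Errorf("code_verifier length %d outside 43..128", n)
	}
	out := make([]byte, n)
	max := big.NewInt(int64(len(verifierAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, max) // uniform, no modulo bias
		if err != nil {
			return "", err
		}
		out[i] = verifierAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(verifier))
// without padding, per RFC 7636 section 4.2.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	v, err := NewCodeVerifier(64)
	if err != nil {
		panic(err)
	}
	fmt.Println("code_verifier: ", v)
	fmt.Println("code_challenge:", CodeChallengeS256(v))
}
```

The test vector in RFC 7636 Appendix B can be used to confirm the S256 derivation.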