[SECURITY] Fix DoS in openid