chore(oidc): graduate webkey to stable (#10122)

# Which Problems Are Solved

Stabilize the usage of webkeys.

# How the Problems Are Solved

- Remove all legacy signing key code from the OIDC API
- Remove the webkey feature flag from proto
- Remove the webkey feature flag from console
- Cleanup documentation

# Additional Changes

- Resolved some canonical header linter errors in OIDC
- Use the constant for `projections.lock` in the saml package.

# Additional Context

- Closes #10029
- After #10105
- After #10061
This commit is contained in:
Tim Möhlmann
2025-06-26 19:17:45 +03:00
committed by GitHub
parent 1ebbe275b9
commit 016676e1dc
59 changed files with 203 additions and 1614 deletions


@@ -12,7 +12,6 @@ import (
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -64,14 +63,13 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
type SignerFunc func(ctx context.Context) (jose.Signer, jose.SignatureAlgorithm, error)
func (s *Server) getSignerOnce() SignerFunc {
return GetSignerOnce(s.query.GetActiveSigningWebKey, s.Provider().Storage().SigningKey)
return GetSignerOnce(s.query.GetActiveSigningWebKey)
}
// GetSignerOnce returns a function which retrieves the instance's signer from the database once.
// Repeated calls of the returned function return the same results.
func GetSignerOnce(
getActiveSigningWebKey func(ctx context.Context) (*jose.JSONWebKey, error),
getSigningKey func(ctx context.Context) (op.SigningKey, error),
) SignerFunc {
var (
once sync.Once
@@ -84,23 +82,12 @@ func GetSignerOnce(
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
if authz.GetFeatures(ctx).WebKey {
var webKey *jose.JSONWebKey
webKey, err = getActiveSigningWebKey(ctx)
if err != nil {
return
}
signer, signAlg, err = signerFromWebKey(webKey)
return
}
var signingKey op.SigningKey
signingKey, err = getSigningKey(ctx)
var webKey *jose.JSONWebKey
webKey, err = getActiveSigningWebKey(ctx)
if err != nil {
return
}
signAlg = signingKey.SignatureAlgorithm()
signer, err = op.SignerFromKey(signingKey)
signer, signAlg, err = signerFromWebKey(webKey)
})
return signer, signAlg, err
}
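Review bot: With the legacy signing-key path gone, the `signerFromWebKey` result in the last hunk is the only source of a signer, and the surrounding `sync.Once` (declared in the previous hunk, body outside this view) appears to cache a failed `getActiveSigningWebKey` lookup as well as a successful one, so a transient error on the first token signing would presumably be returned on every later call until the process restarts — worth confirming and, if so, stating it explicitly in the `GetSignerOnce` doc comment, e.g. `// An error from the first lookup is cached too; callers must not rely on a retry.` The separate `var webKey *jose.JSONWebKey` line followed by `webKey, err = ...` reads like an accidental split but is needed so `err` assigns the closure-scoped result instead of being shadowed by `:=`; a one-line `// assign, don't shadow, the captured err` would keep a future cleanup from "simplifying" it. The enclosing closure and `GetSignerOnce` itself both start outside this hunk.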