chore(oidc): graduate webkey to stable (#10122)

# Which Problems Are Solved

Stabilize the usage of webkeys.

# How the Problems Are Solved

- Remove all legacy signing key code from the OIDC API
- Remove the webkey feature flag from proto
- Remove the webkey feature flag from console
- Clean up documentation

# Additional Changes

- Resolved some canonical header linter errors in OIDC
- Use the constant for `projections.lock` in the saml package.

# Additional Context

- Closes #10029
- After #10105
- After #10061
Tim Möhlmann
2025-06-26 19:17:45 +03:00
committed by GitHub
parent 1ebbe275b9
commit 016676e1dc
59 changed files with 203 additions and 1614 deletions


@@ -4,7 +4,6 @@ import (
"context"
"encoding/base64"
"fmt"
"slices"
"strings"
"time"
@@ -329,18 +328,10 @@ type openIDKeySet struct {
// VerifySignature implements the oidc.KeySet interface
// providing an implementation for the keys retrieved directly from Queries
func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
keySet := new(jose.JSONWebKeySet)
if authz.GetFeatures(ctx).WebKey {
keySet, err = o.Queries.GetWebKeySet(ctx)
if err != nil {
return nil, err
}
}
legacyKeySet, err := o.Queries.ActivePublicKeys(ctx, time.Now())
keySet, err := o.Queries.GetWebKeySet(ctx)
if err != nil {
return nil, fmt.Errorf("error fetching keys: %w", err)
return nil, err
}
appendPublicKeysToWebKeySet(keySet, legacyKeySet)
keyID, alg := oidc.GetKeyIDAndAlg(jws)
key, err := oidc.FindMatchingKey(keyID, oidc.KeyUseSignature, alg, keySet.Keys...)
if err != nil {
@@ -348,19 +339,3 @@ func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
}
return jws.Verify(&key)
}
func appendPublicKeysToWebKeySet(keyset *jose.JSONWebKeySet, pubkeys *query.PublicKeys) {
if pubkeys == nil || len(pubkeys.Keys) == 0 {
return
}
keyset.Keys = slices.Grow(keyset.Keys, len(pubkeys.Keys))
for _, key := range pubkeys.Keys {
keyset.Keys = append(keyset.Keys, jose.JSONWebKey{
Key: key.Key(),
KeyID: key.ID(),
Algorithm: key.Algorithm(),
Use: key.Use().String(),
})
}
}
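Review bot: The doc comment on `VerifySignature` (second hunk) still says only that keys are "retrieved directly from Queries", but after this change the method trusts exactly one source, `GetWebKeySet`. I would say so in the comment, e.g. `// Signatures are verified against the web key set only; legacy signing keys are no longer consulted.` As far as the visible lines show, a token signed with a legacy key and still within its lifetime will now fail at `oidc.FindMatchingKey`, so it is worth confirming that no instance was still issuing with legacy keys before the upgrade. The new `return nil, err` also drops the context the removed legacy path added; `return nil, fmt.Errorf("fetching web key set: %w", err)` would keep a key-lookup failure distinguishable from a bad signature in logs. The body of `VerifySignature` continues outside this hunk, so the error branch after `FindMatchingKey` is not visible here.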