chore(oidc): graduate webkey to stable (#10122)

# Which Problems Are Solved

Stabilize the usage of webkeys.

# How the Problems Are Solved

- Remove all legacy signing key code from the OIDC API
- Remove the webkey feature flag from proto
- Remove the webkey feature flag from console
- Cleanup documentation

# Additional Changes

- Resolved some canonical header linter errors in OIDC
- Use the constant for `projections.lock` in the saml package.

# Additional Context

- Closes #10029
- After #10105
- After #10061
Tim Möhlmann
2025-06-26 19:17:45 +03:00
committed by GitHub
parent 1ebbe275b9
commit 016676e1dc
59 changed files with 203 additions and 1614 deletions


@@ -3,11 +3,8 @@ package command
import (
"context"
"github.com/muhlemmer/gu"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/command/preparation"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/feature"
@@ -21,7 +18,6 @@ type InstanceFeatures struct {
UserSchema *bool
TokenExchange *bool
ImprovedPerformance []feature.ImprovedPerformanceType
WebKey *bool
DebugOIDCParentError *bool
OIDCSingleV1SessionTermination *bool
DisableUserTokenEvent *bool
@@ -38,7 +34,6 @@ func (m *InstanceFeatures) isEmpty() bool {
m.TokenExchange == nil &&
// nil check to allow unset improvements
m.ImprovedPerformance == nil &&
m.WebKey == nil &&
m.DebugOIDCParentError == nil &&
m.OIDCSingleV1SessionTermination == nil &&
m.DisableUserTokenEvent == nil &&
@@ -55,9 +50,6 @@ func (c *Commands) SetInstanceFeatures(ctx context.Context, f *InstanceFeatures)
if err := c.eventstore.FilterToQueryReducer(ctx, wm); err != nil {
return nil, err
}
if err := c.setupWebKeyFeature(ctx, wm, f); err != nil {
return nil, err
}
commands := wm.setCommands(ctx, f)
if len(commands) == 0 {
return writeModelToObjectDetails(wm.WriteModel), nil
@@ -78,21 +70,6 @@ func prepareSetFeatures(instanceID string, f *InstanceFeatures) preparation.Vali
}
}
// setupWebKeyFeature generates the initial web keys for the instance,
// if the feature is enabled in the request and the feature wasn't enabled already in the writeModel.
// [Commands.GenerateInitialWebKeys] checks if keys already exist and does nothing if that's the case.
// The default config of a RSA key with 2048 and the SHA256 hasher is assumed.
// Users can customize this after using the webkey/v3 API.
func (c *Commands) setupWebKeyFeature(ctx context.Context, wm *InstanceFeaturesWriteModel, f *InstanceFeatures) error {
if !gu.Value(f.WebKey) || gu.Value(wm.WebKey) {
return nil
}
return c.GenerateInitialWebKeys(ctx, &crypto.WebKeyRSAConfig{
Bits: crypto.RSABits2048,
Hasher: crypto.RSAHasherSHA256,
})
}
func (c *Commands) ResetInstanceFeatures(ctx context.Context) (*domain.ObjectDetails, error) {
instanceID := authz.GetInstance(ctx).InstanceID()
wm := NewInstanceFeaturesWriteModel(instanceID)