fix: bearer token encryption (#1524)

* fix: bearer token encryption * remove some todos
2025-08-12 03:47:33 +00:00 · 2021-04-06 08:31:18 +02:00
parent 18aec74222
commit 27fcf4739d
9 changed files with 26 additions and 21 deletions
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -12,6 +12,7 @@ import (
 	"github.com/caos/zitadel/internal/auth/repository"
 	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/config/types"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/id"
 	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/telemetry/metrics"
@@ -57,9 +58,16 @@ type OPStorage struct {
 	signingKeyAlgorithm        string
 }

-func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
+func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, keyConfig *crypto.KeyConfig, localDevMode bool) op.OpenIDProvider {
 	cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
 	logging.Log("OIDC-sd4fd").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("cannot user agent handler")
+	tokenKey, err := crypto.LoadKey(keyConfig, keyConfig.EncryptionKeyID)
+	logging.Log("OIDC-ADvbv").OnError(err).Panic("cannot load OP crypto key")
+	cryptoKey := []byte(tokenKey)
+	if len(cryptoKey) != 32 {
+		logging.Log("OIDC-Dsfds").Panic("OP crypto key must be exactly 32 bytes")
+	}
+	copy(config.OPConfig.CryptoKey[:], cryptoKey)
 	config.OPConfig.CodeMethodS256 = true
 	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 	provider, err := op.NewOpenIDProvider(