fix(oidc): ignore algorithm for legacy signer (#9148)
# Which Problems Are Solved
It was possible to set a different algorithm for the legacy signer. This
is not supported, however, and breaks the token endpoint.
# How the Problems Are Solved
Remove the OIDC.SigningKeyAlgorithm config option and hard-code RS256
for the legacy signer.
# Additional Changes
- none
# Additional Context
Only RS256 is supported by the legacy signer. It was mentioned in the
comment of the config not to use it and use the webkeys resource
instead.
- closes #9121
(cherry picked from commit db8d794794
)
committed by
Livio Spring

parent
fd8e5f8cbd
commit
5f7dd9aa3d
@@ -530,9 +530,6 @@ OIDC:
|
|||||||
GrantTypeRefreshToken: true # ZITADEL_OIDC_GRANTTYPEREFRESHTOKEN
|
GrantTypeRefreshToken: true # ZITADEL_OIDC_GRANTTYPEREFRESHTOKEN
|
||||||
RequestObjectSupported: true # ZITADEL_OIDC_REQUESTOBJECTSUPPORTED
|
RequestObjectSupported: true # ZITADEL_OIDC_REQUESTOBJECTSUPPORTED
|
||||||
|
|
||||||
# Deprecated: The signing algorithm is determined by the generated keys.
|
|
||||||
# Use the web keys resource to generate keys with different algorithms.
|
|
||||||
SigningKeyAlgorithm: RS256 # ZITADEL_OIDC_SIGNINGKEYALGORITHM
|
|
||||||
# Sets the default values for lifetime and expiration for OIDC
|
# Sets the default values for lifetime and expiration for OIDC
|
||||||
# This default can be overwritten in the default instance configuration and for each instance during runtime
|
# This default can be overwritten in the default instance configuration and for each instance during runtime
|
||||||
# !!! Changing this after the initial setup will have no impact without a restart !!!
|
# !!! Changing this after the initial setup will have no impact without a restart !!!
|
||||||
|
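Review bot: Dropping `SigningKeyAlgorithm` from the OIDC section means a deployment that still sets it in its config file or through `ZITADEL_OIDC_SIGNINGKEYALGORITHM` no longer has the value honored; whether that is rejected at startup or ignored silently depends on the config loader, which is outside this hunk. If it is ignored silently, the removed deprecation comment is the only place operators were told about it, so a release-note entry or a startup warning when the key is present would keep the behavior change visible. Before this change a non-RS256 value broke the token endpoint rather than being ignored, which is worth stating in that note.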
@@ -354,15 +354,15 @@ func (o *OPStorage) getSigningKey(ctx context.Context) (op.SigningKey, error) {
|
|||||||
if keys.State != nil {
|
if keys.State != nil {
|
||||||
position = keys.State.Position
|
position = keys.State.Position
|
||||||
}
|
}
|
||||||
return nil, o.refreshSigningKey(ctx, o.signingKeyAlgorithm, position)
|
return nil, o.refreshSigningKey(ctx, position)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, position float64) error {
|
func (o *OPStorage) refreshSigningKey(ctx context.Context, position float64) error {
|
||||||
ok, err := o.ensureIsLatestKey(ctx, position)
|
ok, err := o.ensureIsLatestKey(ctx, position)
|
||||||
if err != nil || !ok {
|
if err != nil || !ok {
|
||||||
return zerrors.ThrowInternal(err, "OIDC-ASfh3", "cannot ensure that projection is up to date")
|
return zerrors.ThrowInternal(err, "OIDC-ASfh3", "cannot ensure that projection is up to date")
|
||||||
}
|
}
|
||||||
err = o.lockAndGenerateSigningKeyPair(ctx, algorithm)
|
err = o.lockAndGenerateSigningKeyPair(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return zerrors.ThrowInternal(err, "OIDC-ADh31", "could not create signing key")
|
return zerrors.ThrowInternal(err, "OIDC-ADh31", "could not create signing key")
|
||||||
}
|
}
|
||||||
@@ -393,7 +393,7 @@ func PrivateKeyToSigningKey(key query.PrivateKey, algorithm crypto.EncryptionAlg
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm string) error {
|
func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context) error {
|
||||||
logging.Info("lock and generate signing key pair")
|
logging.Info("lock and generate signing key pair")
|
||||||
|
|
||||||
ctx, cancel := context.WithCancel(ctx)
|
ctx, cancel := context.WithCancel(ctx)
|
||||||
@@ -409,7 +409,7 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), algorithm)
|
return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), "RS256")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
|
func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
|
||||||
|
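Review bot: The bare literal `"RS256"` passed to `GenerateSigningKeyPair` at the end of `lockAndGenerateSigningKeyPair` carries no explanation of why the algorithm is fixed, and a reader of this line alone cannot tell whether other values are valid. A named constant keeps the constraint explicit and the value in one place: `// legacySigningKeyAlgorithm is the only algorithm the legacy signer supports; other algorithms require the web keys resource.`, `const legacySigningKeyAlgorithm = "RS256"`, and `return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), legacySigningKeyAlgorithm)`. A doc comment on `lockAndGenerateSigningKeyPair` saying the same would help, since the signature change in the previous hunk removed the only hint that an algorithm was ever involved; the function starts in that hunk and ends here.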
@@ -31,7 +31,6 @@ type Config struct {
|
|||||||
AuthMethodPrivateKeyJWT bool
|
AuthMethodPrivateKeyJWT bool
|
||||||
GrantTypeRefreshToken bool
|
GrantTypeRefreshToken bool
|
||||||
RequestObjectSupported bool
|
RequestObjectSupported bool
|
||||||
SigningKeyAlgorithm string
|
|
||||||
DefaultAccessTokenLifetime time.Duration
|
DefaultAccessTokenLifetime time.Duration
|
||||||
DefaultIdTokenLifetime time.Duration
|
DefaultIdTokenLifetime time.Duration
|
||||||
DefaultRefreshTokenIdleExpiration time.Duration
|
DefaultRefreshTokenIdleExpiration time.Duration
|
||||||
@@ -71,7 +70,6 @@ type OPStorage struct {
|
|||||||
defaultLogoutURLV2 string
|
defaultLogoutURLV2 string
|
||||||
defaultAccessTokenLifetime time.Duration
|
defaultAccessTokenLifetime time.Duration
|
||||||
defaultIdTokenLifetime time.Duration
|
defaultIdTokenLifetime time.Duration
|
||||||
signingKeyAlgorithm string
|
|
||||||
defaultRefreshTokenIdleExpiration time.Duration
|
defaultRefreshTokenIdleExpiration time.Duration
|
||||||
defaultRefreshTokenExpiration time.Duration
|
defaultRefreshTokenExpiration time.Duration
|
||||||
encAlg crypto.EncryptionAlgorithm
|
encAlg crypto.EncryptionAlgorithm
|
||||||
@@ -162,7 +160,6 @@ func NewServer(
|
|||||||
jwksCacheControlMaxAge: config.JWKSCacheControlMaxAge,
|
jwksCacheControlMaxAge: config.JWKSCacheControlMaxAge,
|
||||||
fallbackLogger: fallbackLogger,
|
fallbackLogger: fallbackLogger,
|
||||||
hasher: hasher,
|
hasher: hasher,
|
||||||
signingKeyAlgorithm: config.SigningKeyAlgorithm,
|
|
||||||
encAlg: encryptionAlg,
|
encAlg: encryptionAlg,
|
||||||
opCrypto: op.NewAESCrypto(opConfig.CryptoKey),
|
opCrypto: op.NewAESCrypto(opConfig.CryptoKey),
|
||||||
assetAPIPrefix: assets.AssetAPI(),
|
assetAPIPrefix: assets.AssetAPI(),
|
||||||
@@ -232,7 +229,6 @@ func newStorage(config Config, command *command.Commands, query *query.Queries,
|
|||||||
defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
|
defaultLoginURL: fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
|
||||||
defaultLoginURLV2: config.DefaultLoginURLV2,
|
defaultLoginURLV2: config.DefaultLoginURLV2,
|
||||||
defaultLogoutURLV2: config.DefaultLogoutURLV2,
|
defaultLogoutURLV2: config.DefaultLogoutURLV2,
|
||||||
signingKeyAlgorithm: config.SigningKeyAlgorithm,
|
|
||||||
defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime,
|
defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime,
|
||||||
defaultIdTokenLifetime: config.DefaultIdTokenLifetime,
|
defaultIdTokenLifetime: config.DefaultIdTokenLifetime,
|
||||||
defaultRefreshTokenIdleExpiration: config.DefaultRefreshTokenIdleExpiration,
|
defaultRefreshTokenIdleExpiration: config.DefaultRefreshTokenIdleExpiration,
|
||||||
|