fix(oidc): enable webkey feature by default (#10683)

# Which Problems Are Solved

When the webkey feature flag was not enabled before an upgrade to v4,
all JWT tokens became invalid.
This created a couple of issues:

- All users with JWT access tokens are logged out
- Clients that are unable to refresh keys based on key ID break
- id_token_hint could no longer be validated.

# How the Problems Are Solved

Force-enable the webkey feature on the v3 version, so that the upgrade
path is cleaner. Sessions now have time to roll over to the new keys
before initiating the upgrade to v4.

# Additional Changes

- none

# Additional Context

- Related https://github.com/zitadel/zitadel/issues/10673

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann
2025-09-10 08:53:29 +03:00
committed by GitHub
parent 330928f8b5
commit ca510c52dd
4 changed files with 26 additions and 23 deletions


@@ -25,6 +25,10 @@ import (
func TestServer_Keys(t *testing.T) {
instance := integration.NewInstance(CTX)
// As we want to test the legacy keys as well, we need to ensure the webkey feature is off
// at the beginning since the instance creation enables it by default.
ensureWebKeyFeature(t, instance, false)
ctxLogin := instance.WithAuthorization(CTX, integration.UserTypeLogin)
clientID, _ := createClient(t, instance)
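Review bot: the hunk relies on `ensureWebKeyFeature(t, instance, false)` to switch the flag off before the legacy-key assertions run, but nothing visible here confirms the change has taken effect before `createClient(t, instance)` is called; if the feature flag is applied asynchronously, consider having the helper poll the feature state (or the keys endpoint) until it reports the feature disabled, so the test really exercises the legacy-key path rather than racing the default. The comment above the call could also mention that the default flipped because this change force-enables webkey on instance creation, so a future reader understands the explicit `false` is deliberate and not a leftover.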