fix(oidc): ignore algorithm for legacy signer (#9148)

# Which Problems Are Solved

It was possible to set a different algorithm for the legacy signer. This
is not supported however and breaks the token endpoint.

# How the Problems Are Solved

Remove the OIDC.SigningKeyAlgorithm config option and hard-code RS256
for the legacy signer.

# Additional Changes

- none

# Additional Context

Only RS256 is supported by the legacy signer. It was mentioned in the
comment of the config not to use it and use the webkeys resource
instead.

- closes #9121
Tim Möhlmann
2025-01-08 10:40:33 +02:00
committed by GitHub
parent 42cc6dce79
commit db8d794794
3 changed files with 5 additions and 12 deletions


@@ -354,15 +354,15 @@ func (o *OPStorage) getSigningKey(ctx context.Context) (op.SigningKey, error) {
if keys.State != nil {
position = keys.State.Position
}
return nil, o.refreshSigningKey(ctx, o.signingKeyAlgorithm, position)
return nil, o.refreshSigningKey(ctx, position)
}
func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, position float64) error {
func (o *OPStorage) refreshSigningKey(ctx context.Context, position float64) error {
ok, err := o.ensureIsLatestKey(ctx, position)
if err != nil || !ok {
return zerrors.ThrowInternal(err, "OIDC-ASfh3", "cannot ensure that projection is up to date")
}
err = o.lockAndGenerateSigningKeyPair(ctx, algorithm)
err = o.lockAndGenerateSigningKeyPair(ctx)
if err != nil {
return zerrors.ThrowInternal(err, "OIDC-ADh31", "could not create signing key")
}
@@ -393,7 +393,7 @@ func PrivateKeyToSigningKey(key query.PrivateKey, algorithm crypto.EncryptionAlg
}, nil
}
func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm string) error {
func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context) error {
logging.Info("lock and generate signing key pair")
ctx, cancel := context.WithCancel(ctx)
@@ -409,7 +409,7 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
return err
}
return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), algorithm)
return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), "RS256")
}
func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
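Review bot: The new `"RS256"` literal passed to GenerateSigningKeyPair in lockAndGenerateSigningKeyPair is the only place the legacy signer's algorithm is now fixed, yet nothing in the code records why, so the next maintainer may reintroduce a parameter. Name it once, e.g. `const legacySigningKeyAlgorithm = "RS256" // the legacy signer supports no other algorithm`, and pass that constant instead of the bare string; if the project already has an equivalent constant in scope, reuse it rather than adding one. Add a doc comment on the method, `// lockAndGenerateSigningKeyPair creates an RS256 key pair; the legacy signer (unlike the webkeys resource) supports only RS256.`, and the same note on refreshSigningKey, whose algorithm parameter was removed in the first hunk. PrivateKeyToSigningKey, visible only in the second hunk header, still appears to accept an algorithm argument; if that path also feeds the legacy signer it may deserve the same constraint, which cannot be confirmed from this hunk. The bodies of refreshSigningKey and lockAndGenerateSigningKeyPair continue outside the hunks.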