diff --git a/src/blobs.js b/src/blobs.js
index 71c242336..d9bb3e3b4 100644
--- a/src/blobs.js
+++ b/src/blobs.js
@@ -22,7 +22,8 @@ exports = module.exports = {
     PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',
-    OIDC_KEY: 'oidc_key', // this is only JWT private key, the public key will be derived
+    OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived
+    OIDC_KEY_RS256: 'oidc_key_rs256',
     CERT_PREFIX: 'cert',
     CERT_SUFFIX: 'cert',
diff --git a/src/oidc.js b/src/oidc.js
index ac00289af..4f9216a6f 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -601,15 +601,30 @@ async function start() {
     const { Provider } = await import('oidc-provider');
 
     // TODO we may want to rotate those in the future
-    let key = await blobs.getString(blobs.OIDC_KEY);
-    if (!key) {
+    const jwksKeys = [];
+
+    let keyEdDsa = await blobs.getString(blobs.OIDC_KEY_EDDSA);
+    if (!keyEdDsa) {
         debug('Generating new OIDC EdDSA key');
         const { privateKey } = await jose.generateKeyPair('EdDSA');
-        key = await jose.exportJWK(privateKey);
-        await blobs.setString(blobs.OIDC_KEY, JSON.stringify(key));
+        keyEdDsa = await jose.exportJWK(privateKey);
+        await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
+        jwksKeys.push(keyEdDsa);
     } else {
         debug('Using existing OIDC EdDSA key');
-        key = JSON.parse(key);
+        jwksKeys.push(JSON.parse(keyEdDsa));
+    }
+
+    let keyRs256 = await blobs.getString(blobs.OIDC_KEY_RS256);
+    if (!keyRs256) {
+        debug('Generating new OIDC EdDSA key');
+        const { privateKey } = await jose.generateKeyPair('RS256');
+        keyRs256 = await jose.exportJWK(privateKey);
+        await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
+        jwksKeys.push(keyRs256);
+    } else {
+        debug('Using existing OIDC EdDSA key');
+        jwksKeys.push(JSON.parse(keyRs256));
     }
 
     const configuration = {
@@ -622,7 +637,7 @@ async function start() {
             }
         },
         jwks: {
-            keys: [ key ]
+            jwksKeys
         },
         claims: {
             email: ['email', 'email_verified'],
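Review bot: Changing the stored blob name from `'oidc_key'` to `'oidc_key_eddsa'` means an already-deployed instance will not find its existing EdDSA key under the new name, and the loader in src/oidc.js will silently generate a fresh one, so every token signed with the previous key stops validating after this upgrade. If that rotation is not intended, either keep `'oidc_key'` as the value of `OIDC_KEY_EDDSA` or read the old blob as a fallback and copy it to the new name on first start. The trailing comment about only the private key being stored applies to `OIDC_KEY_RS256` as well; moving it onto a line above both entries would make that clear.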
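Review bot: The RS256 block reuses the EdDSA log messages: `debug('Generating new OIDC EdDSA key')` and `debug('Using existing OIDC EdDSA key')` in the second if/else should say `RS256`, otherwise the log cannot show which key was created or loaded. Apart from the blob name, the algorithm string and the message, the two blocks are line-for-line identical, so a small helper taking the blob name and algorithm and returning the parsed JWK would remove the duplication that produced this copy-paste slip. The `TODO` about rotation now covers two keys and is worth updating to say so. The enclosing start() continues outside the hunk.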
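Review bot: `jwks: { jwksKeys }` is object-literal shorthand and produces `{ jwksKeys: [...] }`, not the `keys` property that the removed `keys: [ key ]` line supplied, so the provider is handed a jwks object without a `keys` entry. The line should read `keys: jwksKeys`. The configuration object continues outside the hunk.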