From 187389638c2f3e6ee97447b0b08bb69a27472b4f Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Tue, 4 Apr 2023 11:32:32 +0200
Subject: [PATCH] oidc: add RSA-SHA256 aka rs256 signature algorithm
---
 src/blobs.js | 3 ++-
 src/oidc.js | 27 +++++++++++++++++++++------
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/blobs.js b/src/blobs.js
index 71c242336..d9bb3e3b4 100644
--- a/src/blobs.js
+++ b/src/blobs.js
@@ -22,7 +22,8 @@ exports = module.exports = {
 PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',
- OIDC_KEY: 'oidc_key', // this is only JWT private key, the public key will be derived
+ OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived
+ OIDC_KEY_RS256: 'oidc_key_rs256',
 CERT_PREFIX: 'cert',
 CERT_SUFFIX: 'cert',
diff --git a/src/oidc.js b/src/oidc.js
index ac00289af..4f9216a6f 100644
--- a/src/oidc.js
+++ b/src/oidc.js
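Review bot: Renaming the stored blob from 'oidc_key' to 'oidc_key_eddsa' on the changed line orphans the key an existing installation already persisted under 'oidc_key': the new start() code in src/oidc.js reads blobs.OIDC_KEY_EDDSA, finds nothing, and generates a fresh EdDSA key, so tokens issued before the upgrade presumably stop verifying and the old private key lingers in the blob store unused. Either keep the value 'oidc_key' for OIDC_KEY_EDDSA or add a migration that copies the blob to the new name and removes the old entry. The comment about the public key being derived now applies to both entries; I would move it above them as `// these are only the JWT private keys, the public keys will be derived`.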
@@ -601,15 +601,30 @@ async function start() {
 const { Provider } = await import('oidc-provider');
 // TODO we may want to rotate those in the future
- let key = await blobs.getString(blobs.OIDC_KEY);
- if (!key) {
+ const jwksKeys = [];
+
+ let keyEdDsa = await blobs.getString(blobs.OIDC_KEY_EDDSA);
+ if (!keyEdDsa) {
 debug('Generating new OIDC EdDSA key');
 const { privateKey } = await jose.generateKeyPair('EdDSA');
- key = await jose.exportJWK(privateKey);
- await blobs.setString(blobs.OIDC_KEY, JSON.stringify(key));
+ keyEdDsa = await jose.exportJWK(privateKey);
+ await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
+ jwksKeys.push(keyEdDsa);
 } else {
 debug('Using existing OIDC EdDSA key');
- key = JSON.parse(key);
+ jwksKeys.push(JSON.parse(keyEdDsa));
+ }
+
+ let keyRs256 = await blobs.getString(blobs.OIDC_KEY_RS256);
+ if (!keyRs256) {
+ debug('Generating new OIDC EdDSA key');
+ const { privateKey } = await jose.generateKeyPair('RS256');
+ keyRs256 = await jose.exportJWK(privateKey);
+ await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
+ jwksKeys.push(keyRs256);
+ } else {
+ debug('Using existing OIDC EdDSA key');
+ jwksKeys.push(JSON.parse(keyRs256));
 }
 const configuration = {
@@ -622,7 +637,7 @@ async function start() {
 }
 },
 jwks: {
- keys: [ key ]
+ jwksKeys
 },
 claims: {
 email: ['email', 'email_verified'],
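Review bot: The debug messages in the new RS256 branch still say EdDSA (`debug('Generating new OIDC EdDSA key')` and `debug('Using existing OIDC EdDSA key')` after `let keyRs256`), so the log cannot show which signing key was just (re)generated, which is exactly what an operator needs when issued tokens unexpectedly stop verifying. The two branches differ only in blob name and algorithm, so a small helper removes the copy-paste and derives the log text from the algorithm; it also produces the identical message the EdDSA path already emits. `jose.generateKeyPair('RS256')` is called without options, so the RSA modulus length is whatever the library defaults to; passing it explicitly (the jose option is `modulusLength`) would document the intended key size in the code. start() begins and ends outside the hunk.
```javascript
// Loads the private JWK stored under blobKey, generating and persisting a new
// key pair for alg when none exists yet. Returns the private JWK object.
async function loadOrGenerateOidcKey(blobKey, alg) {
    const stored = await blobs.getString(blobKey);
    if (stored) {
        debug(`Using existing OIDC ${alg} key`);
        return JSON.parse(stored);
    }

    debug(`Generating new OIDC ${alg} key`);
    const { privateKey } = await jose.generateKeyPair(alg);
    const jwk = await jose.exportJWK(privateKey);
    await blobs.setString(blobKey, JSON.stringify(jwk));
    return jwk;
}

// … unchanged: start() up to the Provider import …
    // TODO we may want to rotate those in the future
    const jwksKeys = [
        await loadOrGenerateOidcKey(blobs.OIDC_KEY_EDDSA, 'EdDSA'),
        await loadOrGenerateOidcKey(blobs.OIDC_KEY_RS256, 'RS256'),
    ];
// … unchanged: const configuration = { … } …
```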
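Review bot: `jwks: { jwksKeys }` is object shorthand and yields a property named jwksKeys, not the keys property that the removed `keys: [ key ]` provided, so the provider is handed a jwks object with no keys entry and neither signing algorithm is actually configured. The added line should read `keys: jwksKeys`. The rest of the configuration object lies outside the hunk, as does the end of start().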