oidc: add RSA-SHA256 aka rs256 signature algorithm

2023-04-04 11:32:32 +02:00
parent f40c4b9b2c
commit 187389638c
2 changed files with 23 additions and 7 deletions
@@ -601,15 +601,30 @@ async function start() {
    const { Provider } = await import('oidc-provider');

    // TODO we may want to rotate those in the future
-    let key = await blobs.getString(blobs.OIDC_KEY);
-    if (!key) {
+    const jwksKeys = [];
+
+    let keyEdDsa = await blobs.getString(blobs.OIDC_KEY_EDDSA);
+    if (!keyEdDsa) {
        debug('Generating new OIDC EdDSA key');
        const { privateKey } = await jose.generateKeyPair('EdDSA');
-        key = await jose.exportJWK(privateKey);
-        await blobs.setString(blobs.OIDC_KEY, JSON.stringify(key));
+        keyEdDsa = await jose.exportJWK(privateKey);
+        await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
+        jwksKeys.push(keyEdDsa);
    } else {
        debug('Using existing OIDC EdDSA key');
-        key = JSON.parse(key);
+        jwksKeys.push(JSON.parse(keyEdDsa));
+    }
+
+    let keyRs256 = await blobs.getString(blobs.OIDC_KEY_RS256);
+    if (!keyRs256) {
+        debug('Generating new OIDC EdDSA key');
+        const { privateKey } = await jose.generateKeyPair('RS256');
+        keyRs256 = await jose.exportJWK(privateKey);
+        await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
+        jwksKeys.push(keyRs256);
+    } else {
+        debug('Using existing OIDC EdDSA key');
+        jwksKeys.push(JSON.parse(keyRs256));
    }

    const configuration = {
@@ -622,7 +637,7 @@ async function start() {
            }
        },
        jwks: {
-            keys: [ key ]
+            jwksKeys
        },
        claims: {
            email: ['email', 'email_verified'],