oidc: give every Cloudron its own EdDSA key

src/oidc.js

@@ -14,6 +14,7 @@ exports = module.exports = {
 
 const assert = require('assert'),
     BoxError = require('./boxerror.js'),
+    blobs = require('./blobs.js'),
     constants = require('./constants.js'),
     database = require('./database.js'),
     debug = require('debug')('box:oidc'),
@@ -25,6 +26,7 @@ const assert = require('assert'),
     paths = require('./paths.js'),
     http = require('http'),
     HttpError = require('connect-lastmile').HttpError,
+    jose = require('jose'),
     safe = require('safetydance'),
     settings = require('./settings.js'),
     users = require('./users.js'),
@@ -547,6 +549,18 @@ async function start() {
 
     const { Provider } = await import('oidc-provider');
 
+    // TODO we may want to rotate those in the future
+    let key = await blobs.getString(blobs.OIDC_KEY);
+    if (!key) {
+        debug('Generating new OIDC EdDSA key');
+        const { privateKey } = await jose.generateKeyPair('EdDSA');
+        key = await jose.exportJWK(privateKey);
+        await blobs.setString(blobs.OIDC_KEY, JSON.stringify(key));
+    } else {
+        debug('Using existing OIDC EdDSA key');
+        key = JSON.parse(key);
+    }
+
     const configuration = {
         findAccount,
         renderError,
@@ -556,6 +570,9 @@ async function start() {
                 return `${ROUTE_PREFIX}/interaction/${interaction.uid}`;
             }
         },
+        jwks: {
+            keys: [ key ]
+        },
         claims: {
             email: ['email', 'email_verified'],
             profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username' ]