diff --git a/migrations/20260212170000-oidc-keys-add-alg.js b/migrations/20260212170000-oidc-keys-add-alg.js
new file mode 100644
index 000000000..b50906c38
--- /dev/null
+++ b/migrations/20260212170000-oidc-keys-add-alg.js
@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = async function (db) {
+ const eddsaResult = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ 'oidc_key_eddsa' ]);
+ if (eddsaResult.length) {
+ const key = JSON.parse(eddsaResult[0].value.toString('utf8'));
+ key.alg = 'EdDSA';
+ await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), 'oidc_key_eddsa' ]);
+ }
+
+ const rs256Result = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ 'oidc_key_rs256' ]);
+ if (rs256Result.length) {
+ const key = JSON.parse(rs256Result[0].value.toString('utf8'));
+ key.alg = 'RS256';
+ await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), 'oidc_key_rs256' ]);
+ }
+};
+
+exports.down = async function (db) {
+};
+
diff --git a/src/oidcserver.js b/src/oidcserver.js
index 0f668a380..b4188dc1d 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -528,7 +528,7 @@ async function start() {
 if (!keyEdDsa) {
 debug('Generating new OIDC EdDSA key');
 const { privateKey } = await jose.generateKeyPair('EdDSA', { extractable: true });
- keyEdDsa = await jose.exportJWK(privateKey);
+ keyEdDsa = Object.assign(await jose.exportJWK(privateKey), { alg: 'EdDSA' }); // alg is optional, but wp requires it
 await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
 jwksKeys.push(keyEdDsa);
 } else {
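Review bot: `exports.down` at the end of the hunk is an empty function, so rolling this migration back leaves the new `alg` member in both blobs; if that is intentional because the pre-migration code ignores `alg`, say so with a comment such as `// no-op: older code ignores alg`, otherwise `down` should remove the member it added. The `up` body is also two copies of the same select/parse/update sequence, which a small helper taking `(id, alg)` would collapse and which `down` could reuse. Note that `JSON.parse(...value.toString('utf8'))` throws and aborts the migration on a blob that is not valid JSON, which is the right outcome for key material but is worth a one-line comment. A version that mirrors `up` in `down` could look like this:
```javascript
async function setAlg(db, id, alg) {
    const result = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ id ]);
    if (!result.length) return;
    // a malformed blob throws here and aborts the migration on purpose
    const key = JSON.parse(result[0].value.toString('utf8'));
    if (alg === null) delete key.alg; else key.alg = alg;
    await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), id ]);
}

exports.up = async function (db) {
    await setAlg(db, 'oidc_key_eddsa', 'EdDSA');
    await setAlg(db, 'oidc_key_rs256', 'RS256');
};

exports.down = async function (db) {
    await setAlg(db, 'oidc_key_eddsa', null);
    await setAlg(db, 'oidc_key_rs256', null);
};
```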
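Review bot: The trailing comment on the added line, `// alg is optional, but wp requires it`, names the consumer only by an abbreviation; suggest `// alg is optional in a JWK (RFC 7517 §4.4) but the WordPress OIDC client rejects keys without it` if that is what "wp" means, and the same comment applies to the RS256 line in the @@ -540,7 hunk. The `alg` value now travels with the stored private JWK and with whatever `jwksKeys` is later used for, so code that presumably derives the public JWKS from it must keep `alg` while stripping the private members; that code is outside this hunk, so I cannot confirm it does. Keys taken from storage in the `else` branch (also outside the hunk) get `alg` only through the new migration, so a defensive `if (!keyEdDsa.alg) keyEdDsa.alg = 'EdDSA';` there would keep `start()` correct even if a blob is restored from a pre-migration backup. `start()` begins and ends outside the hunk.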
@@ -540,7 +540,7 @@ async function start() {
 if (!keyRs256) {
 debug('Generating new OIDC RS256 key');
 const { privateKey } = await jose.generateKeyPair('RS256', { extractable: true });
- keyRs256 = await jose.exportJWK(privateKey);
+ keyRs256 = Object.assign(await jose.exportJWK(privateKey), { alg: 'RS256' }); // alg is optional, but wp requires it
 await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
 jwksKeys.push(keyRs256);
 } else {