From 88a44ee0657069afaf96db2cde2fd9cd4ebaf9c4 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Thu, 12 Feb 2026 19:39:18 +0100
Subject: [PATCH] oidc: add alg to the jwks keys
---
 .../20260212170000-oidc-keys-add-alg.js | 21 +++++++++++++++++++
 src/oidcserver.js | 4 ++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 migrations/20260212170000-oidc-keys-add-alg.js
diff --git a/migrations/20260212170000-oidc-keys-add-alg.js b/migrations/20260212170000-oidc-keys-add-alg.js
new file mode 100644
index 000000000..b50906c38
--- /dev/null
+++ b/migrations/20260212170000-oidc-keys-add-alg.js
@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = async function (db) {
+ const eddsaResult = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ 'oidc_key_eddsa' ]);
+ if (eddsaResult.length) {
+ const key = JSON.parse(eddsaResult[0].value.toString('utf8'));
+ key.alg = 'EdDSA';
+ await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), 'oidc_key_eddsa' ]);
+ }
+
+ const rs256Result = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ 'oidc_key_rs256' ]);
+ if (rs256Result.length) {
+ const key = JSON.parse(rs256Result[0].value.toString('utf8'));
+ key.alg = 'RS256';
+ await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), 'oidc_key_rs256' ]);
+ }
+};
+
+exports.down = async function (db) {
+};
+
diff --git a/src/oidcserver.js b/src/oidcserver.js
index 0f668a380..b4188dc1d 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -528,7 +528,7 @@ async function start() {
 if (!keyEdDsa) {
 debug('Generating new OIDC EdDSA key');
 const { privateKey } = await jose.generateKeyPair('EdDSA', { extractable: true });
- keyEdDsa = await jose.exportJWK(privateKey);
+ keyEdDsa = Object.assign(await jose.exportJWK(privateKey), { alg: 'EdDSA' }); // alg is optional, but wp requires it
 await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
 jwksKeys.push(keyEdDsa);
 } else {
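Review bot: The two blocks in `exports.up` are the same select/parse/set/update sequence differing only in the blob id and the `alg` value, which is easier to audit (and to keep in sync) as one helper called twice; the rewrite below does that. `exports.down` is an empty function, so rolling this migration back leaves `alg` in both stored JWKs; given the commit's own note that `alg` is optional this is probably harmless, but the empty body should say so, e.g. `// alg is optional in a JWK; leaving it in place on rollback is harmless`, or mirror `up` by deleting `key.alg`. The early return when no blob row exists relies on `start()` generating a fresh key with `alg` already set, which the hunks in src/oidcserver.js show for newly generated keys.
```javascript
// Adds `alg` to the private JWK stored under blob `id`, if that row exists.
async function addAlg(db, id, alg) {
    const result = await db.runSql('SELECT value FROM blobs WHERE id = ?', [ id ]);
    if (!result.length) return; // no stored key yet; start() generates one with alg already set
    const key = JSON.parse(result[0].value.toString('utf8'));
    key.alg = alg;
    await db.runSql('UPDATE blobs SET value = ? WHERE id = ?', [ JSON.stringify(key), id ]);
}

exports.up = async function (db) {
    await addAlg(db, 'oidc_key_eddsa', 'EdDSA');
    await addAlg(db, 'oidc_key_rs256', 'RS256');
};

// … unchanged: exports.down …
```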
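Review bot: The added line's comment `// alg is optional, but wp requires it` never says what `wp` is, so the reason this field exists will be lost on the next reader; spell it out, e.g. `// alg is optional in a JWK (RFC 7517 §4.4), but <consumer name> rejects keys without it`. Only freshly generated keys get `alg` here; keys read back in the `else` branch (outside the hunk) depend on the migration having run, so a defaulting line there such as `if (!keyEdDsa.alg) keyEdDsa.alg = 'EdDSA';` would keep the served JWKS consistent even if the migration was skipped. As a matter of style, `keyEdDsa = { ...await jose.exportJWK(privateKey), alg: 'EdDSA' };` states the same thing more directly than the `Object.assign` form. The same applies to the RS256 hunk at line 540; `start()` begins before and continues after both hunks.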
@@ -540,7 +540,7 @@ async function start() {
 if (!keyRs256) {
 debug('Generating new OIDC RS256 key');
 const { privateKey } = await jose.generateKeyPair('RS256', { extractable: true });
- keyRs256 = await jose.exportJWK(privateKey);
+ keyRs256 = Object.assign(await jose.exportJWK(privateKey), { alg: 'RS256' }); // alg is optional, but wp requires it
 await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
 jwksKeys.push(keyRs256);
 } else {