[PR #359] [MERGED] feat: Add support for ECDSA and EdDSA keys #859

Closed
opened 2025-10-08 00:18:31 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/359
Author: @ItalyPaleAle
Created: 3/19/2025
Status: Merged
Merged: 3/27/2025
Merged by: @stonith404

Base: main ← Head: non-rsa-keys


📝 Commits (10+)

  • e87c205 Add support for non-RSA keys (https://github.com/pocket-id/pocket-id/commit/e87c2054bb0c922133346a9fbf37e44105e2f76f)
  • da6f06b Fix alg in openid-configuration document + pre-compute (https://github.com/pocket-id/pocket-id/commit/da6f06b7b35a11054fce8c489fe9bba3c84b5eda)
  • 8f49f74 Bug fixes (https://github.com/pocket-id/pocket-id/commit/8f49f746fa895ad1485c7b317beaa7daa381580b)
  • 68c7d9a Update jwx (https://github.com/pocket-id/pocket-id/commit/68c7d9a2352ca7df0d1c19c31480767438269640)
  • ae94d25 Save backend logs while running E2E tests (https://github.com/pocket-id/pocket-id/commit/ae94d251a49d5ee74a3bdc8527651d625638084e)
  • 2f29a47 Fix path (https://github.com/pocket-id/pocket-id/commit/2f29a472739ed07c64cdfb730e19933a35dcef08)
  • a327e41 Should redirect logs now (https://github.com/pocket-id/pocket-id/commit/a327e41114a78b9c1b3c4aa02fc83052aab7d6c4)
  • b0c4f1f Temp logs for debugging (https://github.com/pocket-id/pocket-id/commit/b0c4f1f9b0d43d338b15b33c869de244566f9c89)
  • f141135 Update token that had expired (https://github.com/pocket-id/pocket-id/commit/f141135a0af7ab7d828b598475b23e33677e4a40)
  • 2bf1861 Fix (https://github.com/pocket-id/pocket-id/commit/2bf1861764a63f60943896687ce399ed335aa19f)

📊 Changes

21 files changed (+1074 additions, -201 deletions)

View changed files

📝 .github/workflows/e2e-tests.yml (+20 -0)
📝 backend/go.mod (+2 -2)
📝 backend/go.sum (+2 -2)
📝 backend/internal/controller/app_config_controller.go (+3 -2)
📝 backend/internal/controller/oidc_controller.go (+14 -8)
📝 backend/internal/controller/user_controller.go (+3 -6)
📝 backend/internal/controller/webauthn_controller.go (+1 -3)
📝 backend/internal/controller/well_known_controller.go (+24 -3)
📝 backend/internal/job/ldap_job.go (+1 -1)
📝 backend/internal/middleware/jwt_auth.go (+18 -9)
📝 backend/internal/model/app_config.go (+11 -0)
➕ backend/internal/model/app_config_test.go (+60 -0)
📝 backend/internal/service/audit_log_service.go (+1 -1)
📝 backend/internal/service/email_service.go (+8 -7)
📝 backend/internal/service/jwt_service.go (+154 -97)
📝 backend/internal/service/jwt_service_test.go (+734 -48)
📝 backend/internal/service/ldap_service.go (+2 -2)
📝 backend/internal/service/oidc_service.go (+9 -6)
📝 backend/internal/service/user_group_service.go (+2 -2)
📝 backend/internal/utils/paging_util.go (+4 -2)

...and 1 more file

📄 Description

Fixes #322

  1. Adds support for using ECDSA (e.g. P-256), EdDSA (e.g. Curve25519) keys, as well as RSA keys of arbitrary size.
    • The important caveat is that Pocket ID will not generate these keys. Users will need to provide their own JWK file containing a key in the desired format.
  2. Completes the switch from golang-jwt to jwx for generating and validating JWTs, to use the same library. This simplifies the code a lot too.

To validate the PR, I have:

  • Manually validated that users can authenticate with Pocket ID, and third-party apps can authenticate using tokens issued by Pocket ID, when the key is not RSA (I tested with Ed25519)
  • Added unit tests for the jwt service that use non-RSA keys, as well as RSA-4096 keys (different than the default size)

To generate a non-RSA key, one way is to use the step CLI (https://smallstep.com/docs/step-cli/installation/). For example:

step crypto jwk create \
  jwt_public_key.json jwt_private_key.json \
  --kty=OKP \
  --alg=EdDSA \
  --use=sig \
  --crv=Ed25519 \
  --no-password --insecure

TODO @ItalyPaleAle: Create docs for this
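As an added illustration of what the description above asks of deployers (supply your own JWK; the server derives the signing algorithm from the key rather than generating it), here is a small standard-library Go sketch for the Ed25519 case. It is not Pocket ID's code and does not use the jwx library the PR switches to; the type `jwk` and the functions `algForKey`, `newJWK`, `signJWT` and `verifyJWT` are hypothetical names chosen for this example, and `newJWK` generates a fresh key pair at runtime in place of the `jwt_private_key.json` / `jwt_public_key.json` files the step command writes. The security-relevant point it demonstrates is that the `alg` is fixed by the key's `kty`/`crv`, and a token whose header `alg` disagrees with the configured key is rejected before its signature or claims are looked at.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwk is a hypothetical minimal RFC 8037 OKP key; "d" (the 32-byte seed) is only on private keys.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	D   string `json:"d,omitempty"`
}

func b64e(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// b64d decodes several base64url fields, failing on the first malformed one.
func b64d(vals ...string) (out [][]byte, err error) {
	for _, v := range vals {
		b, e := base64.RawURLEncoding.DecodeString(v)
		if e != nil {
			return nil, e
		}
		out = append(out, b)
	}
	return out, nil
}

// algForKey derives the JWS alg from the key material (kty/crv), the value a server would
// also advertise in openid-configuration. A token's own "alg" header is never trusted.
func algForKey(k jwk) (string, error) {
	if k.Kty == "OKP" && k.Crv == "Ed25519" {
		return "EdDSA", nil
	}
	return "", fmt.Errorf("unsupported key: kty=%q crv=%q", k.Kty, k.Crv)
}

// newJWK generates a fresh Ed25519 pair in JWK form, standing in for the files a user
// would create with "step crypto jwk create" (constructed at runtime for this example).
func newJWK() (priv, pub jwk, err error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pub = jwk{Kty: "OKP", Crv: "Ed25519", X: b64e(pk)}
	priv = jwk{Kty: "OKP", Crv: "Ed25519", X: pub.X, D: b64e(sk.Seed())}
	return
}

// signJWT produces a compact JWS whose header alg is the one the key implies.
func signJWT(priv jwk, claims map[string]any) (string, error) {
	alg, err := algForKey(priv)
	if err != nil {
		return "", err
	}
	f, err := b64d(priv.D)
	if err != nil || len(f[0]) != ed25519.SeedSize {
		return "", errors.New("private key: bad or missing \"d\"")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64e(hdr) + "." + b64e(body)
	sig := ed25519.Sign(ed25519.NewKeyFromSeed(f[0]), []byte(input))
	return input + "." + b64e(sig), nil
}

// verifyJWT checks a compact JWS against the public key: the header alg must equal the alg
// the key implies (no algorithm substitution), and the signature must verify before any
// claim is returned.
func verifyJWT(pub jwk, token string) (map[string]any, error) {
	want, err := algForKey(pub)
	parts := strings.Split(token, ".")
	if err != nil || len(parts) != 3 {
		return nil, errors.New("unsupported key or malformed token")
	}
	f, err := b64d(parts[0], parts[1], parts[2], pub.X)
	if err != nil {
		return nil, err
	}
	var hdr map[string]any
	if json.Unmarshal(f[0], &hdr) != nil || hdr["alg"] != want {
		return nil, fmt.Errorf("header alg %v does not match key alg %s", hdr["alg"], want)
	}
	signed := []byte(parts[0] + "." + parts[1])
	if len(f[3]) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(f[3]), signed, f[2]) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(f[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

Usage: `priv, pub, _ := newJWK()`, then `tok, _ := signJWT(priv, map[string]any{"sub": "user-1"})` and `verifyJWT(pub, tok)`. The same `algForKey` switch is where an EC P-256 key would map to ES256 and an RSA key of any size to RS256; the verifier's rule stays the same in every case, which is that the configured key decides the algorithm, not the token.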


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

OVERLORD added the pull-request label 2025-10-08 00:18:31 +03:00
Reference: starred/pocket-id-pocket-id-1#859