bug: correctly generate oauth2 jwt signing key

- When RS256, RS384, ES384, ES512 was specified as the JWT signing algorithm they would generate RS512 and ES256 respectively. - Added unit test.
2025-10-23 18:42:26 +00:00 · 2024-11-16 14:57:02 +01:00 · 2024-11-16 14:57:02 +01:00 · 7d59060dc6
commit 7d59060dc6
parent 1e1b162cbe
2 changed files with 136 additions and 2 deletions
--- a/services/auth/source/oauth2/jwtsigningkey.go
+++ b/services/auth/source/oauth2/jwtsigningkey.go
@ -347,12 +347,30 @@ func loadOrCreateAsymmetricKey() (any, error) {
 			key, err := func() (any, error) {
 				switch {
 				case strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS"):
-					return rsa.GenerateKey(rand.Reader, 4096)
+					var bits int
+					switch setting.OAuth2.JWTSigningAlgorithm {
+					case "RS256":
+						bits = 2048
+					case "RS384":
+						bits = 3072
+					case "RS512":
+						bits = 4096
+					}
+					return rsa.GenerateKey(rand.Reader, bits)
 				case setting.OAuth2.JWTSigningAlgorithm == "EdDSA":
 					_, pk, err := ed25519.GenerateKey(rand.Reader)
 					return pk, err
 				default:
-					return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+					var curve elliptic.Curve
+					switch setting.OAuth2.JWTSigningAlgorithm {
+					case "ES256":
+						curve = elliptic.P256()
+					case "ES384":
+						curve = elliptic.P384()
+					case "ES512":
+						curve = elliptic.P521()
+					}
+					return ecdsa.GenerateKey(curve, rand.Reader)
 				}
 			}()
 			if err != nil {