fix: EdDSA to Ed25519 token migration (#786)

* refactor: changed EdDSA to Ed25519 algorithm in tokens

Author: Stellatsuu

diracx-core/pyproject.toml

@@ -18,7 +18,7 @@ dependencies = [
     "cachetools",
     "email_validator",
     "gitpython",
-    "joserfc >=1.1.0",
+    "joserfc >=1.5.0",
     "pydantic >=2.10",
     "pydantic-settings",
     "pyyaml",

diracx-core/src/diracx/core/settings.py

@@ -204,11 +204,12 @@ class AuthSettings(ServiceSettingsBase):
     generation and verification.
     """
 
-    token_allowed_algorithms: list[str] = ["RS256", "EdDSA"]  # noqa: S105
+    # TODO: EdDSA should be removed later due to "SecurityWarning: EdDSA is deprecated via RFC 9864"
+    token_allowed_algorithms: list[str] = ["RS256", "EdDSA", "Ed25519"]  # noqa: S105
     """List of allowed cryptographic algorithms for JWT token signing.
 
-    Supported algorithms include RS256 (RSA with SHA-256) and EdDSA
-    (Edwards-curve Digital Signature Algorithm). Default: ["RS256", "EdDSA"]
+    Supported algorithms include RS256 (RSA with SHA-256) and Ed25519
+    (Edwards-curve Digital Signature Algorithm). Default: ["RS256", "Ed25519"]
     """
 
     access_token_expire_minutes: int = 20

diracx-core/tests/test_secrets.py

@@ -15,7 +15,7 @@ def test_token_signing_key(tmp_path):
             OKPKey.generate_key(
                 parameters={
                     "key_ops": ["sign", "verify"],
-                    "alg": "EdDSA",
+                    "alg": "Ed25519",
                     "kid": uuid7().hex,
                 }
             )

diracx-logic/src/diracx/logic/__main__.py

@@ -40,7 +40,7 @@ def new_key(
     """Create a fresh private signing key."""
     parameters = {
         "key_ops": ["sign", "verify"],
-        "alg": "EdDSA",
+        "alg": "Ed25519",
         "kid": uuid7().hex,
     }
     return JWKRegistry.generate_key(

diracx-routers/tests/auth/test_standard.py

@@ -783,7 +783,7 @@ async def test_refresh_token_invalid(test_client, auth_httpx_mock: HTTPXMock):
 
     new_auth_settings = AuthSettings(
         token_issuer="https://iam-auth.web.cern.ch/",
-        token_allowed_algorithms=["EdDSA", "RS256"],
+        token_allowed_algorithms=["RS256", "Ed25519"],
         token_keystore=json.dumps(KeySet(keys=[key]).as_dict(private=True)),
         state_key=Fernet.generate_key(),
         allowed_redirects=[
@@ -833,34 +833,34 @@ async def test_keystore(test_client):
             "kid": uuid7().hex,
         },
     )
-    eddsa_key = OKPKey.generate_key(
+    ed25519_key = OKPKey.generate_key(
         "Ed25519",
         {
             "key_ops": ["sign", "verify"],
-            "alg": "EdDSA",
+            "alg": "Ed25519",
             "kid": uuid7().hex,
         },
     )
 
-    # Generate the keystore with eddsa key only first
-    jwks = KeySet(keys=[eddsa_key])
+    # Generate the keystore with ed25519 key only first
+    jwks = KeySet(keys=[ed25519_key])
 
     # Generate the keystore with rsa key only first
     auth_settings = AuthSettings(
         token_issuer=issuer,
-        token_allowed_algorithms=["RS256"],  # We purposefully remove EdDSA
+        token_allowed_algorithms=["RS256"],  # We purposefully remove Ed25519
         token_keystore=json.dumps(jwks.as_dict(private=True)),
         state_key=state_key,
         allowed_redirects=allowed_redirects,
     )
 
     # Encode/Decode with the keystore: should not work
-    # because EdDSA is not part of the allowed algorithms
+    # because Ed25519 is not part of the allowed algorithms
     with pytest.raises(UnsupportedAlgorithmError):
         token = create_token(payload, auth_settings)
 
-    # Add EdDSA to the allowed algorithms
-    auth_settings.token_allowed_algorithms.append("EdDSA")
+    # Add Ed25519 to the allowed algorithms
+    auth_settings.token_allowed_algorithms.append("Ed25519")
 
     # Encode/Decode with the keystore: should work
     token = create_token(payload, auth_settings)
@@ -871,7 +871,10 @@ async def test_keystore(test_client):
 
     auth_settings = AuthSettings(
         token_issuer=issuer,
-        token_allowed_algorithms=["RS256", "EdDSA"],  # We purposefully remove EdDSA
+        token_allowed_algorithms=[
+            "RS256",
+            "Ed25519",
+        ],
         token_keystore=json.dumps(jwks.as_dict(private=True)),
         state_key=state_key,
         allowed_redirects=allowed_redirects,
@@ -882,7 +885,7 @@ async def test_keystore(test_client):
     await verify_dirac_refresh_token(token, auth_settings)
 
     # Remove 'sign' operation from the RSA key:
-    # should still work because eddsa_key is still there
+    # should still work because ed25519_key is still there
     auth_settings.token_keystore.jwks.keys[1].get("key_ops").remove("sign")
     token = create_token(payload, auth_settings)
     await verify_dirac_refresh_token(token, auth_settings)

diracx-testing/src/diracx/testing/utils.py

@@ -61,7 +61,7 @@ def private_key() -> OKPKey:
     return OKPKey.generate_key(
         parameters={
             "key_ops": ["sign", "verify"],
-            "alg": "EdDSA",
+            "alg": "Ed25519",
             "kid": uuid7().hex,
         }
     )

docs/admin/reference/env-variables.md

@@ -71,12 +71,12 @@ generation and verification.
 
 ### `DIRACX_SERVICE_AUTH_TOKEN_ALLOWED_ALGORITHMS`
 
-*Optional*, default value: `['RS256', 'EdDSA']`
+*Optional*, default value: `['RS256', 'EdDSA', 'Ed25519']`
 
 List of allowed cryptographic algorithms for JWT token signing.
 
-Supported algorithms include RS256 (RSA with SHA-256) and EdDSA
-(Edwards-curve Digital Signature Algorithm). Default: ["RS256", "EdDSA"]
+Supported algorithms include RS256 (RSA with SHA-256) and Ed25519
+(Edwards-curve Digital Signature Algorithm). Default: ["RS256", "Ed25519"]
 
 ### `DIRACX_SERVICE_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES`