feat(keys): add signing_keys table + rotation-capable keymanager #136
anko9801 wants to merge 1 commit into
…anager

Replaces the on-disk PEM file (data/private.pem) with the spec-aligned signing_keys table (traPortal v2 §signing_keys). The new keymanager package owns the lifecycle:

- EnsureActiveKey on startup generates an RSA-2048 / RS256 key when no active row exists, otherwise loads and parses the existing one.
- ActiveKey supplies the private half to fosite via the existing privateKeyGetter callback, so a Rotate() call is picked up without a process restart.
- PublishableKeys returns every active+rotated key so JWKS keeps serving previously-issued tokens after a rotation; revoked keys disappear.

The kid scheme is preserved (sha256 over the modulus, base64url) so RPs continue to see the same kid for the same key material.

Wired through:

- cmd/serve.go: builds the keymanager from the SigningKeyRepository, hands it to the fosite provider and the v1 handler.
- cmd/oauth.go: privateKeyGetter resolves the active key at request time. loadOrGenerateKey + the PEM file plumbing are removed.
- internal/router/v1/handler.go: introduces a small KeyProvider interface so the router does not import fosite/key types directly.
- internal/router/v1/oauth.go: GetJWKS now publishes every publishable key.
- internal/router/v1/client_test.go: updated to provision a key via the new manager.
- .github/workflows/conformance.yaml: drops the now-dead openssl genpkey step (the server creates its own key on first boot).
- cmd/config.go: drops the unused oauth.key_file field.

Refs:

- traPortal v2 spec §signing_keys
- RFC 7517 §4 (JWK fields), §5 (JWK Set) https://datatracker.ietf.org/doc/html/rfc7517
- OIDC Discovery 1.0 §10.1 (Key Rotation) https://openid.net/specs/openid-connect-discovery-1_0.html#RotateSigKeys

Follow-ups:

- Admin endpoint to trigger Rotate() (currently only callable from Go)
- Use kid header on issued tokens via fosite Signer (today fosite picks the kid from the JWK set returned by the strategy; the active key is always the most recent so verification still works, but explicit kid pinning would simplify multi-active scenarios)
- Update PR #134 (RP-Initiated Logout) to verify id_token_hint against every publishable key instead of the single old PrivateKey field

Assisted-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Overview
Migrates the JWT signing key from a PEM file (`data/private.pem`) to the spec-compliant `signing_keys` table. This lets multiple keys coexist and lets rotation be published through the JWKS.
Background
Matches the `signing_keys` table definition in the spec:
On rotation a key moves `active → rotated` and stays in the JWKS, so previously issued tokens remain verifiable while new tokens are signed with the new active key.
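The lifecycle described above, as an added Go example that is not the PR's own code: an in-memory stand-in for the keymanager with Rotate (demote active to rotated, activate a fresh RSA-2048 key), PublishableKeys (what GetJWKS serves) and the modulus-derived kid. The `Keyring` type, the status strings and the unpadded base64url form of the kid are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"slices"
)

// SigningKey mirrors one signing_keys row; Status is "active" (signs new tokens),
// "rotated" (kept in JWKS so old tokens still verify) or "revoked" (dropped).
type SigningKey struct {
	Kid    string
	Key    *rsa.PrivateKey
	Status string
}
type Keyring []*SigningKey // constructed in-memory stand-in for the keymanager
// Kid is base64url(sha256(modulus)), the kid scheme the PR preserves (unpadded form assumed).
func Kid(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
// Rotate demotes the active key to "rotated" and activates a fresh RSA-2048 key (first boot = EnsureActiveKey path).
func (r *Keyring) Rotate() (*SigningKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	for _, k := range *r {
		if k.Status == "active" {
			k.Status = "rotated"
		}
	}
	nk := &SigningKey{Kid: Kid(&priv.PublicKey), Key: priv, Status: "active"}
	*r = append(*r, nk)
	return nk, nil
}
// PublishableKeys is what GetJWKS serves: active and rotated keys, never revoked.
func (r Keyring) PublishableKeys() Keyring {
	return slices.DeleteFunc(slices.Clone(r), func(k *SigningKey) bool { return k.Status == "revoked" })
}
func main() {
	var r Keyring
	old, _ := r.Rotate() // first boot
	r.Rotate()           // rotation: old key stays in JWKS until revoked
	old.Status = "revoked"
	fmt.Println(len(r.PublishableKeys())) // 1
}
```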
Changes
Schema / queries
Domain / Repository
keymanager package (new)
Wiring
Compatibility
RFC / spec references
Follow-up PRs
Tests