ECDSA JWT support for OIDC #79

New issue

Open

opened 2026-04-11 05:10:03 +00:00 by benaryorg · 0 comments

benaryorg commented 2026-04-11 05:10:03 +00:00

Contributor

Copy link

Hi, authentik user here.
It would be nice if we could have ECC support for the OIDC keys.

Currently the code imports only RSA libraries and then does not distinct between key algs.

The key should be able to be distinguished based on kty being either RSA or EC, and Crypt::PK::ECC is probably usable (I don't know anything about perl libraries I'm afraid).
Enforcing the key to be of use=="sig" may also be a good thing.
Maybe.

key dumps for testing

The following is what my jwks_uri endpoint reports for the RSA key:

{"keys": [{"alg": "RS256", "kid": "c02bce57e8e50180974dd6491e14db86", "kty": "RSA", "use": "sig", "n": "ofiG4plxY65pQi6Zelfe3l-DjqDaDusT5Okr43LAl3pqhN9ArZYazf4hV4McNNlGcbxc4RH1PspBX5LpSNwPL1pxZbAbQaJg-I5py51Ilkj6IzHyw1J7GzaA7P4kEZKv_lev_Lk4sFja9ZIerYrUnSn8jKAztQqhaZEY0eCEpm5Eae07r85RJGwVB8JsWOFkINLTXgEMkV8_zJPH0c54DqU-4QJFgLXGA-CVYOy4ALpcRvTPsSlgvlFdNTc0_XH6uIBP1dJPN6EnyQMv335g3CZH0l7JUmwi0B8khBCelMxnvAsf7tDch2bzom4_QaZmZC2HlWFutFhe49gzP-AJbfrge4LZ5Br7Q8zkurknU3NFJFXV84sPAoS5x8mzLcBSd4TncBRR1FFI9lmm6Ci0zYgHmtN5y7OuKvR717oo7hA0nbf0zUlaPkOU24RiaPuqeKCuo_Xl_hO6KW5ymlzVnFkm9m_w3K6nWlKnhZ2utjqapO8h5bnhrKT1MXgf_480sOmDpQBvYC8UfEUBeirQtLyqjD2OmJnAc_gTEBsZmuoKRZt0XTtSL_f4_s3SvDPGkSfIO3Z9WCkpSh14kLO1sIB7O7f5GygS9fEXeINhMYn_dnSzadwTcrDtnnlhiojgjiy3v8X2EbgeFlXwRhYYiIGktz-xgLeyPvSXwTH_SA0", "e": "AQAB", "x5c": ["MIIE8jCCAtqgAwIBAgIRAL3ZOFl+XkbnuycwYVXmvjUwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjUuMTAuMTAeFw0yNjA0MDkxNTM2NDFaFw0yNzA0MTAxNTM2NDFaMEsxHzAdBgNVBAMMFjIwMjYucnNhLmlkLmJlbmFyeS5vcmcxEjAQBgNVBAoMCWF1dGhlbnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh+IbimXFjrmlCLpl6V97eX4OOoNoO6xPk6SvjcsCXemqE30CtlhrN/iFXgxw02UZxvFzhEfU+ykFfkulI3A8vWnFlsBtBomD4jmnLnUiWSPojMfLDUnsbNoDs/iQRkq/+V6/8uTiwWNr1kh6titSdKfyMoDO1CqFpkRjR4ISmbkRp7TuvzlEkbBUHwmxY4WQg0tNeAQyRXz/Mk8fRzngOpT7hAkWAtcYD4JVg7LgAulxG9M+xKWC+UV01NzT9cfq4gE/V0k83oSfJAy/ffmDcJkfSXslSbCLQHySEEJ6UzGe8Cx/u0NyHZvOibj9BpmZkLYeVYW60WF7j2DM/4Alt+uB7gtnkGvtDzOS6uSdTc0UkVdXziw8ChLnHybMtwFJ3hOdwFFHUUUj2WaboKLTNiAea03nLs64q9HvXuijuEDSdt/TNSVo+Q5TbhGJo+6p4oK6j9eX+E7opbnKaXNWcWSb2b/DcrqdaUqeFna62Opqk7yHlueGspPUxeB//jzSw6YOlAG9gLxR8RQF6KtC0vKqMPY6YmcBz+BMQGxma6gpFm3RdO1Iv9/j+zdK8M8aRJ8g7dn1YKSlKHXiQs7WwgHs7t/kbKBL18Rd4g2Exif92dLNp3BNysO2eeWGKiOCOLLe/xfYRuB4WVfBGFhiIgaS3P7GAt7I+9JfBMf9IDQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQAvdYmBrmzH8w5tuWQQqLeyc13pGLGvu0uC86llhWAj7X4aj3MPM0METgePC/TWkG4hNult2W08L2nhRioXGr9dyesp7m1lBFxELq3x3IMMrnXVEZ8Yhzoo6nCtuyfqY35afGwUwijbkYSLalHRJfNomabuKcrBWl4qn4FYc+mV2BwQJbcK1ua2Vp2+Lo+4EiCF/a0CjlDx+tnmce48kPyY1FjM/8ZqvJJXBrEggcsfbwJaCjguUvwGME2dWP7FvLcm1mVHdLV0FNTC9jFIQPRrgEOGHgXsqpuI7s1HI4h0evqR1do+OtdVzZdXOQVifBZe9MLtlJCyESdWTTkXrqi6qZ+5sPhi9bk9O83SR5qqkKZDSicuf7sv13u29YlHdYx1nF7Fyc41iloucPU0/vZhVzdSzvaKsVDy+HxWkWQF6/wtt5ln02RjCEowT8BUgnZAxw68+WviI94N5Z7sBybPtn8JLz9xAy2MTbBpM6AstG5qvpU7ebiBxXrN/iSVWPymm8h6FgoboqjON5+RVpdEG/1th+tFv6NJi6/IAEAWQM5kvLkfU6IhR8QWS872u8oFCczD/BCa/DnLzw4sJ4uFeK+ONs4usFsTPkXgfcFFrIoSbioFCexEtMQYU+qDT7V4LoKw0+0Mea4isV9uLJHuYT/uiMPtM02v3lEW03jgdg=="], "x5t": "5Qq0UwfqmYfIpWJ1npRbCR2Xgko", "x5t#S256": "Edm40-kArU9K7Y0OKc8mj2zDlw3pIBSjQVHAaWu13A8"}]}

and this is ECDSA:

{"keys": [{"alg": "ES256", "kid": "3c0922f83ab20e07724a0a144cf28d45", "kty": "EC", "use": "sig", "x": "HhlEnOSYFB6hFx7Q10tZJz3Gc2UAekUYUFmJSO7PAvI", "y": "mfk3dqx3E7vhKN6wI9EAVHvJD_8HqgvVNMqhmLEOSGk", "crv": "P-256", "x5c": ["MIIBYzCCAQigAwIBAgIRAMdr4ofuME12udqdSS1cFywwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjUuMTAuMTAeFw0yNjA0MDkxNTM2MjlaFw0yNzA0MTAxNTM2MjlaMEcxGzAZBgNVBAMMEjIwMjYuaWQuYmVuYXJ5Lm9yZzESMBAGA1UECgwJYXV0aGVudGlrMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB4ZRJzkmBQeoRce0NdLWSc9xnNlAHpFGFBZiUjuzwLymfk3dqx3E7vhKN6wI9EAVHvJD/8HqgvVNMqhmLEOSGkwCgYIKoZIzj0EAwIDSQAwRgIhAJFbk3CLLQb9tTwYvYOTrFWqIneCHrmQtryEiEDrmdycAiEAyB5Z6sFm+qrc4sUZymhbYy0N3npDJR2/jocF4WOG79k="], "x5t": "lGfVde8nllMlKv9eRdyEpV8atTI", "x5t#S256": "XGHxfebarM51WAiEv5pOnCoXbu2_9seH-75SMLu3VTw"}]}

Hi, authentik user here. It would be nice if we could have ECC support for the OIDC keys. Currently the code [imports only RSA libraries](https://git.lix.systems/lix-project/hydra/src/commit/6566a7fa880794fcb90ee2489e085e12f6862291/src/lib/Hydra/Controller/User.pm#L16) and then [does not distinct between key algs](https://git.lix.systems/lix-project/hydra/src/commit/6566a7fa880794fcb90ee2489e085e12f6862291/src/lib/Hydra/Controller/User.pm#L182-L184). The key should be able to be distinguished based on `kty` being either `RSA` or `EC`, and [*Crypt::PK::ECC*](https://metacpan.org/pod/Crypt::PK::ECC) is probably usable (I don't know anything about perl libraries I'm afraid). Enforcing the key to be of `use=="sig"` may also be a good thing. Maybe. <details><summary>key dumps for testing</summary> The following is what my `jwks_uri` endpoint reports for the RSA key: ```json {"keys": [{"alg": "RS256", "kid": "c02bce57e8e50180974dd6491e14db86", "kty": "RSA", "use": "sig", "n": "ofiG4plxY65pQi6Zelfe3l-DjqDaDusT5Okr43LAl3pqhN9ArZYazf4hV4McNNlGcbxc4RH1PspBX5LpSNwPL1pxZbAbQaJg-I5py51Ilkj6IzHyw1J7GzaA7P4kEZKv_lev_Lk4sFja9ZIerYrUnSn8jKAztQqhaZEY0eCEpm5Eae07r85RJGwVB8JsWOFkINLTXgEMkV8_zJPH0c54DqU-4QJFgLXGA-CVYOy4ALpcRvTPsSlgvlFdNTc0_XH6uIBP1dJPN6EnyQMv335g3CZH0l7JUmwi0B8khBCelMxnvAsf7tDch2bzom4_QaZmZC2HlWFutFhe49gzP-AJbfrge4LZ5Br7Q8zkurknU3NFJFXV84sPAoS5x8mzLcBSd4TncBRR1FFI9lmm6Ci0zYgHmtN5y7OuKvR717oo7hA0nbf0zUlaPkOU24RiaPuqeKCuo_Xl_hO6KW5ymlzVnFkm9m_w3K6nWlKnhZ2utjqapO8h5bnhrKT1MXgf_480sOmDpQBvYC8UfEUBeirQtLyqjD2OmJnAc_gTEBsZmuoKRZt0XTtSL_f4_s3SvDPGkSfIO3Z9WCkpSh14kLO1sIB7O7f5GygS9fEXeINhMYn_dnSzadwTcrDtnnlhiojgjiy3v8X2EbgeFlXwRhYYiIGktz-xgLeyPvSXwTH_SA0", "e": "AQAB", "x5c": ["MIIE8jCCAtqgAwIBAgIRAL3ZOFl+XkbnuycwYVXmvjUwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjUuMTAuMTAeFw0yNjA0MDkxNTM2NDFaFw0yNzA0MTAxNTM2NDFaMEsxHzAdBgNVBAMMFjIwMjYucnNhLmlkLmJlbmFyeS5vcmcxEjAQBgNVBAoMCWF1dGhlbnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh+IbimXFjrmlCLpl6V97eX4OOoNoO6xPk6SvjcsCXemqE30CtlhrN/iFXgxw02UZxvFzhEfU+ykFfkulI3A8vWnFlsBtBomD4jmnLnUiWSPojMfLDUnsbNoDs/iQRkq/+V6/8uTiwWNr1kh6titSdKfyMoDO1CqFpkRjR4ISmbkRp7TuvzlEkbBUHwmxY4WQg0tNeAQyRXz/Mk8fRzngOpT7hAkWAtcYD4JVg7LgAulxG9M+xKWC+UV01NzT9cfq4gE/V0k83oSfJAy/ffmDcJkfSXslSbCLQHySEEJ6UzGe8Cx/u0NyHZvOibj9BpmZkLYeVYW60WF7j2DM/4Alt+uB7gtnkGvtDzOS6uSdTc0UkVdXziw8ChLnHybMtwFJ3hOdwFFHUUUj2WaboKLTNiAea03nLs64q9HvXuijuEDSdt/TNSVo+Q5TbhGJo+6p4oK6j9eX+E7opbnKaXNWcWSb2b/DcrqdaUqeFna62Opqk7yHlueGspPUxeB//jzSw6YOlAG9gLxR8RQF6KtC0vKqMPY6YmcBz+BMQGxma6gpFm3RdO1Iv9/j+zdK8M8aRJ8g7dn1YKSlKHXiQs7WwgHs7t/kbKBL18Rd4g2Exif92dLNp3BNysO2eeWGKiOCOLLe/xfYRuB4WVfBGFhiIgaS3P7GAt7I+9JfBMf9IDQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQAvdYmBrmzH8w5tuWQQqLeyc13pGLGvu0uC86llhWAj7X4aj3MPM0METgePC/TWkG4hNult2W08L2nhRioXGr9dyesp7m1lBFxELq3x3IMMrnXVEZ8Yhzoo6nCtuyfqY35afGwUwijbkYSLalHRJfNomabuKcrBWl4qn4FYc+mV2BwQJbcK1ua2Vp2+Lo+4EiCF/a0CjlDx+tnmce48kPyY1FjM/8ZqvJJXBrEggcsfbwJaCjguUvwGME2dWP7FvLcm1mVHdLV0FNTC9jFIQPRrgEOGHgXsqpuI7s1HI4h0evqR1do+OtdVzZdXOQVifBZe9MLtlJCyESdWTTkXrqi6qZ+5sPhi9bk9O83SR5qqkKZDSicuf7sv13u29YlHdYx1nF7Fyc41iloucPU0/vZhVzdSzvaKsVDy+HxWkWQF6/wtt5ln02RjCEowT8BUgnZAxw68+WviI94N5Z7sBybPtn8JLz9xAy2MTbBpM6AstG5qvpU7ebiBxXrN/iSVWPymm8h6FgoboqjON5+RVpdEG/1th+tFv6NJi6/IAEAWQM5kvLkfU6IhR8QWS872u8oFCczD/BCa/DnLzw4sJ4uFeK+ONs4usFsTPkXgfcFFrIoSbioFCexEtMQYU+qDT7V4LoKw0+0Mea4isV9uLJHuYT/uiMPtM02v3lEW03jgdg=="], "x5t": "5Qq0UwfqmYfIpWJ1npRbCR2Xgko", "x5t#S256": "Edm40-kArU9K7Y0OKc8mj2zDlw3pIBSjQVHAaWu13A8"}]} ``` and this is ECDSA: ```json {"keys": [{"alg": "ES256", "kid": "3c0922f83ab20e07724a0a144cf28d45", "kty": "EC", "use": "sig", "x": "HhlEnOSYFB6hFx7Q10tZJz3Gc2UAekUYUFmJSO7PAvI", "y": "mfk3dqx3E7vhKN6wI9EAVHvJD_8HqgvVNMqhmLEOSGk", "crv": "P-256", "x5c": ["MIIBYzCCAQigAwIBAgIRAMdr4ofuME12udqdSS1cFywwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjUuMTAuMTAeFw0yNjA0MDkxNTM2MjlaFw0yNzA0MTAxNTM2MjlaMEcxGzAZBgNVBAMMEjIwMjYuaWQuYmVuYXJ5Lm9yZzESMBAGA1UECgwJYXV0aGVudGlrMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB4ZRJzkmBQeoRce0NdLWSc9xnNlAHpFGFBZiUjuzwLymfk3dqx3E7vhKN6wI9EAVHvJD/8HqgvVNMqhmLEOSGkwCgYIKoZIzj0EAwIDSQAwRgIhAJFbk3CLLQb9tTwYvYOTrFWqIneCHrmQtryEiEDrmdycAiEAyB5Z6sFm+qrc4sUZymhbYy0N3npDJR2/jocF4WOG79k="], "x5t": "lGfVde8nllMlKv9eRdyEpV8atTI", "x5t#S256": "XGHxfebarM51WAiEv5pOnCoXbu2_9seH-75SMLu3VTw"}]} ``` </details>

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

hydra.afnix.fr

lix-2.94

cores-setting

lix-2.93

lix-2.91

lix-2.92

bump-lix

jade/include-rearrangement

lix-update

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lix-project/hydra#79

No description provided.