feat: support ES256 local signer (#4682)

Signed-off-by: Ilia Andreev <ilia.andreev@palark.com>
Co-authored-by: Ilia Andreev <ilia.andreev@palark.com>

Author: space-arens

cmd/dex/config.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/go-jose/go-jose/v4"
 	"golang.org/x/crypto/bcrypt"
 
 	"github.com/dexidp/dex/pkg/featureflags"
@@ -525,6 +526,11 @@ func (s *Signer) UnmarshalJSON(b []byte) error {
 			return fmt.Errorf("parse signer config: %v", err)
 		}
 	}
+	if localConfig, ok := signerConfig.(*signer.LocalConfig); ok {
+		if err := normalizeLocalSignerConfig(localConfig); err != nil {
+			return fmt.Errorf("parse signer config: %v", err)
+		}
+	}
 
 	*s = Signer{
 		Type:   signerData.Type,
@@ -533,6 +539,17 @@ func (s *Signer) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func normalizeLocalSignerConfig(c *signer.LocalConfig) error {
+	if c.Algorithm == "" {
+		c.Algorithm = jose.RS256
+		return nil
+	}
+	if c.Algorithm == jose.RS256 || c.Algorithm == jose.ES256 {
+		return nil
+	}
+	return fmt.Errorf("unsupported local signer algorithm %q", c.Algorithm)
+}
+
 // Connector is a magical type that can unmarshal YAML dynamically. The
 // Type field determines the connector type, which is then customized for Config.
 type Connector struct {

cmd/dex/config_test.go

@@ -4,9 +4,11 @@ import (
 	"encoding/json"
 	"log/slog"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/ghodss/yaml"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/kylelemons/godebug/pretty"
 
 	"github.com/dexidp/dex/connector/mock"
@@ -481,10 +483,11 @@ logger:
 
 func TestSignerConfigUnmarshal(t *testing.T) {
 	tests := []struct {
-		name    string
-		config  string
-		wantErr bool
-		check   func(*Config) error
+		name        string
+		config      string
+		wantErr     bool
+		errContains string
+		check       func(*Config) error
 	}{
 		{
 			name: "local signer with rotation period",
@@ -507,8 +510,84 @@ enablePasswordDB: true
 				}
 				if localConfig, ok := c.Signer.Config.(*signer.LocalConfig); !ok {
 					t.Error("expected LocalConfig")
-				} else if localConfig.KeysRotationPeriod != "6h" {
-					t.Errorf("expected keys rotation period '6h', got %q", localConfig.KeysRotationPeriod)
+				} else {
+					if localConfig.KeysRotationPeriod != "6h" {
+						t.Errorf("expected keys rotation period '6h', got %q", localConfig.KeysRotationPeriod)
+					}
+					if localConfig.Algorithm != jose.RS256 {
+						t.Errorf("expected default algorithm 'RS256', got %q", localConfig.Algorithm)
+					}
+				}
+				return nil
+			},
+		},
+		{
+			name: "local signer with ES256 algorithm",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: local
+  config:
+    keysRotationPeriod: 6h
+    algorithm: ES256
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				localConfig, ok := c.Signer.Config.(*signer.LocalConfig)
+				if !ok {
+					t.Error("expected LocalConfig")
+					return nil
+				}
+				if localConfig.Algorithm != jose.ES256 {
+					t.Errorf("expected algorithm 'ES256', got %q", localConfig.Algorithm)
+				}
+				return nil
+			},
+		},
+		{
+			name: "local signer with invalid algorithm",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: local
+  config:
+    keysRotationPeriod: 6h
+    algorithm: ES512
+enablePasswordDB: true
+`,
+			wantErr:     true,
+			errContains: `parse signer config: unsupported local signer algorithm "ES512"`,
+		},
+		{
+			name: "local signer without config",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: local
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				localConfig, ok := c.Signer.Config.(*signer.LocalConfig)
+				if !ok {
+					t.Error("expected LocalConfig")
+					return nil
+				}
+				if localConfig.Algorithm != jose.RS256 {
+					t.Errorf("expected default algorithm 'RS256', got %q", localConfig.Algorithm)
 				}
 				return nil
 			},
@@ -583,6 +662,10 @@ enablePasswordDB: true
 				t.Errorf("Unmarshal() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
+			if tt.errContains != "" && (err == nil || !strings.Contains(err.Error(), tt.errContains)) {
+				t.Errorf("Unmarshal() error = %v, want substring %q", err, tt.errContains)
+				return
+			}
 
 			if err == nil && tt.check != nil {
 				if err := tt.check(&c); err != nil {

config.docker.yaml

@@ -22,10 +22,15 @@ telemetry:
 
 expiry:
   deviceRequests: {{ getenv "DEX_EXPIRY_DEVICE_REQUESTS" "5m" }}
-  signingKeys: {{ getenv "DEX_EXPIRY_SIGNING_KEYS" "6h" }}
   idTokens: {{ getenv "DEX_EXPIRY_ID_TOKENS" "24h" }}
   authRequests: {{ getenv "DEX_EXPIRY_AUTH_REQUESTS" "24h" }}
 
+signer:
+  type: local
+  config:
+    keysRotationPeriod: {{ getenv "DEX_EXPIRY_SIGNING_KEYS" "6h" }}
+    algorithm: {{ getenv "DEX_SIGNER_LOCAL_ALGORITHM" "RS256" }}
+
 logger:
   level: {{ getenv "DEX_LOG_LEVEL" "info" }}
   format: {{ getenv "DEX_LOG_FORMAT" "text" }}

config.yaml.dist

@@ -87,13 +87,19 @@ web:
 # Expiration configuration for tokens, signing keys, etc.
 # expiry:
 #   deviceRequests: "5m"
-#   signingKeys: "6h"
+#   signingKeys: "6h" # deprecated, use signer.config.keysRotationPeriod
 #   idTokens: "24h"
 #   refreshTokens:
 #     disableRotation: false
 #     reuseInterval: "3s"
 #     validIfNotUsedFor: "2160h" # 90 days
 #     absoluteLifetime: "3960h" # 165 days
+#
+# signer:
+#   type: local
+#   config:
+#     keysRotationPeriod: "6h"
+#     algorithm: "RS256" # supported values: "RS256" (default) and "ES256"; changes apply on the next key rotation
 
 # OAuth2 configuration
 # oauth2:

examples/config-dev.yaml

@@ -88,7 +88,7 @@ telemetry:
 # Is possible to specify units using only s, m and h suffixes.
 # expiry:
 #   deviceRequests: "5m"
-#   signingKeys: "6h"
+#   signingKeys: "6h" # deprecated, use signer.config.keysRotationPeriod
 #   idTokens: "24h"
 #   refreshTokens:
 #     reuseInterval: "3s"
@@ -239,13 +239,14 @@ staticPasswords:
   - "team-a/admins"
   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
 
-# Settings for signing JWT tokens. Available options:
-# - "local": use local keys (only RSA keys supported)
-# - "vault": use Vault Transit backend (RSA and EC keys supported)
+# Configuration for signing JWT tokens.
+# - "local": use local keys (supports RS256 (default) and ES256)
+# - "vault": use Vault Transit backend (supports RSA, ECDSA, and Ed25519)
 signer:
   type: local
   config:
     keysRotationPeriod: "6h"
+    algorithm: "RS256" # changes apply on the next key rotation
 # signer
 #   type: vault
 #   config:

server/handlers_test.go

@@ -20,12 +20,14 @@ import (
 	gosundheit "github.com/AppsFlyer/go-sundheit"
 	"github.com/AppsFlyer/go-sundheit/checks"
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 
 	"github.com/dexidp/dex/connector"
 	"github.com/dexidp/dex/server/internal"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 )
 
@@ -112,6 +114,29 @@ func TestHandleDiscovery(t *testing.T) {
 	}, res)
 }
 
+func TestHandleDiscoveryWithES256LocalSigner(t *testing.T) {
+	httpServer, server := newTestServer(t, func(c *Config) {
+		localConfig := signer.LocalConfig{
+			KeysRotationPeriod: time.Hour.String(),
+			Algorithm:          jose.ES256,
+		}
+
+		sig, err := localConfig.Open(context.Background(), c.Storage, time.Hour, time.Now, c.Logger)
+		require.NoError(t, err)
+		c.Signer = sig
+	})
+	defer httpServer.Close()
+
+	rr := httptest.NewRecorder()
+	server.ServeHTTP(rr, httptest.NewRequest("GET", "/.well-known/openid-configuration", nil))
+	require.Equal(t, http.StatusOK, rr.Code)
+
+	var res discovery
+	err := json.NewDecoder(rr.Result().Body).Decode(&res)
+	require.NoError(t, err)
+	require.Equal(t, []string{string(jose.ES256)}, res.IDTokenAlgs)
+}
+
 func TestHandleHealthFailure(t *testing.T) {
 	httpServer, server := newTestServer(t, func(c *Config) {
 		c.HealthChecker = gosundheit.New()