
feat: add static key file support for OIDC authentication with per-issuer configuration#874

Merged
mattisonchao merged 6 commits into main from copilot/add-static-key-file-support
Jan 29, 2026

Conversation

Contributor

Copilot AI commented Jan 29, 2026

Plan for Static Key File Support in OIDC Authentication

  • 1. Add StaticKeyFiles map field to OIDCOptions struct
  • 2. Implement issuer-specific static key file loading
    • Support loading PEM-encoded public keys from different files per issuer
    • Create verifier from static keys when file is provided for an issuer
    • Allow mixing: some issuers with static keys, others with remote JWKS
    • Maintain backward compatibility (use remote JWKS if no static key file for issuer)
  • 3. Add unit tests for static key file functionality
    • Test successful authentication with static key files
    • Test multiple issuers with different key files
    • Test mixed configuration (static + remote)
    • Test fallback to remote JWKS when no static key file
    • Test error handling for invalid key files
    • Test ECDSA keys and certificate extraction
  • 4. Verify backward compatibility with existing tests
  • 5. Address code review feedback
    • Changed from single StaticKeyFile to StaticKeyFiles map
    • Each issuer can have its own key file
    • Properly handles mixed configurations
  • 6. Fix golangci-lint issues
    • Add default case to switch statement
    • Preallocate slice to avoid unnecessary allocations

Security Summary

  • No new vulnerabilities introduced
  • Dependencies checked: github.com/coreos/go-oidc/v3@3.17.0 and github.com/golang-jwt/jwt/v5@5.3.1 - no known vulnerabilities
  • Static key file loading uses standard crypto/x509 package
  • Proper error handling for malformed keys and certificates
  • No sensitive data exposed in logs or errors
  • Per-issuer key files provide better security isolation
  • All golangci-lint checks pass
Original prompt

This section details the original issue you should resolve

<issue_title>feat: support load static key file when user config the auth oidc</issue_title>
<issue_description>### Motivation

We need to support loading the static key file when the user configures the OIDC. There are some requirements:

  1. Add the new field in the auth-provider-params
  2. Don't change the existing behaviour.
  3. Add the unit testing for that.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits January 29, 2026 10:27
- Add StaticKeyFile field to OIDCOptions
- Implement loadPublicKeysFromFile function to load PEM-encoded keys
- Update NewOIDCProvider to support both static keys and remote JWKS
- Add comprehensive unit tests for static key functionality
- Update CLI help text with new parameter
- Maintain full backward compatibility with existing OIDC configuration

Co-authored-by: mattisonchao <74767115+mattisonchao@users.noreply.github.com>
- Remove unused ErrInvalidKeyFile error
- Improve key parsing logic to handle different key types properly
- Add strings.TrimSpace() for issuer URLs and audiences
- Add comprehensive tests for ECDSA keys and certificates
- Improve error messages with more specific context

Co-authored-by: mattisonchao <74767115+mattisonchao@users.noreply.github.com>
Co-authored-by: mattisonchao <74767115+mattisonchao@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for loading static key file in OIDC auth" to "feat: add static key file support for OIDC authentication" Jan 29, 2026
Copilot AI requested a review from mattisonchao January 29, 2026 10:34
@mattisonchao mattisonchao marked this pull request as ready for review January 29, 2026 10:37
@mattisonchao
Member

Hi @copilot

We should consider loading the public key for different issuers. You have to split them into a map structure.

- Change StaticKeyFile (string) to StaticKeyFiles (map[string]string)
- Support different key files for different issuers
- Allow mixing static keys and remote JWKS per issuer
- Add comprehensive tests for multiple issuers with different keys
- Update CLI documentation with map example

Co-authored-by: mattisonchao <74767115+mattisonchao@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 29, 2026

Hi @copilot

We should consider loading the public key for different issuers. You have to split them into a map structure.

Changed to use a map structure! Now StaticKeyFiles is a map[string]string where keys are issuer URLs and values are paths to key files. This allows:

  • Different key files for different issuers
  • Mixing static keys (some issuers) with remote JWKS (other issuers)
  • Better security isolation per issuer

Commit: 085b1f7

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /tmp/go-build3342158786/b001/auth.test /tmp/go-build3342158786/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=TestNewOIDCProviderWithStaticKeyFile ux-amd64/src/net (dns block)
    • Triggering command: /tmp/go-build1385471047/b001/auth.test /tmp/go-build1385471047/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true /tmp/go-build3342158786/b269/vet.cfg g_.a (dns block)
  • remote.example.com
    • Triggering command: /tmp/go-build3342158786/b001/auth.test /tmp/go-build3342158786/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=TestNewOIDCProviderWithStaticKeyFile ux-amd64/src/net (dns block)
    • Triggering command: /tmp/go-build1385471047/b001/auth.test /tmp/go-build1385471047/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true /tmp/go-build3342158786/b269/vet.cfg g_.a (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "feat: add static key file support for OIDC authentication" to "feat: add static key file support for OIDC authentication with per-issuer configuration" Jan 29, 2026
Member

@mattisonchao mattisonchao left a comment


LGTM

@mattisonchao mattisonchao self-requested a review January 29, 2026 11:30
@mattisonchao
Member

Hi @copilot

Please fix the golangci-lint.

- Add default case to switch statement in loadPublicKeysFromFile
- Preallocate pemData slice in test to avoid unnecessary allocations
- All golangci-lint checks now pass

Co-authored-by: mattisonchao <74767115+mattisonchao@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 29, 2026

Hi @copilot

Please fix the golangci-lint.

Fixed all golangci-lint issues:

  • Added default case to switch statement
  • Preallocated pemData slice in test

All linter checks now pass. Commit: 946baba

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /tmp/go-build2909393554/b001/auth.test /tmp/go-build2909393554/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • remote.example.com
    • Triggering command: /tmp/go-build2909393554/b001/auth.test /tmp/go-build2909393554/b001/auth.test -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from mattisonchao January 29, 2026 11:46
@mattisonchao mattisonchao merged commit a58b80b into main Jan 29, 2026
8 checks passed
@mattisonchao mattisonchao deleted the copilot/add-static-key-file-support branch January 29, 2026 13:07
mattisonchao added a commit that referenced this pull request Jan 29, 2026
…h per-issuer configuration (#874)"

This reverts commit a58b80b.
mattisonchao added a commit that referenced this pull request Jan 29, 2026
…h per-issuer configuration (#874)" (#875)

This reverts commit a58b80b.


Because the OIDC supports multiple issuers, we'd better support a
better JSON structure like:

```
{
  [issue_url]: { .. conf}
}
```