standard_id 0.2.5 → 0.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1943644d0423c990ca37c0c666c1bd23f3b968320b3e7ffd573a9c3ce7ee71e1
-  data.tar.gz: ddd8b3e73ec3f949e0b15b680891c0721aa7ef712c95d1fdacde275688ad5539
+  metadata.gz: '088c979a8207e9ed4cf6cdeec8a679985271bea03989b3feeaa187bf28df95f4'
+  data.tar.gz: 0aee93fe07e01a10c1c5133bffac61dae72f59933999c279f1fb54ee178e27e0
 SHA512:
-  metadata.gz: ee653052de174dc0c3fd6577a1edaaced24fdd530d883e08ded724e5a25a3657aa0e9ea3133d7609563ee2f6c34819278869b4476f97271be6c3e290160dacc3
-  data.tar.gz: 5c745b656babf628cf122f385f42dc7dbb33ad724e36637039462d457b28aa6edde5f77acd09a5f5e1bc0af27ec191da6ef86ef7137734f45798b45f0d0e9e87
+  metadata.gz: 0ea65251e2b8a5599ee837d0e35ce8204ae5c98fd701fbba18fa2e53b34450af6d30fb54b89149c3539ffefbdadc60a93db9688b94469df08957a307ce62884a
+  data.tar.gz: bf4af5c23d299ff9488b44a4f5e3a30c59f892a155d4ca01491fb6c3b434946ba43d967f8e2e8c4d4ea4cdaa811d855bebfa8d4632430c7f779339475bdb6004

data/app/controllers/standard_id/api/well_known/jwks_controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module StandardId
+  module Api
+    module WellKnown
+      class JwksController < ActionController::API
+        def show
+          jwks = StandardId::JwtService.jwks
+
+          if jwks.nil?
+            render json: { error: "JWKS not available" }, status: :not_found
+            return
+          end
+
+          response.headers["Cache-Control"] = "public, max-age=3600"
+          render json: jwks
+        end
+      end
+    end
+  end
+end

data/config/routes/api.rb

@@ -19,5 +19,9 @@ StandardId::ApiEngine.routes.draw do
         post ":provider", to: "providers#callback", as: :provider
       end
     end
+
+    scope ".well-known", module: :well_known do
+      get "jwks.json", to: "jwks#show", as: :jwks
+    end
   end
 end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -8,6 +8,10 @@ StandardId.configure do |c|
   # c.logger = Rails.logger
   # c.web_layout = "application"
 
+  # JWT issuer claim (iss) - typically your application's URL
+  # Used in JWT tokens and verified on decode when set
+  # c.issuer = "https://auth.example.com"
+
   # Inertia.js support (requires inertia_rails gem)
   # When enabled, StandardId web controllers will render Inertia components
   # instead of ERB views. You must create the corresponding components in your
@@ -51,6 +55,32 @@ StandardId.configure do |c|
   # }
   # c.oauth.allowed_audiences = %w[web mobile admin] # Empty = no validation
 
+  # JWT Signing Configuration (Asymmetric Algorithms)
+  # By default, JWTs are signed with HS256 using Rails.application.secret_key_base.
+  # For asymmetric signing, configure a private key and expose the public key
+  # via the JWKS endpoint at /.well-known/jwks.json
+  #
+  # Algorithm choices:
+  #   ES256 (ECDSA) - Recommended for new projects. Smaller keys, faster, modern.
+  #   RS256 (RSA)   - Wider compatibility with older systems.
+  #
+  # Generate keys:
+  #   ES256: openssl ecparam -name prime256v1 -genkey -noout -out signing_key.pem
+  #   RS256: openssl genrsa -out signing_key.pem 2048
+  #
+  # Option 1: Rails credentials (recommended)
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = Rails.application.credentials.dig(:standard_id, :signing_key)
+  #
+  # Option 2: Environment variable (replace literal \n with newlines)
+  # Convert PEM to env-safe format: awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' signing_key.pem
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = ENV["JWT_SIGNING_KEY"]&.gsub('\n', "\n")
+  #
+  # Option 3: File path
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = Rails.root.join("config/signing_key.pem")
+
   # Events
   # Enable or disable logging emitted via the internal event system
   # c.events.enable_logging = false

data/lib/standard_id/config/schema.rb

@@ -51,6 +51,16 @@ StandardConfig.schema.draw do
     field :scope_claims, type: :hash, default: -> { {} }
     field :claim_resolvers, type: :hash, default: -> { {} }
     field :allowed_audiences, type: :array, default: -> { [] } # Empty = no validation, any audience allowed
+
+    # JWT signing configuration (for asymmetric algorithms)
+    # If nil, uses HS256 with Rails.application.secret_key_base
+    field :signing_key, type: :any, default: nil
+
+    # Signing algorithm (see JwtService::SUPPORTED_ALGORITHMS for full list)
+    # Symmetric (HMAC): :hs256, :hs384, :hs512
+    # Asymmetric (RSA): :rs256, :rs384, :rs512
+    # Asymmetric (ECDSA): :es256, :es384, :es512
+    field :signing_algorithm, type: :symbol, default: :hs256
   end
 
   scope :social do

data/lib/standard_id/jwt_service.rb

@@ -1,12 +1,31 @@
 require "jwt"
 require "concurrent/delay"
+require "openssl"
+require "digest"
 
 module StandardId
   class JwtService
-    ALGORITHM = "HS256"
     RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
     BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type aud]
 
+    # Supported signing algorithms categorized by type
+    # Symmetric: use shared secret (Rails.application.secret_key_base)
+    # Asymmetric: use key pairs (RSA or EC private key)
+    SUPPORTED_ALGORITHMS = {
+      # HMAC (symmetric)
+      "HS256" => { type: :symmetric },
+      "HS384" => { type: :symmetric },
+      "HS512" => { type: :symmetric },
+      # RSA (asymmetric)
+      "RS256" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      "RS384" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      "RS512" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      # ECDSA (asymmetric)
+      "ES256" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
+      "ES384" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
+      "ES512" => { type: :asymmetric, key_class: OpenSSL::PKey::EC }
+    }.freeze
+
     SESSION_CLASS = Concurrent::Delay.new do
       Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
         def active?
@@ -19,17 +38,73 @@ module StandardId
       SESSION_CLASS.value
     end
 
+    def self.algorithm
+      StandardId.config.oauth.signing_algorithm.to_s.upcase
+    end
+
+    def self.algorithm_config
+      SUPPORTED_ALGORITHMS[algorithm] || raise(ArgumentError, "Unsupported algorithm: #{algorithm}. Supported: #{SUPPORTED_ALGORITHMS.keys.join(', ')}")
+    end
+
+    def self.asymmetric?
+      algorithm_config[:type] == :asymmetric
+    end
+
+    def self.signing_key
+      if asymmetric?
+        @signing_key_cache ||= parse_private_key(StandardId.config.oauth.signing_key)
+      else
+        Rails.application.secret_key_base
+      end
+    end
+
+    def self.verification_key
+      if asymmetric?
+        key = signing_key
+        # For EC keys, the key itself can be used for verification
+        # For RSA keys, we extract the public key
+        key.is_a?(OpenSSL::PKey::EC) ? key : key.public_key
+      else
+        Rails.application.secret_key_base
+      end
+    end
+
+    def self.key_id
+      return nil unless asymmetric?
+
+      # Generate stable key ID from public key fingerprint
+      # Use public_to_pem which works for both RSA and EC keys
+      @key_id ||= Digest::SHA256.hexdigest(signing_key.public_to_pem)[0..7]
+    end
+
+    def self.reset_cached_key!
+      @key_id = nil
+      @signing_key_cache = nil
+      @jwks = nil
+    end
+
     def self.encode(payload, expires_in: 1.hour)
       payload[:exp] = expires_in.from_now.to_i
       payload[:iat] = Time.current.to_i
+      payload[:iss] ||= StandardId.config.issuer if StandardId.config.issuer.present?
+
+      headers = {}
+      headers[:kid] = key_id if asymmetric?
 
-      JWT.encode(payload, secret_key, ALGORITHM)
+      JWT.encode(payload, signing_key, algorithm, headers)
     end
 
     def self.decode(token)
-      decoded = JWT.decode(token, secret_key, true, { algorithm: ALGORITHM })
+      options = { algorithm: algorithm }
+
+      if StandardId.config.issuer.present?
+        options[:iss] = StandardId.config.issuer
+        options[:verify_iss] = true
+      end
+
+      decoded = JWT.decode(token, verification_key, true, options)
       decoded.first.with_indifferent_access
-    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError
+    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError, JWT::InvalidIssuerError
       nil
     end
 
@@ -53,10 +128,22 @@ module StandardId
       )
     end
 
+    def self.jwks
+      return nil unless asymmetric?
+
+      @jwks ||= begin
+        jwk = JWT::JWK.new(verification_key, kid: key_id)
+        { keys: [jwk.export] }
+      end
+    end
+
     private
 
-    def self.secret_key
-      Rails.application.secret_key_base
+    def self.parse_private_key(key_source)
+      pem = key_source.is_a?(Pathname) ? File.read(key_source) : key_source
+      key_class = algorithm_config[:key_class]
+
+      key_class.new(pem)
     end
 
     def self.claim_resolver_keys

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.2.5"
+  VERSION = "0.2.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.2.6
 platform: ruby
 authors:
 - Jaryl Sim
@@ -80,6 +80,7 @@ files:
 - app/controllers/standard_id/api/oidc/logout_controller.rb
 - app/controllers/standard_id/api/passwordless_controller.rb
 - app/controllers/standard_id/api/userinfo_controller.rb
+- app/controllers/standard_id/api/well_known/jwks_controller.rb
 - app/controllers/standard_id/web/account_controller.rb
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
 - app/controllers/standard_id/web/base_controller.rb