feat: publish only public key to JWKS

cemalkilic · cemalkilic · commit 419dd46ad4ef · 2025-08-14T22:57:22.000+02:00
diff --git a/pkg/config/auth.go b/pkg/config/auth.go
@@ -108,6 +108,44 @@ type JWK struct {
 	Y     string `json:"y,omitempty"`
 }
 
+// ToPublicJWK converts a JWK to a public-only version by removing private key components
+func (j JWK) ToPublicJWK() JWK {
+	publicJWK := JWK{
+		KeyType:     j.KeyType,
+		KeyID:       j.KeyID,
+		Use:         j.Use,
+		Algorithm:   j.Algorithm,
+		Extractable: j.Extractable,
+	}
+	
+	// Only include key_ops for verification (not signing) for public keys
+	if len(j.KeyOps) > 0 {
+		var publicOps []string
+		for _, op := range j.KeyOps {
+			if op == "verify" {
+				publicOps = append(publicOps, op)
+			}
+		}
+		if len(publicOps) > 0 {
+			publicJWK.KeyOps = publicOps
+		}
+	}
+	
+	switch j.KeyType {
+	case "RSA":
+		// Include only public key components for RSA
+		publicJWK.Modulus = j.Modulus
+		publicJWK.Exponent = j.Exponent
+	case "EC":
+		// Include only public key components for ECDSA
+		publicJWK.Curve = j.Curve
+		publicJWK.X = j.X
+		publicJWK.Y = j.Y
+	}
+	
+	return publicJWK
+}
+
 type (
 	auth struct {
 		Enabled bool   `toml:"enabled"`
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -1441,17 +1441,25 @@ func (a *auth) ResolveJWKS(ctx context.Context, fsys afero.Fs) (string, error) {
 		jwks.Keys = append(jwks.Keys, rJWKS.Keys...)
 	}
 
-	// If SIGNING_KEYS_PATH is provided, read from file
+	// If SIGNING_KEYS_PATH is provided, read from file and convert to public keys
 	if len(a.SigningKeysPath) > 0 {
 		f, err := fsys.Open(a.SigningKeysPath)
 		if err != nil {
 			return "", errors.Errorf("failed to read signing key: %w", err)
 		}
-		jwtKeysArray, err := fetcher.ParseJSON[[]json.RawMessage](f)
+		jwtKeysArray, err := fetcher.ParseJSON[[]JWK](f)
 		if err != nil {
 			return "", err
 		}
-		jwks.Keys = append(jwks.Keys, jwtKeysArray...)
+		// Convert each signing key to public-only version
+		for _, key := range jwtKeysArray {
+			publicKey := key.ToPublicJWK()
+			publicKeyEncoded, err := json.Marshal(publicKey)
+			if err != nil {
+				return "", errors.Errorf("failed to marshal public key: %w", err)
+			}
+			jwks.Keys = append(jwks.Keys, json.RawMessage(publicKeyEncoded))
+		}
 	} else {
 		// Fallback to JWT_SECRET for backward compatibility
 		jwtSecret := secretJWK{
