
feat: per-application signing algorithm + multi-algorithm VS support#272

Merged
The127 merged 4 commits into main from feat/signing-algorithm-per-app
Apr 20, 2026

Conversation

@The127
Owner

@The127 The127 commented Apr 20, 2026

Summary

  • Multi-algorithm signing keys per VS: Each virtual server now supports a primarySigningAlgorithm and additionalSigningAlgorithms. Keys are generated for all configured algorithms, served via JWKS (filtered by VS config), and orphaned keys are cleaned up by the rotation job.
  • Per-application signing algorithm override: Each application can declare a signingAlgorithm field. When set, all tokens issued to that app are signed with that algorithm instead of the VS primary. Removing an algorithm from a VS is rejected if any application still references it.
  • Client tests: Added coverage for the new fields in the Go client test suite.

Test plan

  • just ci passes (unit + integration + e2e — verified locally)
  • e2e: RS256 app issues RS256-signed tokens; default app uses EdDSA
  • e2e: Setting unsupported algorithm on app is rejected
  • e2e: Removing algorithm from VS blocked when app still uses it
  • e2e: JWKS reflects configured algorithms immediately after PATCH
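
The resolution and validation rules the summary describes (app override falling back to the VS primary, rejecting an algorithm the VS does not serve, blocking removal of an algorithm an app still references), as an added Go example written for this page. It is not the project's code: the type and function names other than `primarySigningAlgorithm`, `additionalSigningAlgorithms`, `signingAlgorithm` and `AllSigningAlgorithms()`, the `supportedAlgs` set and the sample VS/app configuration are all assumptions constructed here.

```go
package main

import "fmt"

// Alg is a JWA algorithm name; the supported set is an assumption for this example.
type Alg string

const (
	EdDSA Alg = "EdDSA"
	RS256 Alg = "RS256"
)

var supportedAlgs = map[Alg]bool{EdDSA: true, RS256: true, "ES256": true}

// VirtualServer carries the two fields the PR introduces.
type VirtualServer struct {
	Name                        string
	PrimarySigningAlgorithm     Alg
	AdditionalSigningAlgorithms []Alg
}

// AllSigningAlgorithms returns the primary first, then the additionals, de-duplicated.
func (vs VirtualServer) AllSigningAlgorithms() []Alg {
	seen := map[Alg]bool{vs.PrimarySigningAlgorithm: true}
	all := []Alg{vs.PrimarySigningAlgorithm}
	for _, a := range vs.AdditionalSigningAlgorithms {
		if !seen[a] {
			seen[a] = true
			all = append(all, a)
		}
	}
	return all
}

func (vs VirtualServer) Supports(alg Alg) bool {
	for _, a := range vs.AllSigningAlgorithms() {
		if a == alg {
			return true
		}
	}
	return false
}

// Application.SigningAlgorithm is optional: "" means "follow the VS primary".
type Application struct {
	Name, VirtualServer string
	SigningAlgorithm    Alg
}

// ValidateAppAlgorithm is the create/patch check: only an algorithm the server
// knows and the app's VS has keys for may be chosen.
func ValidateAppAlgorithm(vs VirtualServer, alg Alg) error {
	switch {
	case alg == "":
		return nil
	case !supportedAlgs[alg]:
		return fmt.Errorf("unsupported signing algorithm %q", alg)
	case !vs.Supports(alg):
		return fmt.Errorf("algorithm %s is not configured on virtual server %q", alg, vs.Name)
	}
	return nil
}

// ResolveSigningAlgorithm picks the algorithm for tokens issued to app: the override
// when set, otherwise the VS primary. The override is re-checked at issuance time
// so a reference that went stale is an error rather than a silent fallback.
func ResolveSigningAlgorithm(vs VirtualServer, app Application) (Alg, error) {
	if app.SigningAlgorithm == "" {
		return vs.PrimarySigningAlgorithm, nil
	}
	if err := ValidateAppAlgorithm(vs, app.SigningAlgorithm); err != nil {
		return "", fmt.Errorf("application %q: %w", app.Name, err)
	}
	return app.SigningAlgorithm, nil
}

// ValidateVSPatch guards a VS config change: an algorithm may only be dropped if no
// application on that VS references it. Changing the primary alone is fine; apps
// without an override simply follow the new primary.
func ValidateVSPatch(old, proposed VirtualServer, apps []Application) error {
	if proposed.PrimarySigningAlgorithm == "" {
		return fmt.Errorf("primarySigningAlgorithm is required")
	}
	for _, a := range old.AllSigningAlgorithms() {
		if proposed.Supports(a) {
			continue
		}
		for _, app := range apps {
			if app.VirtualServer == old.Name && app.SigningAlgorithm == a {
				return fmt.Errorf("cannot remove %s from %q: application %q still uses it", a, old.Name, app.Name)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample configuration, not taken from the project.
	vs := VirtualServer{Name: "default", PrimarySigningAlgorithm: EdDSA, AdditionalSigningAlgorithms: []Alg{RS256}}
	apps := []Application{{Name: "web", VirtualServer: "default"}, {Name: "legacy", VirtualServer: "default", SigningAlgorithm: RS256}}
	for _, app := range apps {
		fmt.Println(ResolveSigningAlgorithm(vs, app))
	}
	fmt.Println(ValidateVSPatch(vs, VirtualServer{Name: "default", PrimarySigningAlgorithm: EdDSA}, apps))
}
```

Note the asymmetry: only an explicit app override pins an algorithm. Swapping the primary from EdDSA to RS256 while keeping EdDSA as an additional algorithm passes, and so does dropping EdDSA entirely when no app names it, because apps without an override are re-resolved against the new primary on the next issuance.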

The127 added 4 commits April 20, 2026 19:09
Each virtual server now has a primary signing algorithm (used to sign new
tokens) and an optional list of additional algorithms. All configured
algorithms get keys generated, are served via JWKS, and are listed in
the discovery document.

Key changes:
- DB migration: replace signing_algorithm with primary_signing_algorithm
  and additional_signing_algorithms columns
- VirtualServer domain model: new fields + AllSigningAlgorithms() helper
- KeyCache keyed by (vsName, algorithm) to avoid cross-algorithm hits
- KeyService.GetAllKeys returns all key pairs for a VS
- KeyStore.RemoveAllForAlgorithm for bulk cleanup
- JWKS handler filters by configured algorithms (DB is authoritative)
- PatchVirtualServer generates keys for newly added algorithms immediately
- Key rotation job seeds keys for new algorithms and purges orphan keys
  for algorithms removed from the VS config
- E2e tests covering add/remove/change-primary scenarios

Signed-off-by: karo <karolinkostial@gmail.com>
Allow each application to declare a signingAlgorithm field that overrides
the virtual server's primary algorithm for all tokens issued to that app.
Falls back to VS primary when unset. Validation rejects algorithms not
configured on the VS, and removing an algorithm from a VS is rejected if
any application still references it.

Signed-off-by: karo <karolinkostial@gmail.com>
Cover signingAlgorithm on application create/patch/get and
primarySigningAlgorithm/additionalSigningAlgorithms on virtual server
patch/get. No code changes — fields were already exposed via DTO
pass-through.

Signed-off-by: karo <karolinkostial@gmail.com>
Signed-off-by: karo <karolinkostial@gmail.com>
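
The key lifecycle the first commit message lists (a cache keyed by `(vsName, algorithm)`, seeding keys for newly added algorithms, purging orphans when an algorithm is removed, and a JWKS filtered by the VS configuration rather than by whatever keys exist), as an added Go example written for this page. It is not the project's `KeyCache`/`KeyService`/`KeyStore` code: the `Seed`, `PurgeOrphans` and `JWKS` method names, the `vs-alg-1` kid format and the sample configuration are assumptions constructed here, and only EdDSA and RS256 are implemented.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
	"math/big"
)

// keyID is the cache key: (virtual server, algorithm). Keying on both means an
// EdDSA lookup can never be satisfied by that VS's RS256 key, or vice versa.
type keyID struct{ VS, Alg string }

type keyPair struct {
	Kid, Alg string
	Priv     crypto.Signer
}

// KeyStore stands in for the persisted key table plus its cache (assumed shape).
type KeyStore struct{ keys map[keyID]keyPair }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[keyID]keyPair{}} }

func generate(alg string) (crypto.Signer, error) {
	switch alg {
	case "EdDSA":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	case "RS256":
		return rsa.GenerateKey(rand.Reader, 2048)
	}
	return nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// Seed creates a key pair for every configured algorithm that has none yet
// (run on PATCH and by the rotation job); existing keys are left untouched.
func (s *KeyStore) Seed(vs string, algs []string) error {
	for _, a := range algs {
		id := keyID{vs, a}
		if _, ok := s.keys[id]; ok {
			continue
		}
		priv, err := generate(a)
		if err != nil {
			return err
		}
		s.keys[id] = keyPair{Kid: fmt.Sprintf("%s-%s-1", vs, a), Alg: a, Priv: priv}
	}
	return nil
}

// PurgeOrphans deletes keys for algorithms no longer in the VS config and
// returns their kids; this is the rotation job's cleanup step.
func (s *KeyStore) PurgeOrphans(vs string, algs []string) []string {
	keep := map[string]bool{}
	for _, a := range algs {
		keep[a] = true
	}
	var removed []string
	for id, kp := range s.keys {
		if id.VS == vs && !keep[id.Alg] {
			removed = append(removed, kp.Kid)
			delete(s.keys, id)
		}
	}
	return removed
}

// JWKS returns the public keys for vs in config order, filtered by the configured
// algorithms: the config, not the store contents, decides what is served.
func (s *KeyStore) JWKS(vs string, algs []string) []map[string]string {
	var out []map[string]string
	for _, a := range algs {
		if kp, ok := s.keys[keyID{vs, a}]; ok {
			out = append(out, jwk(kp))
		}
	}
	return out
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwk renders one public key as an RFC 7517 (RSA) or RFC 8037 (OKP) JWK.
func jwk(kp keyPair) map[string]string {
	j := map[string]string{"kid": kp.Kid, "alg": kp.Alg, "use": "sig"}
	switch pub := kp.Priv.Public().(type) {
	case ed25519.PublicKey:
		j["kty"], j["crv"], j["x"] = "OKP", "Ed25519", b64(pub)
	case *rsa.PublicKey:
		j["kty"], j["n"], j["e"] = "RSA", b64(pub.N.Bytes()), b64(big.NewInt(int64(pub.E)).Bytes())
	}
	return j
}

func main() {
	s := NewKeyStore()
	cfg := []string{"EdDSA", "RS256"} // constructed VS config
	if err := s.Seed("default", cfg); err != nil {
		panic(err)
	}
	for _, k := range s.JWKS("default", cfg) {
		fmt.Println(k["kid"], k["kty"], k["alg"])
	}
}
```

The filter in `JWKS` is what makes a PATCH visible immediately: a key that is still in the store for an algorithm just removed from the config is no longer published even before the rotation job has purged it, and a key for a newly added algorithm appears as soon as `Seed` has generated it.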
@The127 The127 enabled auto-merge April 20, 2026 17:56
@The127 The127 merged commit 8b662ed into main Apr 20, 2026
8 checks passed
@The127 The127 deleted the feat/signing-algorithm-per-app branch April 20, 2026 17:58