
refactor(core): read admin tenant signing keys from the database in OSS #8869

Merged
xiaoyijun merged 8 commits into master from xiaoyijun-fix-oss-admin-jwks-from-db
May 28, 2026

Conversation

@xiaoyijun (Contributor) commented May 25, 2026

Summary

In OSS, validating Access Tokens issued by the admin tenant previously relied on fetching the admin tenant's OIDC discovery document and JWKS over HTTP from within the same Logto instance. This required the admin tenant endpoint to be reachable from the instance itself, which breaks several common OSS deployment topologies — reverse-proxied setups, containers where the public admin URL is not self-loopback addressable, environments with split DNS, etc. The issue has caused recurring confusion for self-hosters (see #6048 and related reports).

This PR makes the OSS path read the admin tenant signing keys directly from the database via the shared pool, then derives the public JWKS in process — no HTTP round trip needed. Cloud behavior is unchanged: it continues to use remote OIDC discovery and JWKS, since admin and user tenants may live on different services there.

  • getAdminTenantTokenValidationSet now branches on EnvSet.values.isCloud:
    • Cloud → existing remote discovery + JWKS path (unchanged), still cached for 1 hour.
    • OSS → new getOssAdminTenantTokenValidationSet, which reads oidc.privateKeys for the admin tenant from logto_configs and exports the corresponding public JWKs in oidc-provider key order (Current, Next, Previous).
  • Adds getAdminTenantPrivateSigningKeys in tenants/utils.ts that goes through EnvSet.sharedPool, mirroring getTenantDatabaseDsn — necessary because the caller may be running inside a user tenant whose pool is RLS-scoped.
  • Adds getOidcProviderPublicJwks to libraries/oidc-private-key.ts to centralize the private-to-public JWK export and key ordering.

Why cache the OSS path?

getAdminTenantTokenValidationSet runs for non-admin-tenant koaAuth requests, so OSS Management API traffic against the default tenant can hit this path frequently. To avoid adding a per-request database read and public-key derivation to that hot path, the OSS branch reuses the existing 1-hour JWKS cache.

This keeps the cache semantics aligned with the previous remote JWKS path and the Cloud branch: the data source changes from HTTP to the database in OSS, while the validation set is still cached by admin issuer.

Testing

unit tests

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments

Copilot AI review requested due to automatic review settings May 25, 2026 08:33
@xiaoyijun xiaoyijun requested a review from a team May 25, 2026 08:33
github-actions Bot commented May 25, 2026

COMPARE TO master

Total Size Diff: ⚠️ 📈 +11.42 KB

Diff by File
Name | Diff
.changeset/oss-admin-jwks-db-read.md | 📈 +327 Bytes
packages/core/src/env-set/oidc.ts | 📈 +12 Bytes
packages/core/src/libraries/oidc-private-key.test.ts | 📈 +1.17 KB
packages/core/src/libraries/oidc-private-key.ts | 📈 +523 Bytes
packages/core/src/middleware/koa-auth/utils.test.ts | 📈 +7.28 KB
packages/core/src/middleware/koa-auth/utils.ts | 📈 +1.08 KB
packages/core/src/tenants/Tenant.test.ts | 📈 +52 Bytes
packages/core/src/tenants/utils.ts | 📈 +1018 Bytes

@github-actions github-actions Bot added size/l and removed size/l labels May 25, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes OSS admin-tenant access-token validation by removing the internal HTTP dependency on the admin tenant’s OIDC discovery/JWKS endpoints. Instead, OSS now reads the admin tenant’s private signing keys from the database via the shared pool and derives public JWKS in-process; Cloud behavior remains unchanged (remote discovery + JWKS with caching).

Changes:

  • Add OSS-specific admin token validation set generation from DB-backed oidc.privateKeys, exporting public JWKS in oidc-provider key order.
  • Introduce a shared-pool helper to read admin tenant private signing keys from logto_configs (bypassing tenant-scoped RLS pools).
  • Add unit tests for Cloud vs OSS behavior and key ordering, plus a changeset entry.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Summary per file
File | Description
packages/core/src/tenants/utils.ts | Adds shared-pool DB read helper for admin tenant private signing keys.
packages/core/src/middleware/koa-auth/utils.ts | Branches Cloud vs OSS admin token validation; OSS derives JWKS from DB keys.
packages/core/src/middleware/koa-auth/utils.test.ts | Adds unit tests for OSS DB path, Cloud remote path, ordering, and caching behavior.
packages/core/src/libraries/oidc-private-key.ts | Adds helper to export public JWKS from private keys in oidc-provider order.
packages/core/src/libraries/oidc-private-key.test.ts | Adds unit test for getOidcProviderPublicJwks ordering/export.
.changeset/oss-admin-jwks-db-read.md | Patch changeset documenting OSS behavior change.


Comment thread packages/core/src/middleware/koa-auth/utils.ts
Comment thread packages/core/src/tenants/utils.ts
Comment thread packages/core/src/middleware/koa-auth/utils.ts
@xiaoyijun xiaoyijun force-pushed the xiaoyijun-fix-oss-admin-jwks-from-db branch from b7e2ebc to 28b25d8 Compare May 25, 2026 08:37
@github-actions github-actions Bot added size/l and removed size/l labels May 25, 2026
Copilot AI review requested due to automatic review settings May 25, 2026 08:55
@github-actions github-actions Bot added size/l and removed size/l labels May 25, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

@github-actions github-actions Bot added size/l and removed size/l labels May 25, 2026
@github-actions github-actions Bot removed the size/l label May 25, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread packages/core/src/middleware/koa-auth/utils.ts
@github-actions github-actions Bot added size/l and removed size/l labels May 26, 2026
@xiaoyijun (Contributor, Author) commented:

Addressed the review comments in e383841 and 99b7276:

  • Reused getOidcProviderPublicJwks from loadOidcValues and added the helper JSDoc.
  • Simplified public-key export to call crypto.createPublicKey(value) directly.
  • Added OSS derived-JWKS caching through the existing 1-hour jwksCache, and updated the PR body/tests to match.
  • Added coverage for empty oidc.privateKeys and schema-mismatch rows.
  • Trimmed test descriptors, removed unused createdAt helper parameters, and clarified the Tenant.test.ts full-module mock surface.

Focused checks passed locally with Node 22:

pnpm --filter @logto/core build:test
pnpm --filter @logto/core test:only build/middleware/koa-auth/utils.test.js build/libraries/oidc-private-key.test.js build/tenants/Tenant.test.js

Copilot AI review requested due to automatic review settings May 26, 2026 08:12
@xiaoyijun xiaoyijun force-pushed the xiaoyijun-fix-oss-admin-jwks-from-db branch from 99b7276 to e383841 Compare May 26, 2026 08:12
@github-actions github-actions Bot removed the size/l label May 26, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread packages/core/src/middleware/koa-auth/utils.ts
@github-actions github-actions Bot added size/l and removed size/l labels May 26, 2026
Copilot AI review requested due to automatic review settings May 27, 2026 02:59
@github-actions github-actions Bot added size/l and removed size/l labels May 27, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

Comment thread packages/core/src/tenants/utils.ts Outdated
@github-actions github-actions Bot added size/l and removed size/l labels May 28, 2026
@xiaoyijun xiaoyijun merged commit 671a7b7 into master May 28, 2026
43 of 44 checks passed
@xiaoyijun xiaoyijun deleted the xiaoyijun-fix-oss-admin-jwks-from-db branch May 28, 2026 02:56
