fix: accept active signing keys for oidc logout

Author: mallendeo

server/lib/oauth/keys.ts

@@ -15,13 +15,16 @@ function getEncryptionKey(): string {
     return key;
 }
 
-export async function ensureSigningKey(): Promise<void> {
-    const [existingKey] = await db
+async function selectActiveSigningKeys() {
+    return db
         .select()
         .from(oauthSigningKeys)
         .where(eq(oauthSigningKeys.active, true))
-        .orderBy(desc(oauthSigningKeys.createdAt))
-        .limit(1);
+        .orderBy(desc(oauthSigningKeys.createdAt));
+}
+
+export async function ensureSigningKey(): Promise<void> {
+    const [existingKey] = await selectActiveSigningKeys();
 
     if (existingKey) {
         return;
@@ -57,12 +60,7 @@ export async function getActiveSigningKey(): Promise<{
     publicKeyPem: string;
     privateKeyPem: string;
 }> {
-    const [activeKey] = await db
-        .select()
-        .from(oauthSigningKeys)
-        .where(eq(oauthSigningKeys.active, true))
-        .orderBy(desc(oauthSigningKeys.createdAt))
-        .limit(1);
+    const [activeKey] = await selectActiveSigningKeys();
 
     if (!activeKey) {
         throw new Error("No active OAuth signing key found");
@@ -76,12 +74,24 @@ export async function getActiveSigningKey(): Promise<{
     };
 }
 
+export async function getActiveSigningPublicKeys(): Promise<
+    {
+        keyId: string;
+        algorithm: string;
+        publicKeyPem: string;
+    }[]
+> {
+    const activeKeys = await selectActiveSigningKeys();
+
+    return activeKeys.map((key) => ({
+        keyId: key.keyId,
+        algorithm: key.algorithm,
+        publicKeyPem: key.publicKeyPem
+    }));
+}
+
 export async function getJWKS(): Promise<JsonWebKey[]> {
-    const activeKeys = await db
-        .select()
-        .from(oauthSigningKeys)
-        .where(eq(oauthSigningKeys.active, true))
-        .orderBy(desc(oauthSigningKeys.createdAt));
+    const activeKeys = await selectActiveSigningKeys();
 
     return activeKeys.map((key) => {
         const exported = createPublicKey(key.publicKeyPem).export({

server/routers/oauth/endSession.ts

@@ -8,7 +8,7 @@ import {
     oauthClients,
     oauthRefreshTokens
 } from "@server/db";
-import { getActiveSigningKey } from "@server/lib/oauth/keys";
+import { getActiveSigningPublicKeys } from "@server/lib/oauth/keys";
 import { getIssuerUrl } from "@server/lib/oauth/issuer";
 import {
     createBlankSessionTokenCookie,
@@ -40,16 +40,29 @@ export async function handleEndSession(
 
         if (idTokenHint) {
             try {
-                const signingKey = await getActiveSigningKey();
-                const decoded = jsonwebtoken.verify(
-                    idTokenHint,
-                    signingKey.publicKeyPem,
-                    {
-                        algorithms: ["RS256"],
-                        issuer: getIssuerUrl(),
-                        ignoreExpiration: true
+                const signingKeys = await getActiveSigningPublicKeys();
+                let decoded: string | jsonwebtoken.JwtPayload | undefined;
+
+                for (const signingKey of signingKeys) {
+                    try {
+                        decoded = jsonwebtoken.verify(
+                            idTokenHint,
+                            signingKey.publicKeyPem,
+                            {
+                                algorithms: ["RS256"],
+                                issuer: getIssuerUrl(),
+                                ignoreExpiration: true
+                            }
+                        );
+                        break;
+                    } catch {
+                        continue;
                     }
-                );
+                }
+
+                if (!decoded) {
+                    throw new Error("Invalid id_token_hint");
+                }
 
                 if (
                     typeof decoded === "object" &&