Address review: restore OIDC pubkey file loading and well-known config

- oidc_service.go: revert to loading public key from PublicKeyPath (parse
  PEM/PKIX) instead of deriving from privateKey.PublicKey. Lets operators
  supply their own public key; more predictable behavior.
- well_known_controller.go: restore RequestParameterSupported=true and
  RequestObjectSigningAlgValuesSupported=["none"]. #864 is a false
  positive — frontend parses the JWT.
- well_known_controller_test.go: restore matching expected values.

Author: Dredsen

internal/controller/well_known_controller.go

@@ -65,7 +65,8 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
 		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-		RequestParameterSupported: false,
+		RequestParameterSupported:              true,
+		RequestObjectSigningAlgValuesSupported: []string{"none"},
 	})
 }
 

internal/controller/well_known_controller_test.go

@@ -57,7 +57,8 @@ func TestWellKnownController(t *testing.T) {
 					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
 					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-					RequestParameterSupported: false,
+					RequestParameterSupported:              true,
+					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 
 				assert.Equal(t, expected, res)

internal/service/oidc_service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
@@ -120,6 +121,7 @@ type OIDCService struct {
 
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
+	publicKey  crypto.PublicKey
 	issuer     string
 }
 
@@ -192,17 +194,49 @@ func NewOIDCService(
 		}
 	}
 
-	der := x509.MarshalPKCS1PublicKey(&privateKey.PublicKey)
-	if der == nil {
-		return nil, errors.New("failed to marshal public key")
+	var publicKey crypto.PublicKey
+
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
+
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return nil, fmt.Errorf("failed to read public key: %w", err)
 	}
-	encoded := pem.EncodeToMemory(&pem.Block{
-		Type:  "RSA PUBLIC KEY",
-		Bytes: der,
-	})
-	err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
-	if err != nil {
-		return nil, err
+
+	if errors.Is(err, os.ErrNotExist) {
+		publicKey = privateKey.Public()
+		der := x509.MarshalPKCS1PublicKey(publicKey.(*rsa.PublicKey))
+		if der == nil {
+			return nil, errors.New("failed to marshal public key")
+		}
+		encoded := pem.EncodeToMemory(&pem.Block{
+			Type:  "RSA PUBLIC KEY",
+			Bytes: der,
+		})
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		block, _ := pem.Decode(fpublicKey)
+		if block == nil {
+			return nil, errors.New("failed to decode public key")
+		}
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		switch block.Type {
+		case "RSA PUBLIC KEY":
+			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse public key: %w", err)
+			}
+		case "PUBLIC KEY":
+			publicKey, err = x509.ParsePKIXPublicKey(block.Bytes)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse public key: %w", err)
+			}
+		default:
+			return nil, fmt.Errorf("unsupported public key type: %s", block.Type)
+		}
 	}
 
 	// We will reorganize the client into a map with the client ID as the key
@@ -237,6 +271,7 @@ func NewOIDCService(
 
 		clients:    clients,
 		privateKey: privateKey,
+		publicKey:  publicKey,
 		issuer:     issuer,
 	}