From 8cbf0731e00d7a3baf10e254c33d3f557d797a70 Mon Sep 17 00:00:00 2001 From: Dan Milne Date: Thu, 23 Oct 2025 20:39:45 +1100 Subject: [PATCH] JWT service --- .env.example | 10 ++++++++++ app/services/oidc_jwt_service.rb | 16 +++++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/.env.example b/.env.example index 57a8363..9386361 100644 --- a/.env.example +++ b/.env.example @@ -19,6 +19,16 @@ SMTP_ENABLE_STARTTLS=true CLINCH_HOST=http://localhost:9000 CLINCH_FROM_EMAIL=noreply@example.com +# OIDC Configuration +# RSA private key for signing ID tokens (JWT) +# Generate with: openssl genrsa 2048 +# Important: Generate once and keep the same key across deployments +# If you change this key, all existing OIDC sessions will be invalidated +# OIDC_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY----- +# MIIEpAIBAAKCAQEAyZ0qaICMiLVWSFs+ef9Xok3fzy0p6k/7D5TQzmxf... +# ...your key content here... +# -----END RSA PRIVATE KEY-----" + # Optional: Force SSL in production # FORCE_SSL=true diff --git a/app/services/oidc_jwt_service.rb b/app/services/oidc_jwt_service.rb index 6fce9ea..94c0cc3 100644 --- a/app/services/oidc_jwt_service.rb +++ b/app/services/oidc_jwt_service.rb 
@@ -63,15 +63,17 @@ class OidcJwtService
 # Get or generate RSA private key
 def private_key
 @private_key ||= begin
- # Try to load from Rails credentials first
- key_pem = Rails.application.credentials.oidc_private_key
-
- if key_pem.present?
- OpenSSL::PKey::RSA.new(key_pem)
+ # Try ENV variable first (best for Docker/Kamal)
+ if ENV["OIDC_PRIVATE_KEY"].present?
+ OpenSSL::PKey::RSA.new(ENV["OIDC_PRIVATE_KEY"])
+ # Then try Rails credentials
+ elsif Rails.application.credentials.oidc_private_key.present?
+ OpenSSL::PKey::RSA.new(Rails.application.credentials.oidc_private_key)
 else
 # Generate a new key for development
- # In production, you should generate this once and store in credentials
- Rails.logger.warn "OIDC: No private key found in credentials, generating new key (development only)"
+ # In production, you MUST set OIDC_PRIVATE_KEY env var or add to credentials
+ Rails.logger.warn "OIDC: No private key found in ENV or credentials, generating new key (development only)"
+ Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable in production!"
 OpenSSL::PKey::RSA.new(2048)
 end
 end
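Review bot: The `else` branch still generates a fresh 2048-bit key in every environment, so a production deployment that forgets OIDC_PRIVATE_KEY keeps issuing ID tokens signed by a per-process, per-restart key with nothing but a log line to show for it; because `@private_key ||=` memoises per process, each application process would presumably hold a different key and tokens would fail verification across them. Fail closed instead of warning: add `raise "OIDC: no private key configured (set OIDC_PRIVATE_KEY or credentials.oidc_private_key)" if Rails.env.production?` as the first line of the `else` branch, ahead of the two warn calls. The `ENV["OIDC_PRIVATE_KEY"]` lookup is repeated on consecutive lines; binding it once (`pem = ENV["OIDC_PRIVATE_KEY"]`) reads better and gives one place to normalise a PEM that may arrive with literal `\n` sequences from an env file, which `OpenSSL::PKey::RSA.new` would otherwise reject. The enclosing `OidcJwtService` class starts and ends outside the hunk.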