add a configuration check for public/private keys when using DPoP

closes #1293; thanks @ahus1

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,6 @@
+01/02/2025
+- add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
+
 12/17/2024
 - code: address SonarQube warnings in src/cache/*.c
 

src/mod_auth_openidc.c

@@ -1470,6 +1470,15 @@ static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg_t *c) {
 		}
 	}
 
+	if (oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(c)) != OIDC_DPOP_MODE_OFF) {
+		if (oidc_util_key_list_first(oidc_cfg_private_keys_get(c), -1, OIDC_JOSE_JWK_SIG_STR) == NULL) {
+			oidc_serror(s,
+				    "'" OIDCDPoPMode "' is configured but the required signing keys have not been "
+						     "provided in '" OIDCPrivateKeyFiles "'/'" OIDCPublicKeyFiles "'");
+			return HTTP_INTERNAL_SERVER_ERROR;
+		}
+	}
+
 	return OK;
 }
 

src/proto/jwt.c

@@ -252,7 +252,6 @@ apr_byte_t oidc_proto_jwt_create_from_first_pkey(request_rec *r, oidc_cfg_t *cfg
 	oidc_debug(r, "enter");
 
 	*jwk = oidc_util_key_list_first(oidc_cfg_private_keys_get(cfg), -1, OIDC_JOSE_JWK_SIG_STR);
-	// TODO: detect at config time
 	if (*jwk == NULL) {
 		oidc_error(r, "no RSA/EC private signing keys have been configured (in " OIDCPrivateKeyFiles ")");
 		goto end;