
feat: support jwt signing keys for local auth #3841


Merged
merged 22 commits into from
Jul 21, 2025

Conversation

@cemalkilic (Contributor) commented Jul 10, 2025

What kind of change does this PR introduce?

command to generate jwt signing keys & spin up auth server with the configured JWK keys

Steps

  1. Generate the jwt signing keys by supabase gen signing-key ES256
  2. Enable signing_keys_path line in the config.toml.
  3. Once the auth server is up and running, the configured JWK should be available in http://localhost:54321/auth/v1/.well-known/jwks.json

$ ./bin/supabase gen signing-key --help
Securely generate a private JWT signing key for use in the CLI or to import in the dashboard.

Supported algorithms:
	ES256 - ECDSA with P-256 curve and SHA-256 (recommended)
	RS256 - RSA with SHA-256

Usage:
  supabase gen signing-key [flags]

Examples:
  supabase gen signing-key --algorithm RS256
  supabase gen signing-key --algorithm ES256
  supabase gen signing-key --algorithm RS256 --append

Flags:
      --algorithm [ RS256 | ES256 ]   Algorithm for signing key generation. (default ES256)
      --append                        Append new key to existing keys file instead of overwriting.
  -h, --help                          help for signing-key

...

Command output

$ ./bin/supabase gen signing-key --algorithm RS256
/Users/cemalkilic/projects/cli/signing_keys.json
JWT signing keys saved to: /Users/cemalkilic/projects/cli/signing_keys.json
⚠️  IMPORTANT: Add this file to your .gitignore to prevent committing signing keys to version control

To enable JWT signing keys in your project:
1. Add the following to your config.toml file:
   signing_keys_path = "/Users/cemalkilic/projects/cli/signing_keys.json"
2. Restart your local development server:
   supabase start

Run with --append flag

$ ./bin/supabase gen signing-key --algorithm RS256 --append
/Users/user/projects/cli/signing_keys.json
JWT signing key appended to: /Users/user/projects/cli/signing_keys.json (now contains 2 keys)
⚠️  IMPORTANT: Add this file to your .gitignore to prevent committing signing keys to version control

To enable JWT signing keys in your project:
1. Add the following to your config.toml file:
   signing_keys_path = "/Users/cemalkilic/projects/cli/signing_keys.json"
2. Restart your local development server:
   supabase start
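The generation step described above, as an added example that is not the CLI's own code from this PR: a stand-alone Go sketch of what `gen signing-key ES256` has to produce, namely the private JWK that lands in signing_keys.json, the public form the auth server would expose at /auth/v1/.well-known/jwks.json, and a verifier-side decode that rejects malformed or off-curve entries. The struct and function names are hypothetical, and using the RFC 7638 thumbprint as `kid` is an assumption; the PR does not say how the CLI derives its key ids.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// JWK: RFC 7517/7518 members of a P-256 key. "d" is dropped from the JSON when
// empty, so one struct serves both the private keys file and the public JWKS.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateES256 returns a private JWK for a fresh P-256 key. Coordinates are left-padded
// to 32 bytes (RFC 7518 s6.2.1). kid is the RFC 7638 thumbprint (an assumption here):
// SHA-256 of {"crv","kty","x","y"} sorted and unspaced, which json.Marshal of a map emits.
func GenerateES256() (JWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return JWK{}, err
	}
	pad := func(i *big.Int) string { return b64(i.FillBytes(make([]byte, 32))) }
	k := JWK{Kty: "EC", Crv: "P-256", Alg: "ES256", X: pad(priv.X), Y: pad(priv.Y), D: pad(priv.D)}
	thumb, _ := json.Marshal(map[string]string{"crv": k.Crv, "kty": k.Kty, "x": k.X, "y": k.Y})
	sum := sha256.Sum256(thumb)
	k.Kid = b64(sum[:])
	return k, nil
}

// Public strips the private scalar: the form /.well-known/jwks.json publishes.
func Public(k JWK) JWK { k.D = ""; return k }

// PublicKeyOf decodes a JWK into a verifier's key; ok is false for a malformed
// entry or a point not on P-256, so a tampered JWKS cannot smuggle in a bad point.
func PublicKeyOf(k JWK) (pub *ecdsa.PublicKey, ok bool) {
	xb, errX := base64.RawURLEncoding.DecodeString(k.X)
	yb, errY := base64.RawURLEncoding.DecodeString(k.Y)
	if errX != nil || errY != nil || k.Kty != "EC" || k.Crv != "P-256" {
		return nil, false
	}
	pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	return pub, pub.Curve.IsOnCurve(pub.X, pub.Y)
}
```

Marshalling `[]JWK{k}` gives the keys-file shape, and `map[string][]JWK{"keys": {Public(k)}}` the JWKS document; the two differ only by the `d` member, which must never reach the public endpoint.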

@cemalkilic cemalkilic requested a review from a team as a code owner July 10, 2025 19:44
@coveralls commented Jul 10, 2025

Pull Request Test Coverage Report for Build 16416756141

Details

  • 94 of 198 (47.47%) changed or added relevant lines in 4 files are covered.
  • 5 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.2%) to 55.325%

Changes Missing Coverage                    Covered Lines   Changed/Added Lines   %
internal/start/start.go                     3               5                     60.0%
cmd/gen.go                                  0               7                     0.0%
internal/utils/misc.go                      0               16                    0.0%
internal/gen/signingkeys/signingkeys.go     91              170                   53.53%

Files with Coverage Reduction               New Missed Lines   %
internal/gen/keys/keys.go                   5                  12.9%

Totals                                      Coverage Status
Change from base Build 16410144347:         -0.2%
Covered Lines:                              6171
Relevant Lines:                             11154

💛 - Coveralls

@hf (Contributor) left a comment

Looks OK to me, however you may want to explore a jwk library if you want.

@hf (Contributor) commented Jul 11, 2025

Maybe the default output format should be the key, while passing another parameter to give you the config.toml setting?

Reason being this command can be used for people who want to import a private key they control.

@cemalkilic cemalkilic changed the title feat: add generate-key cmd for generating jwt signing keys feat: support jwt signing keys for local auth Jul 11, 2025
@cemalkilic cemalkilic force-pushed the cemal/add-cmd-generate-jwt-signing-keys branch from e23950b to edf8d7e July 11, 2025 10:28
@cemalkilic cemalkilic force-pushed the cemal/add-cmd-generate-jwt-signing-keys branch from f6a01d7 to 0cbcee0 July 15, 2025 12:31
@hf (Contributor) left a comment

LGTM!

}
out = f
}
jwkArray = append(jwkArray, keyPair.PrivateKey)
Contributor (review comment on the lines above):

@cemalkilic do we need to show or save the public key to user?

@cemalkilic (Contributor Author):

I think at this point, no.


// Add JWT keys from file if configured
if keysData, err := utils.Config.Auth.GetSigningKeysData(fsys); err == nil && keysData != "" {
env = append(env, "GOTRUE_JWT_KEYS="+keysData)
@sweatybridge (Contributor) Jul 21, 2025 (review comment on the lines above):

@cemalkilic can we add the jwks parsed from line 148 directly here?

			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
			"GOTRUE_JWT_KEYS=" + jwks,

@cemalkilic (Contributor Author):

No, that jwks is consumed by the other services (storage, realtime etc) to accept tokens from the third party auth (docs).
Supabase Auth server shouldn't serve the JWKS of the third party auth providers.

@sweatybridge sweatybridge force-pushed the cemal/add-cmd-generate-jwt-signing-keys branch from 62c58f7 to df6a75f July 21, 2025 10:33
@sweatybridge sweatybridge merged commit 63a8891 into develop Jul 21, 2025
14 checks passed
@sweatybridge sweatybridge deleted the cemal/add-cmd-generate-jwt-signing-keys branch July 21, 2025 12:26
@logemann commented

Is there an easy way to track when this will be available as a docker gotrue image? Happy to instantly use it ;-)

@github-actions github-actions bot mentioned this pull request Jul 22, 2025
5 participants