
auth/oidc: Add support for static JWKS and PEM key verification in OIDC #5260

Open: johnvox wants to merge 7 commits into fatedier:dev from johnvox:feat/oidc-key-based

Conversation


@johnvox johnvox commented Mar 23, 2026

WHY

This PR introduces support for static key verification in the OIDC authentication flow, allowing the use of JWKS (JSON Web Key Set) and PEM-encoded certificates/public keys as alternatives to dynamic OIDC provider-based verification.

Enables OIDC token verification in offline or restricted environments.

New Configuration:

  • Added AuthOIDCIssuer struct to support static key configuration via:
    • Inline JWKS (JWKS).
    • JWKS file path (JWKSFile).
    • PEM file path (CertificatesFile).

Here is the config snippet used during dev:

# frpc.toml
serverAddr = "127.0.0.1"
serverPort = 7000

[log]
disablePrintColor = true

[auth]
method = "oidc"

[auth.oidc.tokenSource]
type = "file"

[auth.oidc.tokenSource.file]
path = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# frps.toml
bindPort = 7000
kcpBindPort = 7000

[log]
disablePrintColor = true
level = "trace"

[auth]
method = "oidc"

[auth.oidc]
audience = "k3s"
issuer = "https://kubernetes.default.svc.cluster.local"

[auth.oidc.issuerSpec]
# pemFile = "/home/jynolen/oss/frp/dist/ca.crt"
# jwksFile = "/home/jynolen/oss/frp/dist/jwks.json"

[[auth.oidc.issuerSpec.jwks.keys]]
use = "sig"
kty = "RSA"
kid = "00000000-0000-0000-0000-000000000000"
alg = "RS256"
n = "tgguCdoYMBpTNREKeRIAQ-kMVTRtpofs5mveaUAmCnDkKYzIWBXyRNoCiB5RVshB1fYAVACohnidsXX1r2407sD7CQIYxsb3p8hu8dHfBILFdGBViYJD6vGBH6JW13M_giyjj1U0qiiOq7mxw8UhKdK_TAqzTizQkhAM5lkas2GyTwONXhMMdHI2y9wdZ1zhgQZ_IYfote-PScW_IZt_F21kW258UXldEb1d5s9zS3ewkvhuGolR8uTz_FvJ_-whpsuhbZT9Psqd64eEtej2-Prbzm-zO2OzBLTpt_jjnkpSz80J4DrfLTD3pbxYOK9AsrxIXkTepp-8RSW_s4_Q1w"
e = "AQAB"


kilo-code-bot Bot commented Mar 23, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity    Count
CRITICAL    0
WARNING     1
SUGGESTION  0

Issue Details

WARNING

File: pkg/auth/utils.go, line 55
Issue: Nil JWKS creates an empty static verifier instead of reporting missing static key configuration; this remains an active carried-forward finding from the previous review.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

No additional unchanged-code issues beyond the carried-forward active inline finding.

Files Reviewed (1 file)
  • pkg/auth/oidc_test.go - 0 new issues


Reviewed by gpt-5.5-2026-04-23 · 394,710 tokens

@johnvox johnvox marked this pull request as draft March 23, 2026 13:19
@johnvox johnvox marked this pull request as ready for review March 28, 2026 15:11
@github-actions

PRs go stale after 14d of inactivity. Stale PRs rot after an additional 3d of inactivity and eventually close.


johnvox commented Apr 13, 2026

/not stale

@github-actions

PRs go stale after 14d of inactivity. Stale PRs rot after an additional 3d of inactivity and eventually close.


johnvox commented Apr 28, 2026

/not stale

@Qodo-Free-For-OSS

Hi, NewTokenVerifierFromStatic can call DecodeJWKS with a nil *JSONWebKeySet, which dereferences jwks.Keys and panics, potentially crashing the server at startup when the dynamic provider lookup fails and static config is incomplete.

Severity: action required | Category: reliability

How to fix: Validate IssuerSpec and nil-check

Agent prompt to fix - you can give this to your LLM of choice:

Issue description

NewTokenVerifierFromStatic may call DecodeJWKS(nil) which panics because DecodeJWKS dereferences jwks.Keys without a nil guard.

Issue Context

This is reachable when oidc.NewProvider fails and the code falls back to static verification; if the user didn’t provide issuerSpec.jwksFile, issuerSpec.pemFile, or inline issuerSpec.jwks, the server can crash.

Fix Focus Areas

  • pkg/auth/oidc.go[288-311]
  • pkg/auth/utils.go[53-59]

Expected fix

  • Return a clear error if no static key source is configured (or if IssuerSpec.JWKS == nil).
  • Optionally make DecodeJWKS return an error (or empty slice + error) instead of panicking on nil.
  • Consider rejecting empty decoded key lists early (before creating verifier).

We noticed a couple of other issues in this PR as well - happy to share if helpful.


Found by Qodo code review
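The guard both review bots ask for, as an added example written for this page (not code from the PR or from frp; the JWK types, SampleJWKS and ErrNoStaticKeys are this example's own): a static JWKS decoder that turns a nil or empty key set into an error instead of a nil-pointer panic or an empty verifier, covering the inline and file sources since both arrive as raw JSON.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// Minimal JWK types for this example (hypothetical, not frp's own types).
type JSONWebKey struct{ Kty, Kid, N, E string } // json matches member names case-insensitively
type JSONWebKeySet struct{ Keys []JSONWebKey }

// SampleJWKS is a constructed key set with a toy modulus for illustration only
// (a real key, like the 2048-bit one in the PR description, is far longer).
const SampleJWKS = `{"keys":[{"use":"sig","kty":"RSA","kid":"example-kid","alg":"RS256","n":"AQAB","e":"AQAB"}]}`

var ErrNoStaticKeys = errors.New("oidc: no usable static signing key configured")

// DecodeJWKS maps kid -> RSA public key. A nil or empty set returns ErrNoStaticKeys
// instead of panicking on jwks.Keys or yielding a verifier that accepts nothing;
// non-RSA or malformed entries are errors rather than being silently skipped.
func DecodeJWKS(jwks *JSONWebKeySet) (map[string]*rsa.PublicKey, error) {
	if jwks == nil || len(jwks.Keys) == 0 {
		return nil, ErrNoStaticKeys
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range jwks.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		exp := new(big.Int).SetBytes(e)
		if k.Kty != "RSA" || errN != nil || errE != nil || exp.BitLen() == 0 || exp.BitLen() > 31 {
			return nil, errors.New("oidc: unsupported or malformed JWK with kid " + k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}
	}
	return keys, nil
}

// ParseJWKS covers the inline and file paths: raw JSON -> key set -> RSA keys.
func ParseJWKS(raw []byte) (map[string]*rsa.PublicKey, error) {
	var set JSONWebKeySet
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, err
	}
	return DecodeJWKS(&set)
}
```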
