@olamilekan000

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

The JWKS endpoint (/auth/v1/.well-known/jwks.json) returns an empty keys array ({"keys": []}) for local Supabase instances because signing keys are not automatically generated during supabase init. Users must manually generate signing keys using supabase gen signingkeys and configure signing_keys_path in config.toml.
Issue: #4614

What is the new behavior?

  • Automatically generates a default RS256 signing key during supabase init
  • Saves the key to supabase/signing_keys.json (already in .gitignore)
  • Skips generation if the signing key file already exists
  • The JWKS endpoint now returns the public key, matching cloud behavior


@olamilekan000 olamilekan000 requested a review from a team as a code owner December 23, 2025 22:04
@olamilekan000
Author

@sweatybridge kindly review. Thanks

@olamilekan000 olamilekan000 force-pushed the fix-jwk-endpoint-returning-empty-keys branch 2 times, most recently from 6e88d0e to 159381e Compare December 24, 2025 21:20
@coveralls

Pull Request Test Coverage Report for Build 20494065924

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 28 of 34 (82.35%) changed or added relevant lines in 1 file are covered.
  • 5 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.04%) to 56.133%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/init/init.go | 28 | 34 | 82.35% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| internal/gen/keys/keys.go | 5 | 12.9% |

Totals
Change from base Build 20484757308: 0.04%
Covered Lines: 6864
Relevant Lines: 12228

💛 - Coveralls

@olamilekan000 olamilekan000 force-pushed the fix-jwk-endpoint-returning-empty-keys branch from 159381e to b8cad1c Compare January 6, 2026 02:39
return errors.Errorf("failed to read signing keys: %w", err)
} else if c.Auth.SigningKeys, err = fetcher.ParseJSON[[]JWK](f); err != nil {
return errors.Errorf("failed to decode signing keys: %w", err)
if err := c.loadSigningKeys(fsys); err != nil {
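
Review bot: On the `if err := c.loadSigningKeys(fsys); err != nil {` line, the excerpt does not show what the helper returns on failure. If the helper stays, it should keep both wrapped messages seen in the lines above ("failed to read signing keys" and "failed to decode signing keys") so that an unreadable key file remains distinguishable from malformed JSON at the call site.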

Contributor

This refactor is unnecessary because ParseJSON closes the reader automatically.


func Run(ctx context.Context, fsys afero.Fs, interactive bool, params utils.InitParams) error {
// 1. Write `config.toml`.
// 1. Generate default signing key if it doesn't exist.
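
Review bot: The step comment `// 1. Generate default signing key if it doesn't exist.` in `Run` does not say where the key is written or what the exists path does. Name the target file (the description gives supabase/signing_keys.json) and state that an existing file is left unmodified, since this step places private key material on disk and a reader should be able to check the file's location and handling from the code.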

Contributor

Since supabase init is no longer a prerequisite for supabase start, we cannot assume users will always run init before start. Let's handle signing key generation as part of config loading instead.

@olamilekan000
Author

@sweatybridge just to confirm, this PR isn't necessary anymore with the recent merge, right?

@sweatybridge
Contributor

Yea it's no longer needed but thanks for picking up this issue anyway!
