chore: unify signing key configuration across modules (#11194)

## Context

the three commits in this series are the first step towards the goal of removing the special casing around `JWT_SECRET`, which is used for various modules via `GetGeneralTokenSigningSecret()`. Ultimately, I want to work towards enabling seamless migration away from general use of the common secret. To enable this, we need proper secret/key rotation support, that is, we need to allow for configuration of additional secrets/keys which are accepted for token validation, but not used to issue tokens.

I have this _Verifier_ support basically implemented, but this PR is not it.

This PR contains cleanup refactoring which I worked on before writing the _Verifier_ support, because I noticed that the existing secret/key handling across modules was inconsistent and required duplicated code.

I am submitting this part now to allow for incremental review of not too large a diff, and because these commits remained unchanged during two weeks since I moved on the the next task.

## The problem being addressed

Configuration of JWT signing secrets/keys was inconsistent:

Under `[oauth2]` the full configuration set was supported:

- `JWT_SIGNING_ALGORITHM` configured the algorithm
- `JWT_SECRET` configured a literal secret for symmetric algorithms
- `JWT_SECRET_URI` configured a `file:` uri of a secret for symmetric algorithms
- `JWT_SIGNING_PRIVATE_KEY_FILE` configured a file for asymmetric algorithms

For `[server]`, the LFS module only supported `LFS_JWT_SECRET`, and the signing method was hardcoded to `HS256`

For `[actions]`, only asymmetric signing methods were supported via `ID_TOKEN_SIGNING_ALGORITHM` and `ID_TOKEN_SIGNING_PRIVATE_KEY_FILE`.

## ini unification

The proposed code centralizes ini parsing to always support the following ini keys:

- `[pfx]SIGNING_ALGORITHM` determines the algorithm
- `[pfx]SECRET` is a literal secret for symmetric algorithms
- `[pfx]SECRET_URI` is the uri of a secret for symmetric algorithms
- `[pfx]SIGNING_PRIVATE_KEY_FILE` is a file with a private key for asymmetric algorithms

`[pfx]` is specific to the module and chosen to support the existing ini keys

Centralizing this code and unifying the ini keys will come handy for at least the following reasons:

- consistent behavior across modules is easier to understand
- less duplicated code
- easier to expand later, which is my main motivation

## implementation notes

as might be apparent by the _take3_ branch name, this is the third iteration of this patch series. The main reason why I abandoned the other two is that I first tried to move all the key initialization into the code called from settings.go when the ini file is parsed. But that lead to a lot of friction with test cases, because private key files which are configured, but do not exist will get created and hence require a writable `AppDataPath` and additional clean up.

To avoid a lot of noise and complications in test cases, I kept the existing two stage process, where

- the settings component creates missing symmetric signing keys and writes them to the .ini
- the settings component creates a simple configuration struct
- which is then used from the module init to create the actual key, which also includes creating a private key file if asymmetric crypto is configured and the key file does not exist.

I would have wished this patch was a net negative in terms of LOCs, but I hope it contributes to clarity and many added lines are in test cases.

## Commits

Because sometimes PRs are merged as squashes with the PR text remaining, I am repeating here the individual messages of the individual commits for future reference:

### Refactor signing key initalization and oauth2 use of it

This commit is the first in a series towards the goal of addressing the
FIXME comment in modules/setting/oauth2.go to remove
GeneralTokenSigningSecret

To do it properly, the task also requires addition of signing secret/key
rotation: We ultimately want to be able to change a signing key, but
continue to accept the previous one. This is particularly relevant to
offer a path from GeneralTokenSigningSecret aka JWT_SECRET to new,
specific component key configuration, where it should be possible to add
the former JWT_SECRET as a key accepted for verification to enable a
seamless transition.

This perspective, in turn, calls for refactoring of the existing secret
initialization code to centralize the common functions of parsing
signing key related configuration directives: The oauth2 module
currently is the only component accepting symmetric and asymmetric keys,
with the limitation of the symmetric key being also the
GeneralTokenSigningSecret. Other components either enforce HS256 or
public key algorithms.

We should really give the choice of algorithm selection and avoid code
duplication in other places, so this commit

- generalizes setting parsing into a configuration struct: A prefix can
  be provided, with which the common configuration directives are
  processed:

  - [pfx]SIGNING_ALGORITHM determines the algorithm
  - [pfx]SECRET is a literal secret for symmetric algorithms
  - [pfx]SECRET_URI is the uri of a secret for symmetric algorithms
  - [pfx]SIGNING_PRIVATE_KEY_FILE is a file with a private key for asymmetric algorithms

- which is then accepted by jwtx.InitSigningKey() to create an actual
  signing key

The reasons for the two stage process are explained in a long-ish
comment in modules/setting/security.go. In short, other options would
either violate sensible module boundaries or cause too much friction.
These other options have actually been tried, this is take 3 of the
proposed changes.

### Refactor services/lfs: Change token code to use SigningKey

This now also enables use of token algorithms other than HS256.

In this case, signing key initialization also happens during settings
initialization, because LFS is also used in CLI commands.

### Refactor api/actions to use new signingkey API

This now also enables use of symmetric token algorithms.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11194
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nils Goroll <nils.goroll@uplex.de>
Co-committed-by: Nils Goroll <nils.goroll@uplex.de>

modules/setting/actions.go

@@ -5,7 +5,6 @@ package setting
 
 import (
 	"fmt"
-	"path/filepath"
 	"strings"
 	"time"
 
@@ -28,17 +27,15 @@ var (
 		SkipWorkflowStrings          []string          `ini:"SKIP_WORKFLOW_STRINGS"`
 		LimitDispatchInputs          int64             `ini:"LIMIT_DISPATCH_INPUTS"`
 		ConcurrencyGroupQueueEnabled bool              `ini:"CONCURRENCY_GROUP_QUEUE_ENABLED"`
-		IDTokenSigningAlgorithm      idTokenAlgorithm  `ini:"ID_TOKEN_SIGNING_ALGORITHM"`
-		IDTokenSigningPrivateKeyFile string            `ini:"ID_TOKEN_SIGNING_PRIVATE_KEY_FILE"`
 		IDTokenExpirationTime        int64             `ini:"ID_TOKEN_EXPIRATION_TIME"`
+
+		KeyCfg *jwtx.KeyCfg
 	}{
 		Enabled:                      true,
 		DefaultActionsURL:            defaultActionsURLForgejo,
 		SkipWorkflowStrings:          []string{"[skip ci]", "[ci skip]", "[no ci]", "[skip actions]", "[actions skip]"},
 		LimitDispatchInputs:          100,
 		ConcurrencyGroupQueueEnabled: true,
-		IDTokenSigningAlgorithm:      "RS256",
-		IDTokenSigningPrivateKeyFile: "actions_id_token/private.pem",
 		IDTokenExpirationTime:        3600,
 	}
 )
@@ -76,15 +73,9 @@ func (c logCompression) IsZstd() bool {
 	return c == "" || strings.ToLower(string(c)) == "zstd"
 }
 
-type idTokenAlgorithm string
-
-func (c idTokenAlgorithm) IsValid() bool {
-	// Empty string implies RS256
-	return jwtx.IsValidAsymmetricAlgorithm(string(c)) || string(c) == ""
-}
-
 func loadActionsFrom(rootCfg ConfigProvider) error {
-	sec := rootCfg.Section("actions")
+	secName := "actions"
+	sec := rootCfg.Section(secName)
 	err := sec.MapTo(&Actions)
 	if err != nil {
 		return fmt.Errorf("failed to map Actions settings: %v", err)
@@ -120,13 +111,9 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 		return fmt.Errorf("invalid [actions] LOG_COMPRESSION: %q", Actions.LogCompression)
 	}
 
-	if !Actions.IDTokenSigningAlgorithm.IsValid() {
-		return fmt.Errorf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm)
+	Actions.KeyCfg, err = loadKeyCfg(rootCfg, secName, "ID_TOKEN_", "RS256", "actions_id_token/private.pem", onlyAsymmetric())
+	if err != nil {
+		return err
 	}
-
-	if !filepath.IsAbs(Actions.IDTokenSigningPrivateKeyFile) {
-		Actions.IDTokenSigningPrivateKeyFile = filepath.Join(AppDataPath, Actions.IDTokenSigningPrivateKeyFile)
-	}
-
 	return nil
 }

modules/setting/actions_test.go

@@ -4,7 +4,6 @@
 package setting
 
 import (
-	"fmt"
 	"path/filepath"
 	"testing"
 
@@ -176,8 +175,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "RS256", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/home/app/data/actions_id_token/private.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "RS256", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/home/app/data/actions_id_token/private.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 3600, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -190,8 +189,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "ES256", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "ES256", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/test/test.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 120, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -204,8 +203,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "EdDSA", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/home/app/data/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "EdDSA", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/home/app/data/test/test.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 123, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -215,6 +214,23 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	cfg, err = NewConfigProviderFromData(iniStr)
 	require.NoError(t, err)
 	err = loadActionsFrom(cfg)
-	require.ErrorContains(t, err,
-		fmt.Sprintf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm))
+	require.ErrorContains(t, err, "[actions] Unexpected algorithm: ID_TOKEN_SIGNING_ALGORITHM = HS256, needs to be one of [RS256 RS384 RS512 ES256 ES384 ES512 EdDSA]")
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SECRET = ABC
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	err = loadActionsFrom(cfg)
+	require.ErrorContains(t, err, "[actions] Invalid config key: ID_TOKEN_SECRET - must be removed")
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SECRET_URI = ABC
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	err = loadActionsFrom(cfg)
+	require.ErrorContains(t, err, "[actions] Invalid config key: ID_TOKEN_SECRET_URI - must be removed")
 }

modules/setting/lfs.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
 
-	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 )
 
 // LFS represents the server-side configuration for Git LFS.
@@ -16,13 +16,13 @@ import (
 // Could be refactored in the future while keeping backwards compatibility.
 var LFS = struct {
 	StartServer    bool          `ini:"LFS_START_SERVER"`
-	JWTSecretBytes []byte        `ini:"-"`
 	HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
 	MaxFileSize    int64         `ini:"LFS_MAX_FILE_SIZE"`
 	LocksPagingNum int           `ini:"LFS_LOCKS_PAGING_NUM"`
 	MaxBatchSize   int           `ini:"LFS_MAX_BATCH_SIZE"`
 
-	Storage *Storage
+	SigningKey jwtx.SigningKey
+	Storage    *Storage
 }{}
 
 // LFSClient represents configuration for Gitea's LFS clients, for example: mirroring upstream Git LFS
@@ -77,20 +77,14 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
 		return nil
 	}
 
-	jwtSecretBase64 := loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
-	LFS.JWTSecretBytes, err = generate.DecodeJwtSecret(jwtSecretBase64)
-	if err != nil {
-		LFS.JWTSecretBytes, jwtSecretBase64 = generate.NewJwtSecret()
-
-		// Save secret
-		saveCfg, err := rootCfg.PrepareSaving()
-		if err != nil {
-			return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
+	// TODO: #11024 check nil because settings loaded twice
+	if LFS.SigningKey == nil {
+		keyCfg, err := loadKeyCfg(rootCfg, "server", "LFS_JWT_", "HS256", "lfs/private.pem")
+		if err == nil {
+			LFS.SigningKey, err = jwtx.InitSigningKey(&keyCfg.Signing)
 		}
-		rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
-		saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
-		if err := saveCfg.Save(); err != nil {
-			return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
+		if err != nil {
+			return fmt.Errorf("lfs key initialization failed: %v", err)
 		}
 	}
 

modules/setting/oauth2.go

@@ -5,10 +5,10 @@ package setting
 
 import (
 	"math"
-	"path/filepath"
 	"sync/atomic"
 
 	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/log"
 )
 
@@ -96,18 +96,15 @@ var OAuth2 = struct {
 	AccessTokenExpirationTime   int64
 	RefreshTokenExpirationTime  int64
 	InvalidateRefreshTokens     bool
-	JWTSigningAlgorithm         string `ini:"JWT_SIGNING_ALGORITHM"`
-	JWTSigningPrivateKeyFile    string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 	MaxTokenLength              int
 	DefaultApplications         []string
 	EnableAdditionalGrantScopes bool
+	KeyCfg                      *jwtx.KeyCfg
 }{
 	Enabled:                     true,
 	AccessTokenExpirationTime:   3600,
 	RefreshTokenExpirationTime:  730,
 	InvalidateRefreshTokens:     true,
-	JWTSigningAlgorithm:         "RS256",
-	JWTSigningPrivateKeyFile:    "jwt/private.pem",
 	MaxTokenLength:              math.MaxInt16,
 	DefaultApplications:         []string{"git-credential-oauth", "git-credential-manager", "tea"},
 	EnableAdditionalGrantScopes: false,
@@ -126,30 +123,26 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 		OAuth2.Enabled = sec.Key("ENABLE").MustBool(OAuth2.Enabled)
 	}
 
-	if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
-		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
-	}
-
 	// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
 	// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
 	// Including: CSRF token, account validation token, etc ...
 	// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
-	jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
 	if InstallLock {
-		jwtSecretBytes, err := generate.DecodeJwtSecret(jwtSecretBase64)
+		signingKey, err := loadSymmeticSigningKeyCfg(rootCfg, sec, "JWT_")
 		if err != nil {
-			jwtSecretBytes, jwtSecretBase64 = generate.NewJwtSecret()
-			saveCfg, err := rootCfg.PrepareSaving()
-			if err != nil {
-				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
-			}
-			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
-			saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
-			if err := saveCfg.Save(); err != nil {
-				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
-			}
+			log.Fatal("%v", err)
 		}
-		generalSigningSecret.Store(&jwtSecretBytes)
+		generalSigningSecret.Store(signingKey)
+	}
+
+	if !OAuth2.Enabled {
+		return
+	}
+
+	var err error
+	OAuth2.KeyCfg, err = loadKeyCfg(rootCfg, "oauth2", "JWT_", "RS256", "jwt/private.pem")
+	if err != nil {
+		log.Fatal("oauth2 key initialization failed: %v", err)
 	}
 }
 

modules/setting/security.go

@@ -4,12 +4,15 @@
 package setting
 
 import (
+	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"forgejo.org/modules/auth/password/hash"
 	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 )
@@ -39,6 +42,31 @@ var (
 	DisableQueryAuthToken              bool
 )
 
+/*
+ * key loading is a two-stage process to avoid complications for unit tests:
+ *
+ * For symmetric keys, we want to add a random key to the configuration. We would
+ * not want to change the configuration after loading has completed to maintain
+ * isolation. So from this perspective, we would want to initialize keys only
+ * during setting.load...From()
+ *
+ * For asymmetric keys, we want to create a random private key _file_.
+ * Doing so during the setting load phase, however, creates key files for unit
+ * tests, because they usually complete the full settings load phase, but do not
+ * initialize modules which they do not need. Depending on the test case, it
+ * might not provide a writable AppDataPath, or it would leave private key files
+ * in the source tree. All of this can be avoided with
+ * specifically adjusting the ini loaded for unit tests, but adds considerable
+ * friction.
+ *
+ * So to avoid all this, we split key loading in two phases:
+ * - settings parse the config and save missing symmetric keys
+ * - module init takes the parsed config, creates missing asymmetric keys and
+ *   creates the actual signingkey objects
+ *
+ * jwtx.SigningKeyCfg and jwtx.KeyCfg are used for handover
+ */
+
 // loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
 // If the secret is loaded from uriKey (file), the file should be non-empty, to guarantee the behavior stable and clear.
 func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
@@ -53,16 +81,29 @@ func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
 	if uri == "" {
 		return verbatim
 	}
+	verbatim, err := loadSecretFromURI(uri)
+	if err == nil {
+		return verbatim
+	}
+	log.Fatal("%s: %w", uriKey, err)
+	// unreached
+	return ""
+}
 
+func loadSecretFromURI(uri string) (string, error) {
 	tempURI, err := url.Parse(uri)
 	if err != nil {
-		log.Fatal("Failed to parse %s (%s): %v", uriKey, uri, err)
+		return "", fmt.Errorf("Failed to parse %s: %v", uri, err)
 	}
 	switch tempURI.Scheme {
 	case "file":
-		buf, err := os.ReadFile(tempURI.RequestURI())
+		path := tempURI.RequestURI()
+		if !filepath.IsAbs(path) {
+			path = filepath.Join(AppDataPath, path)
+		}
+		buf, err := os.ReadFile(path)
 		if err != nil {
-			log.Fatal("Failed to read %s (%s): %v", uriKey, tempURI.RequestURI(), err)
+			return "", fmt.Errorf("Failed to read %s: %v", path, err)
 		}
 		val := strings.TrimSpace(string(buf))
 		if val == "" {
@@ -70,17 +111,135 @@ func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
 			// For example: if INTERNAL_TOKEN_URI=file:///empty-file,
 			// Then if the token is re-generated during installation and saved to INTERNAL_TOKEN
 			// Then INTERNAL_TOKEN and INTERNAL_TOKEN_URI both exist, that's a fatal error (they shouldn't)
-			log.Fatal("Failed to read %s (%s): the file is empty", uriKey, tempURI.RequestURI())
+			return "", fmt.Errorf("Failed to read %s: the file is empty", path)
 		}
-		return val
+		return val, nil
 
 	// only file URIs are allowed
 	default:
-		log.Fatal("Unsupported URI-Scheme %q (%q = %q)", tempURI.Scheme, uriKey, uri)
-		return ""
+		return "", fmt.Errorf("Unsupported URI-Scheme %q in %q", tempURI.Scheme, uri)
 	}
 }
 
+// createSymmeticSigningKey creates a new symmetric signing key and saves it to
+// the setting named cfgSecret (usually [PFX_]SECRET) in section cfgSection
+func createSymmeticSigningKeyCfg(rootCfg ConfigProvider, cfgSection, cfgSecret string) (*[]byte, error) {
+	jwtSecretBytes, jwtSecretBase64 := generate.NewJwtSecret()
+	saveCfg, err := rootCfg.PrepareSaving()
+	if err == nil {
+		rootCfg.Section(cfgSection).Key(cfgSecret).SetValue(jwtSecretBase64)
+		saveCfg.Section(cfgSection).Key(cfgSecret).SetValue(jwtSecretBase64)
+		err = saveCfg.Save()
+	}
+	if err != nil {
+		return nil, fmt.Errorf("save %s.%s failed: %v", cfgSection, cfgSecret, err)
+	}
+	return &jwtSecretBytes, nil
+}
+
+// loadSymmeticSigningKey loads a signing key and creates it unless present
+// loads from [pfx]SECRET_URI
+// loads from or saves to [pfx]SECRET
+// in section sec
+func loadSymmeticSigningKeyCfg(rootCfg ConfigProvider, sec ConfigSection, pfx string) (*[]byte, error) {
+	cfgSecretURI := pfx + "SECRET_URI"
+	cfgSecret := pfx + "SECRET"
+
+	secretBase64 := loadSecret(sec, cfgSecretURI, cfgSecret)
+	secret, err := generate.DecodeJwtSecret(secretBase64)
+	if err == nil {
+		return &secret, nil
+	}
+
+	log.Info("[%s] %s or %s failed loading: %v - creating new key", sec.Name(), cfgSecret, cfgSecretURI, err)
+	return createSymmeticSigningKeyCfg(rootCfg, sec.Name(), cfgSecret)
+}
+
+// loadAsymmeticSigningKey loads a signing key from [pfx]SIGNING_PRIVATE_KEY_FILE
+// or creates it if it does not exist
+func loadAsymmeticSigningKeyPath(sec ConfigSection, pfx, defaultFile string) *string {
+	cfgFile := pfx + "SIGNING_PRIVATE_KEY_FILE"
+	keyPath := sec.Key(cfgFile).MustString(defaultFile)
+	if !filepath.IsAbs(keyPath) {
+		keyPath = filepath.Join(AppDataPath, keyPath)
+	}
+	return &keyPath
+}
+
+type checkKeyCfg func(rootCfg ConfigProvider, cfgSection, pfx string) error
+
+func onlyAsymmetric() checkKeyCfg {
+	return func(rootCfg ConfigProvider, cfgSection, pfx string) error {
+		sec := rootCfg.Section(cfgSection)
+		cfgAlg := pfx + "SIGNING_ALGORITHM"
+
+		if sec.HasKey(cfgAlg) {
+			alg := sec.Key(cfgAlg).String()
+			if !jwtx.IsValidAsymmetricAlgorithm(alg) {
+				return fmt.Errorf("Unexpected algorithm: %s = %s, needs to be one of %v",
+					cfgAlg, alg, jwtx.ValidAsymmetricAlgorithms)
+			}
+		}
+
+		noCfg := []string{
+			pfx + "SECRET_URI",
+			pfx + "SECRET",
+		}
+
+		for _, cfg := range noCfg {
+			if sec.HasKey(cfg) {
+				return fmt.Errorf("Invalid config key: %s - must be removed", cfg)
+			}
+		}
+
+		return nil
+	}
+}
+
+// loadSigningKey() loads a or creates signing key based on settings in section cfgSection
+// [pfx]SIGNING_ALGORITHM determines the algorithm
+// [pfx]SECRET is a literal secret for symmetric algorithms
+// [pfx]SECRET_URI is the uri of a secret for symmetric algorithms
+// [pfx]SIGNING_PRIVATE_KEY_FILE is a file with a private key for asymmetric algorithms
+//
+// [pfx]SECRET might get written to literally in the config if needed but not present
+
+func loadSigningKeyCfg(rootCfg ConfigProvider, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile string, checks ...checkKeyCfg) (*jwtx.SigningKeyCfg, error) {
+	for _, check := range checks {
+		err := check(rootCfg, cfgSection, pfx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	sec := rootCfg.Section(cfgSection)
+	cfgAlg := pfx + "SIGNING_ALGORITHM"
+
+	algorithm := sec.Key(cfgAlg).MustString(defaultAlg)
+
+	cfg := jwtx.SigningKeyCfg{Algorithm: algorithm}
+	var err error
+
+	if jwtx.IsValidSymmetricAlgorithm(algorithm) {
+		cfg.SecretBytes, err = loadSymmeticSigningKeyCfg(rootCfg, sec, pfx)
+	} else if jwtx.IsValidAsymmetricAlgorithm(algorithm) {
+		cfg.PrivateKeyPath = loadAsymmeticSigningKeyPath(sec, pfx, defaultPrivateKeyFile)
+	} else {
+		err = fmt.Errorf("invalid algorithm: %s = %s", cfgAlg, algorithm)
+	}
+
+	return &cfg, err
+}
+
+func loadKeyCfg(rootCfg ConfigProvider, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile string, checks ...checkKeyCfg) (*jwtx.KeyCfg, error) {
+	signing, err := loadSigningKeyCfg(rootCfg, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile, checks...)
+	if err != nil {
+		err = fmt.Errorf("[%s] %v", cfgSection, err)
+		return nil, err
+	}
+	return &jwtx.KeyCfg{Signing: signing}, nil
+}
+
 // generateSaveInternalToken generates and saves the internal token to app.ini
 func generateSaveInternalToken(rootCfg ConfigProvider) {
 	token, err := generate.NewInternalToken()