feat: refactor signer configuration with local and vault options

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 month ago · 716981469d
16 changed files with 473 additions and 194 deletions
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@ -14,6 +14,7 @@ import (

 	"github.com/dexidp/dex/pkg/featureflags"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/ent"
 	"github.com/dexidp/dex/storage/etcd"
@ -36,7 +37,7 @@ type Config struct {
 	Frontend server.WebConfig `json:"frontend"`

 	// Signer configuration controls signing of JWT tokens issued by Dex.
-	Signer server.SignerConfig `json:"signer"`
+	Signer Signer `json:"signer"`

 	// StaticConnectors are user defined connectors specified in the ConfigMap
 	// Write operations, like updating a connector, will fail.
@ -373,6 +374,74 @@ func (s *Storage) UnmarshalJSON(b []byte) error {
 	return nil
 }

+// Signer holds app's signer configuration.
+type Signer struct {
+	Type   string       `json:"type"`
+	Config SignerConfig `json:"config"`
+}
+
+// SignerConfig is a configuration that can create a signer.
+type SignerConfig interface{}
+
+var (
+	_ SignerConfig = (*signer.LocalConfig)(nil)
+	_ SignerConfig = (*signer.VaultConfig)(nil)
+)
+
+var signerConfigs = map[string]func() SignerConfig{
+	"local": func() SignerConfig { return new(signer.LocalConfig) },
+	"vault": func() SignerConfig { return new(signer.VaultConfig) },
+}
+
+// UnmarshalJSON allows Signer to implement the unmarshaler interface to
+// dynamically determine the type of the signer config.
+func (s *Signer) UnmarshalJSON(b []byte) error {
+	var signerData struct {
+		Type   string          `json:"type"`
+		Config json.RawMessage `json:"config"`
+	}
+	if err := json.Unmarshal(b, &signerData); err != nil {
+		return fmt.Errorf("parse signer: %v", err)
+	}
+
+	f, ok := signerConfigs[signerData.Type]
+	if !ok {
+		return fmt.Errorf("unknown signer type %q", signerData.Type)
+	}
+
+	signerConfig := f()
+	if len(signerData.Config) != 0 {
+		data := []byte(signerData.Config)
+		if featureflags.ExpandEnv.Enabled() {
+			var rawMap map[string]interface{}
+			if err := json.Unmarshal(signerData.Config, &rawMap); err != nil {
+				return fmt.Errorf("unmarshal config for env expansion: %v", err)
+			}
+
+			// Recursively expand environment variables in the map
+			expandEnvInMap(rawMap)
+
+			// Marshal the expanded map back to JSON
+			expandedData, err := json.Marshal(rawMap)
+			if err != nil {
+				return fmt.Errorf("marshal expanded config: %v", err)
+			}
+
+			data = expandedData
+		}
+
+		if err := json.Unmarshal(data, signerConfig); err != nil {
+			return fmt.Errorf("parse signer config: %v", err)
+		}
+	}
+
+	*s = Signer{
+		Type:   signerData.Type,
+		Config: signerConfig,
+	}
+	return nil
+}
+
 // Connector is a magical type that can unmarshal YAML dynamically. The
 // Type field determines the connector type, which is then customized for Config.
 type Connector struct {
--- a/cmd/dex/config_test.go
+++ b/cmd/dex/config_test.go
@ -1,6 +1,7 @@
 package main

 import (
+	"encoding/json"
 	"log/slog"
 	"os"
 	"testing"
@ -11,6 +12,7 @@ import (
 	"github.com/dexidp/dex/connector/mock"
 	"github.com/dexidp/dex/connector/oidc"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
 )
@ -469,3 +471,117 @@ logger:
 		t.Errorf("got!=want: %s", diff)
 	}
 }
+
+func TestSignerConfigUnmarshal(t *testing.T) {
+	tests := []struct {
+		name    string
+		config  string
+		wantErr bool
+		check   func(*Config) error
+	}{
+		{
+			name: "local signer with rotation period",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: local
+  config:
+    keysRotationPeriod: 6h
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "local" {
+					t.Errorf("expected signer type 'local', got %q", c.Signer.Type)
+				}
+				if localConfig, ok := c.Signer.Config.(*signer.LocalConfig); !ok {
+					t.Error("expected LocalConfig")
+				} else if localConfig.KeysRotationPeriod != "6h" {
+					t.Errorf("expected keys rotation period '6h', got %q", localConfig.KeysRotationPeriod)
+				}
+				return nil
+			},
+		},
+		{
+			name: "vault signer",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+signer:
+  type: vault
+  config:
+    addr: http://localhost:8200
+    token: test-token
+    keyName: test-key
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "vault" {
+					t.Errorf("expected signer type 'vault', got %q", c.Signer.Type)
+				}
+				if vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig); !ok {
+					t.Error("expected VaultConfig")
+				} else {
+					if vaultConfig.Addr != "http://localhost:8200" {
+						t.Errorf("expected addr 'http://localhost:8200', got %q", vaultConfig.Addr)
+					}
+					if vaultConfig.Token != "test-token" {
+						t.Errorf("expected token 'test-token', got %q", vaultConfig.Token)
+					}
+					if vaultConfig.KeyName != "test-key" {
+						t.Errorf("expected keyName 'test-key', got %q", vaultConfig.KeyName)
+					}
+				}
+				return nil
+			},
+		},
+		{
+			name: "default to local when no signer specified",
+			config: `
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+enablePasswordDB: true
+`,
+			wantErr: false,
+			check: func(c *Config) error {
+				if c.Signer.Type != "local" {
+					t.Errorf("expected signer type 'local', got %q", c.Signer.Type)
+				}
+				return nil
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var c Config
+			data, err := yaml.YAMLToJSON([]byte(tt.config))
+			if err != nil {
+				t.Fatalf("failed to convert yaml to json: %v", err)
+			}
+
+			err = json.Unmarshal(data, &c)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Unmarshal() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if err == nil && tt.check != nil {
+				if err := tt.check(&c); err != nil {
+					t.Errorf("check failed: %v", err)
+				}
+			}
+		})
+	}
+}
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@ -37,6 +37,7 @@ import (
 	"github.com/dexidp/dex/api/v2"
 	"github.com/dexidp/dex/pkg/featureflags"
 	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 )

@ -290,6 +291,65 @@ func runServe(options serveOptions) error {

 	healthChecker := gosundheit.New()

+	// Parse expiry durations
+	var idTokensValidFor = 24 * time.Hour // default
+	if c.Expiry.IDTokens != "" {
+		var err error
+		idTokensValidFor, err = time.ParseDuration(c.Expiry.IDTokens)
+		if err != nil {
+			return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err)
+		}
+		logger.Info("config id tokens", "valid_for", idTokensValidFor)
+	}
+
+	// Create signer
+	var signerInstance signer.Signer
+	switch c.Signer.Type {
+	case "vault":
+		vaultConfig, ok := c.Signer.Config.(*signer.VaultConfig)
+		if !ok {
+			return fmt.Errorf("invalid vault signer config")
+		}
+		signerInstance, err = vaultConfig.Open(context.Background())
+		if err != nil {
+			return fmt.Errorf("failed to open vault signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "vault")
+	case "local":
+		localConfig, ok := c.Signer.Config.(*signer.LocalConfig)
+		if !ok {
+			return fmt.Errorf("invalid local signer config")
+		}
+		if localConfig.KeysRotationPeriod == "" {
+			return fmt.Errorf("failed to open local signer: signer.config.keysRotationPeriod must be specified")
+		}
+		if c.Expiry.SigningKeys != "" {
+			logger.Warn("both expiry.signingKeys and signer.config.keysRotationPeriod specified, using signer.config.keysRotationPeriod")
+		}
+		signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger)
+		if err != nil {
+			return fmt.Errorf("failed to open local signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod)
+	case "": // Default to local signer
+		// Handle deprecated expiry.signingKeys configuration
+		if c.Expiry.SigningKeys != "" {
+			logger.Warn("config expiry.signingKeys will be removed in a future release",
+				"use_instead", "signer.config.keysRotationPeriod",
+				"current_value", c.Expiry.SigningKeys, "deprecated", true)
+		} else {
+			c.Expiry.SigningKeys = "6h"
+		}
+		localConfig := signer.LocalConfig{KeysRotationPeriod: c.Expiry.SigningKeys}
+		signerInstance, err = localConfig.Open(context.Background(), s, idTokensValidFor, now, logger)
+		if err != nil {
+			return fmt.Errorf("failed to open local signer: %v", err)
+		}
+		logger.Info("signer configured", "type", "local", "keys_rotation_period", localConfig.KeysRotationPeriod)
+	default:
+		return fmt.Errorf("unknown signer type %q", c.Signer.Type)
+	}
+
 	serverConfig := server.Config{
 		AllowedGrantTypes:          c.OAuth2.GrantTypes,
 		SupportedResponseTypes:     c.OAuth2.ResponseTypes,
@ -307,24 +367,10 @@ func runServe(options serveOptions) error {
 		PrometheusRegistry:         prometheusRegistry,
 		HealthChecker:              healthChecker,
 		ContinueOnConnectorFailure: featureflags.ContinueOnConnectorFailure.Enabled(),
-		Signer:                     c.Signer,
-	}
-	if c.Expiry.SigningKeys != "" {
-		signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys)
-		if err != nil {
-			return fmt.Errorf("invalid config value %q for signing keys expiry: %v", c.Expiry.SigningKeys, err)
-		}
-		logger.Info("config signing keys", "expire_after", signingKeys)
-		serverConfig.RotateKeysAfter = signingKeys
-	}
-	if c.Expiry.IDTokens != "" {
-		idTokens, err := time.ParseDuration(c.Expiry.IDTokens)
-		if err != nil {
-			return fmt.Errorf("invalid config value %q for id token expiry: %v", c.Expiry.IDTokens, err)
-		}
-		logger.Info("config id tokens", "valid_for", idTokens)
-		serverConfig.IDTokensValidFor = idTokens
+		Signer:                     signerInstance,
+		IDTokensValidFor:           idTokensValidFor,
 	}
+
 	if c.Expiry.AuthRequests != "" {
 		authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
 		if err != nil {
--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@ -184,9 +184,13 @@ staticPasswords:
 # Settings for signing JWT tokens. Available options:
 # - "local": use local keys (only RSA keys supported)
 # - "vault": use Vault Transit backend (RSA and EC keys supported)
-# signer:
+signer:
+  type: local
+  config:
+    keysRotationPeriod: "6h"
+# signer
 #   type: vault
-#   vault:
+#   config:
 #     addr: http://127.0.0.1:8200
 #     token: root
 #     keyName: dex-key
--- a/server/oauth2.go
+++ b/server/oauth2.go
@ -25,6 +25,7 @@ import (

 	"github.com/dexidp/dex/connector"
 	"github.com/dexidp/dex/server/internal"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 )

@ -699,7 +700,7 @@ func validateConnectorID(connectors []storage.Connector, connectorID string) boo

 // signerKeySet implements the oidc.KeySet interface backed by the Dex signer
 type signerKeySet struct {
-	signer Signer
+	signer signer.Signer
 }

 func (s *signerKeySet) VerifySignature(ctx context.Context, jwt string) (payload []byte, err error) {
--- a/server/refreshhandlers.go
+++ b/server/refreshhandlers.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"strings"
 	"time"
@ -13,6 +14,76 @@ import (
 	"github.com/dexidp/dex/storage"
 )

+type RefreshTokenPolicy struct {
+	rotateRefreshTokens bool // enable rotation
+
+	absoluteLifetime  time.Duration // interval from token creation to the end of its life
+	validIfNotUsedFor time.Duration // interval from last token update to the end of its life
+	reuseInterval     time.Duration // interval within which old refresh token is allowed to be reused
+
+	now func() time.Time
+
+	logger *slog.Logger
+}
+
+func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error) {
+	r := RefreshTokenPolicy{now: time.Now, logger: logger}
+	var err error
+
+	if validIfNotUsedFor != "" {
+		r.validIfNotUsedFor, err = time.ParseDuration(validIfNotUsedFor)
+		if err != nil {
+			return nil, fmt.Errorf("invalid config value %q for refresh token valid if not used for: %v", validIfNotUsedFor, err)
+		}
+		logger.Info("config refresh tokens", "valid_if_not_used_for", validIfNotUsedFor)
+	}
+
+	if absoluteLifetime != "" {
+		r.absoluteLifetime, err = time.ParseDuration(absoluteLifetime)
+		if err != nil {
+			return nil, fmt.Errorf("invalid config value %q for refresh tokens absolute lifetime: %v", absoluteLifetime, err)
+		}
+		logger.Info("config refresh tokens", "absolute_lifetime", absoluteLifetime)
+	}
+
+	if reuseInterval != "" {
+		r.reuseInterval, err = time.ParseDuration(reuseInterval)
+		if err != nil {
+			return nil, fmt.Errorf("invalid config value %q for refresh tokens reuse interval: %v", reuseInterval, err)
+		}
+		logger.Info("config refresh tokens", "reuse_interval", reuseInterval)
+	}
+
+	r.rotateRefreshTokens = !rotation
+	logger.Info("config refresh tokens rotation", "enabled", r.rotateRefreshTokens)
+	return &r, nil
+}
+
+func (r *RefreshTokenPolicy) RotationEnabled() bool {
+	return r.rotateRefreshTokens
+}
+
+func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool {
+	if r.absoluteLifetime == 0 {
+		return false // expiration disabled
+	}
+	return r.now().After(lastUsed.Add(r.absoluteLifetime))
+}
+
+func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool {
+	if r.validIfNotUsedFor == 0 {
+		return false // expiration disabled
+	}
+	return r.now().After(lastUsed.Add(r.validIfNotUsedFor))
+}
+
+func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool {
+	if r.reuseInterval == 0 {
+		return false // expiration disabled
+	}
+	return !r.now().After(lastUsed.Add(r.reuseInterval))
+}
+
 func contains(arr []string, item string) bool {
 	for _, itemFromArray := range arr {
 		if itemFromArray == item {
--- a/server/refreshhandlers_test.go
+++ b/server/refreshhandlers_test.go
@ -3,6 +3,7 @@ package server
 import (
 	"bytes"
 	"encoding/json"
+	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -207,3 +208,25 @@ func TestRefreshTokenExpirationScenarios(t *testing.T) {
 		})
 	}
 }
+
+func TestRefreshTokenPolicy(t *testing.T) {
+	lastTime := time.Now()
+	l := slog.New(slog.DiscardHandler)
+
+	r, err := NewRefreshTokenPolicy(l, true, "1m", "1m", "1m")
+	require.NoError(t, err)
+
+	t.Run("Allowed", func(t *testing.T) {
+		r.now = func() time.Time { return lastTime }
+		require.Equal(t, true, r.AllowedToReuse(lastTime))
+		require.Equal(t, false, r.ExpiredBecauseUnused(lastTime))
+		require.Equal(t, false, r.CompletelyExpired(lastTime))
+	})
+
+	t.Run("Expired", func(t *testing.T) {
+		r.now = func() time.Time { return lastTime.Add(2 * time.Minute) }
+		require.Equal(t, false, r.AllowedToReuse(lastTime))
+		require.Equal(t, true, r.ExpiredBecauseUnused(lastTime))
+		require.Equal(t, true, r.CompletelyExpired(lastTime))
+	})
+}
--- a/server/server.go
+++ b/server/server.go
@ -2,7 +2,6 @@ package server

 import (
 	"context"
-	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -45,6 +44,7 @@ import (
 	"github.com/dexidp/dex/connector/oidc"
 	"github.com/dexidp/dex/connector/openshift"
 	"github.com/dexidp/dex/connector/saml"
+	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/web"
 )
@ -96,7 +96,6 @@ type Config struct {
 	// If enabled, the connectors selection page will always be shown even if there's only one
 	AlwaysShowLoginScreen bool

-	RotateKeysAfter        time.Duration // Defaults to 6 hours.
 	IDTokensValidFor       time.Duration // Defaults to 24 hours
 	AuthRequestsValidFor   time.Duration // Defaults to 24 hours
 	DeviceRequestsValidFor time.Duration // Defaults to 5 minutes
@ -116,7 +115,8 @@ type Config struct {

 	Logger *slog.Logger

-	Signer SignerConfig
+	// Signer is used to sign tokens.
+	Signer signer.Signer

 	PrometheusRegistry *prometheus.Registry

@ -158,12 +158,6 @@ type WebConfig struct {
 	Extra map[string]string
 }

-// SignerConfig holds the server's signer configuration.
-type SignerConfig struct {
-	Type  string            `json:"type"`
-	Vault VaultSignerConfig `json:"vault"`
-}
-
 func value(val, defaultValue time.Duration) time.Duration {
 	if val == 0 {
 		return defaultValue
@ -209,25 +203,15 @@ type Server struct {

 	logger *slog.Logger

-	signer Signer
+	signer signer.Signer
 }

 // NewServer constructs a server from the provided config.
 func NewServer(ctx context.Context, c Config) (*Server, error) {
-	return newServer(ctx, c, defaultRotationStrategy(
-		value(c.RotateKeysAfter, 6*time.Hour),
-		value(c.IDTokensValidFor, 24*time.Hour),
-	))
+	return newServer(ctx, c)
 }

-// NewServerWithKey constructs a server from the provided config and a static signing key.
-func NewServerWithKey(ctx context.Context, c Config, privateKey *rsa.PrivateKey) (*Server, error) {
-	return newServer(ctx, c, staticRotationStrategy(
-		privateKey,
-	))
-}
-
-func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) (*Server, error) {
+func newServer(ctx context.Context, c Config) (*Server, error) {
 	issuerURL, err := url.Parse(c.Issuer)
 	if err != nil {
 		return nil, fmt.Errorf("server: can't parse issuer URL")
@ -326,19 +310,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		templates:              tmpls,
 		passwordConnector:      c.PasswordConnector,
 		logger:                 c.Logger,
-	}
-
-	// Initialize signer
-	if c.Signer.Type == "vault" {
-		s.signer, err = newVaultSigner(c.Signer.Vault)
-		if err != nil {
-			return nil, fmt.Errorf("failed to initialize vault signer: %v", err)
-		}
-		s.logger.Info("signer configured", "type", "vault")
-	} else {
-		// Default to local signer
-		s.signer = newLocalSigner(c.Storage, rotationStrategy, now, c.Logger)
-		s.logger.Info("signer configured", "type", "local")
+		signer:                 c.Signer,
 	}

 	// Retrieves connector objects in backend storage. This list includes the static connectors
--- a/server/signer/local.go
+++ b/server/signer/local.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"context"
@ -11,22 +11,34 @@ import (
 	"github.com/dexidp/dex/storage"
 )

-// localSigner signs payloads using keys stored in the Dex storage.
-// It manages key rotation and storage using the existing keyRotator logic.
-type localSigner struct {
-	storage storage.Storage
-	rotator *keyRotator
-	logger  *slog.Logger
+// LocalConfig holds configuration for the local signer.
+type LocalConfig struct {
+	// KeysRotationPeriod defines the duration of time after which the signing keys will be rotated.
+	KeysRotationPeriod string `json:"keysRotationPeriod"`
 }

-// newLocalSigner creates a new local signer and starts the key rotation loop.
-func newLocalSigner(s storage.Storage, strategy rotationStrategy, now func() time.Time, logger *slog.Logger) *localSigner {
+// Open creates a new local signer.
+func (c *LocalConfig) Open(_ context.Context, s storage.Storage, idTokenValidFor time.Duration, now func() time.Time, logger *slog.Logger) (Signer, error) {
+	rotateKeysAfter, err := time.ParseDuration(c.KeysRotationPeriod)
+	if err != nil {
+		return nil, fmt.Errorf("invalid config value %q for local signer rotation period: %v", c.KeysRotationPeriod, err)
+	}
+
+	strategy := defaultRotationStrategy(rotateKeysAfter, idTokenValidFor)
 	r := &keyRotator{s, strategy, now, logger}
 	return &localSigner{
 		storage: s,
 		rotator: r,
 		logger:  logger,
-	}
+	}, nil
+}
+
+// localSigner signs payloads using keys stored in the Dex storage.
+// It manages key rotation and storage using the existing keyRotator logic.
+type localSigner struct {
+	storage storage.Storage
+	rotator *keyRotator
+	logger  *slog.Logger
 }

 // Start begins key rotation in a new goroutine, closing once the context is canceled.
--- a/server/signer/rotation.go
+++ b/server/signer/rotation.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"context"
@ -147,73 +147,3 @@ func (k keyRotator) rotate() error {
 	k.logger.Info("keys rotated", "next_rotation", nextRotation)
 	return nil
 }
-
-type RefreshTokenPolicy struct {
-	rotateRefreshTokens bool // enable rotation
-
-	absoluteLifetime  time.Duration // interval from token creation to the end of its life
-	validIfNotUsedFor time.Duration // interval from last token update to the end of its life
-	reuseInterval     time.Duration // interval within which old refresh token is allowed to be reused
-
-	now func() time.Time
-
-	logger *slog.Logger
-}
-
-func NewRefreshTokenPolicy(logger *slog.Logger, rotation bool, validIfNotUsedFor, absoluteLifetime, reuseInterval string) (*RefreshTokenPolicy, error) {
-	r := RefreshTokenPolicy{now: time.Now, logger: logger}
-	var err error
-
-	if validIfNotUsedFor != "" {
-		r.validIfNotUsedFor, err = time.ParseDuration(validIfNotUsedFor)
-		if err != nil {
-			return nil, fmt.Errorf("invalid config value %q for refresh token valid if not used for: %v", validIfNotUsedFor, err)
-		}
-		logger.Info("config refresh tokens", "valid_if_not_used_for", validIfNotUsedFor)
-	}
-
-	if absoluteLifetime != "" {
-		r.absoluteLifetime, err = time.ParseDuration(absoluteLifetime)
-		if err != nil {
-			return nil, fmt.Errorf("invalid config value %q for refresh tokens absolute lifetime: %v", absoluteLifetime, err)
-		}
-		logger.Info("config refresh tokens", "absolute_lifetime", absoluteLifetime)
-	}
-
-	if reuseInterval != "" {
-		r.reuseInterval, err = time.ParseDuration(reuseInterval)
-		if err != nil {
-			return nil, fmt.Errorf("invalid config value %q for refresh tokens reuse interval: %v", reuseInterval, err)
-		}
-		logger.Info("config refresh tokens", "reuse_interval", reuseInterval)
-	}
-
-	r.rotateRefreshTokens = !rotation
-	logger.Info("config refresh tokens rotation", "enabled", r.rotateRefreshTokens)
-	return &r, nil
-}
-
-func (r *RefreshTokenPolicy) RotationEnabled() bool {
-	return r.rotateRefreshTokens
-}
-
-func (r *RefreshTokenPolicy) CompletelyExpired(lastUsed time.Time) bool {
-	if r.absoluteLifetime == 0 {
-		return false // expiration disabled
-	}
-	return r.now().After(lastUsed.Add(r.absoluteLifetime))
-}
-
-func (r *RefreshTokenPolicy) ExpiredBecauseUnused(lastUsed time.Time) bool {
-	if r.validIfNotUsedFor == 0 {
-		return false // expiration disabled
-	}
-	return r.now().After(lastUsed.Add(r.validIfNotUsedFor))
-}
-
-func (r *RefreshTokenPolicy) AllowedToReuse(lastUsed time.Time) bool {
-	if r.reuseInterval == 0 {
-		return false // expiration disabled
-	}
-	return !r.now().After(lastUsed.Add(r.reuseInterval))
-}
--- a/server/signer/rotation_test.go
+++ b/server/signer/rotation_test.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"context"
@ -7,8 +7,6 @@ import (
 	"testing"
 	"time"

-	"github.com/stretchr/testify/require"
-
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/memory"
 )
@ -97,25 +95,3 @@ func TestKeyRotator(t *testing.T) {
 		}
 	}
 }
-
-func TestRefreshTokenPolicy(t *testing.T) {
-	lastTime := time.Now()
-	l := slog.New(slog.DiscardHandler)
-
-	r, err := NewRefreshTokenPolicy(l, true, "1m", "1m", "1m")
-	require.NoError(t, err)
-
-	t.Run("Allowed", func(t *testing.T) {
-		r.now = func() time.Time { return lastTime }
-		require.Equal(t, true, r.AllowedToReuse(lastTime))
-		require.Equal(t, false, r.ExpiredBecauseUnused(lastTime))
-		require.Equal(t, false, r.CompletelyExpired(lastTime))
-	})
-
-	t.Run("Expired", func(t *testing.T) {
-		r.now = func() time.Time { return lastTime.Add(2 * time.Minute) }
-		require.Equal(t, false, r.AllowedToReuse(lastTime))
-		require.Equal(t, true, r.ExpiredBecauseUnused(lastTime))
-		require.Equal(t, true, r.CompletelyExpired(lastTime))
-	})
-}
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@ -1,8 +1,7 @@
-package server
+package signer

 import (
 	"context"
-
 	"github.com/go-jose/go-jose/v4"
 )

@ -10,13 +9,10 @@ import (
 type Signer interface {
 	// Sign signs the provided payload.
 	Sign(ctx context.Context, payload []byte) (string, error)
-
 	// ValidationKeys returns the current public keys used for signature validation.
 	ValidationKeys(ctx context.Context) ([]*jose.JSONWebKey, error)
-
 	// Algorithm returns the signing algorithm used by this signer.
 	Algorithm(ctx context.Context) (jose.SignatureAlgorithm, error)
-
 	// Start starts any background tasks required by the signer (e.g., key rotation).
 	Start(ctx context.Context)
 }
--- a/server/signer/utils.go
+++ b/server/signer/utils.go
@ -0,0 +1,58 @@
+package signer
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+
+	"github.com/go-jose/go-jose/v4"
+)
+
+func signatureAlgorithm(jwk *jose.JSONWebKey) (alg jose.SignatureAlgorithm, err error) {
+	if jwk.Key == nil {
+		return alg, errors.New("no signing key")
+	}
+	switch key := jwk.Key.(type) {
+	case *rsa.PrivateKey:
+		// Because OIDC mandates that we support RS256, we always return that
+		// value. In the future, we might want to make this configurable on a
+		// per client basis. For example allowing PS256 or ECDSA variants.
+		//
+		// See https://github.com/dexidp/dex/issues/692
+		return jose.RS256, nil
+	case *ecdsa.PrivateKey:
+		// We don't actually support ECDSA keys yet, but they're tested for
+		// in case we want to in the future.
+		//
+		// These values are prescribed depending on the ECDSA key type. We
+		// can't return different values.
+		switch key.Params() {
+		case elliptic.P256().Params():
+			return jose.ES256, nil
+		case elliptic.P384().Params():
+			return jose.ES384, nil
+		case elliptic.P521().Params():
+			return jose.ES512, nil
+		default:
+			return alg, errors.New("unsupported ecdsa curve")
+		}
+	default:
+		return alg, fmt.Errorf("unsupported signing key type %T", key)
+	}
+}
+
+func signPayload(key *jose.JSONWebKey, alg jose.SignatureAlgorithm, payload []byte) (jws string, err error) {
+	signingKey := jose.SigningKey{Key: key, Algorithm: alg}
+
+	signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{})
+	if err != nil {
+		return "", fmt.Errorf("new signer: %v", err)
+	}
+	signature, err := signer.Sign(payload)
+	if err != nil {
+		return "", fmt.Errorf("signing payload: %v", err)
+	}
+	return signature.CompactSerialize()
+}
--- a/server/signer/vault.go
+++ b/server/signer/vault.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"context"
@ -21,18 +21,18 @@ import (
 	vault "github.com/openbao/openbao/api/v2"
 )

-// VaultSignerConfig holds configuration for the Vault signer.
-type VaultSignerConfig struct {
+// VaultConfig holds configuration for the Vault signer.
+type VaultConfig struct {
 	Addr    string `json:"addr"`
 	Token   string `json:"token"`
 	KeyName string `json:"keyName"`
 }

-// UnmarshalJSON unmarshals a VaultSignerConfig and applies environment variables.
+// UnmarshalJSON unmarshals a VaultConfig and applies environment variables.
 // If Addr or Token are not provided in the config, they are read from VAULT_ADDR
 // and VAULT_TOKEN environment variables respectively.
-func (c *VaultSignerConfig) UnmarshalJSON(data []byte) error {
-	type Alias VaultSignerConfig
+func (c *VaultConfig) UnmarshalJSON(data []byte) error {
+	type Alias VaultConfig
 	aux := &struct {
 		*Alias
 	}{
@ -59,6 +59,11 @@ func (c *VaultSignerConfig) UnmarshalJSON(data []byte) error {
 	return nil
 }

+// Open creates a new Vault signer.
+func (c *VaultConfig) Open(ctx context.Context) (Signer, error) {
+	return newVaultSigner(*c)
+}
+
 // vaultSigner signs payloads using HashiCorp Vault's Transit backend.
 type vaultSigner struct {
 	client  *vault.Client
@ -66,7 +71,7 @@ type vaultSigner struct {
 }

 // newVaultSigner creates a new Vault signer that uses Transit backend for signing.
-func newVaultSigner(c VaultSignerConfig) (*vaultSigner, error) {
+func newVaultSigner(c VaultConfig) (*vaultSigner, error) {
 	config := vault.DefaultConfig()
 	config.Address = c.Addr

--- a/server/signer/vault_integration_test.go
+++ b/server/signer/vault_integration_test.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"context"
@ -136,7 +136,7 @@ func TestVaultSignerConformance_SigningAndVerification(t *testing.T) {
 					defer cleanupTests(t, ctx, client, keyName)

 					// Create signer
-					signerConfig := VaultSignerConfig{
+					signerConfig := VaultConfig{
 						Addr:    config.addr,
 						Token:   config.token,
 						KeyName: keyName,
@ -283,7 +283,7 @@ func TestVaultSignerConformance_KeyRotation(t *testing.T) {
 			defer cleanupTests(t, ctx, client, keyName)

 			// Create signer
-			signerConfig := VaultSignerConfig{
+			signerConfig := VaultConfig{
 				Addr:    config.addr,
 				Token:   config.token,
 				KeyName: keyName,
@ -412,7 +412,7 @@ func TestVaultSignerConformance_PublicKeyDiscovery(t *testing.T) {
 			defer cleanupTests(t, ctx, client, keyName)

 			// Create signer
-			signerConfig := VaultSignerConfig{
+			signerConfig := VaultConfig{
 				Addr:    config.addr,
 				Token:   config.token,
 				KeyName: keyName,
--- a/server/signer/vault_test.go
+++ b/server/signer/vault_test.go
@ -1,4 +1,4 @@
-package server
+package signer

 import (
 	"encoding/json"
@ -6,7 +6,7 @@ import (
 	"testing"
 )

-func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
+func TestVaultConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 	// Save original environment variables
 	originalAddr := os.Getenv("VAULT_ADDR")
 	originalToken := os.Getenv("VAULT_TOKEN")
@ -22,13 +22,13 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 	tests := []struct {
 		name    string
 		json    string
-		want    VaultSignerConfig
+		want    VaultConfig
 		wantErr bool
 	}{
 		{
 			name: "empty config uses env vars",
 			json: `{"keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "http://vault.example.com:8200",
 				Token:   "s.xxxxxxxxxxxxxxxx",
 				KeyName: "signing-key",
@ -38,7 +38,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 		{
 			name: "config values override env vars",
 			json: `{"addr": "http://custom.vault.com:8200", "token": "s.custom", "keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "http://custom.vault.com:8200",
 				Token:   "s.custom",
 				KeyName: "signing-key",
@ -48,7 +48,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 		{
 			name: "partial config uses env vars for missing values",
 			json: `{"addr": "http://custom.vault.com:8200", "keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "http://custom.vault.com:8200",
 				Token:   "s.xxxxxxxxxxxxxxxx",
 				KeyName: "signing-key",
@ -58,7 +58,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 		{
 			name: "empty token in config uses env var",
 			json: `{"addr": "http://custom.vault.com:8200", "token": "", "keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "http://custom.vault.com:8200",
 				Token:   "s.xxxxxxxxxxxxxxxx",
 				KeyName: "signing-key",
@ -69,7 +69,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var got VaultSignerConfig
+			var got VaultConfig
 			err := json.Unmarshal([]byte(tt.json), &got)

 			if (err != nil) != tt.wantErr {
@ -90,7 +90,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithEnvVars(t *testing.T) {
 	}
 }

-func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
+func TestVaultConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
 	// Save original environment variables
 	originalAddr := os.Getenv("VAULT_ADDR")
 	originalToken := os.Getenv("VAULT_TOKEN")
@ -106,13 +106,13 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
 	tests := []struct {
 		name    string
 		json    string
-		want    VaultSignerConfig
+		want    VaultConfig
 		wantErr bool
 	}{
 		{
 			name: "config values used when env vars not set",
 			json: `{"addr": "http://vault.example.com:8200", "token": "s.xxxxxxxxxxxxxxxx", "keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "http://vault.example.com:8200",
 				Token:   "s.xxxxxxxxxxxxxxxx",
 				KeyName: "signing-key",
@ -122,7 +122,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
 		{
 			name: "empty config when env vars not set",
 			json: `{"keyName": "signing-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "",
 				Token:   "",
 				KeyName: "signing-key",
@ -132,7 +132,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
 		{
 			name: "only keyName required in config",
 			json: `{"keyName": "my-key"}`,
-			want: VaultSignerConfig{
+			want: VaultConfig{
 				Addr:    "",
 				Token:   "",
 				KeyName: "my-key",
@ -143,7 +143,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var got VaultSignerConfig
+			var got VaultConfig
 			err := json.Unmarshal([]byte(tt.json), &got)

 			if (err != nil) != tt.wantErr {
@ -164,7 +164,7 @@ func TestVaultSignerConfigUnmarshalJSON_WithoutEnvVars(t *testing.T) {
 	}
 }

-func TestVaultSignerConfigUnmarshalJSON_InvalidJSON(t *testing.T) {
+func TestVaultConfigUnmarshalJSON_InvalidJSON(t *testing.T) {
 	tests := []struct {
 		name    string
 		json    string
@ -184,7 +184,7 @@ func TestVaultSignerConfigUnmarshalJSON_InvalidJSON(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var got VaultSignerConfig
+			var got VaultConfig
 			err := json.Unmarshal([]byte(tt.json), &got)

 			if (err != nil) != tt.wantErr {