From c913406926eeeb837ee3d8dff2a1ef7a42d25121 Mon Sep 17 00:00:00 2001
From: Charles Zhao
Date: Mon, 9 Oct 2023 05:05:07 -0500
Subject: [PATCH] refactor(core): support oidc configuration hot replace (#4590)
---
packages/core/src/oidc/init.ts | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/packages/core/src/oidc/init.ts b/packages/core/src/oidc/init.ts
index 5ada2cd73..1d4bd603f 100644
--- a/packages/core/src/oidc/init.ts
+++ b/packages/core/src/oidc/init.ts
@@ -42,7 +42,6 @@ export default function initOidc(
 queries: Queries,
 libraries: Libraries
 ): Provider {
- const { issuer, cookieKeys, privateJwks, jwkSigningAlg } = envSet.oidc;
 const {
 resources: { findResourceByIndicator, findDefaultResource },
 users: { findUserById },
@@ -58,7 +57,9 @@ export default function initOidc(
 signed: true,
 } as const);

- const oidc = new Provider(issuer, {
+ // Do NOT deconstruct variables from `envSet` earlier, since we might reload `envSet` on the fly,
+ // and keeping the reference of the `envSet` object helps dynamically update oidc provider configs.
+ const oidc = new Provider(envSet.oidc.issuer, {
 adapter: postgresAdapter.bind(null, envSet, queries),
 // Align the error response regardless of the request format. It will be `application/json` by default.
 // Rendering different error response based on the request format is okay, but it brought more trouble
@@ -71,12 +72,12 @@ export default function initOidc(
 ctx.body = out;
 },
 cookies: {
- keys: cookieKeys,
+ keys: envSet.oidc.cookieKeys,
 long: cookieConfig,
 short: cookieConfig,
 },
 jwks: {
- keys: privateJwks,
+ keys: envSet.oidc.privateJwks,
 },
 enabledJWA: {
 authorizationSigningAlgValues: [...supportedSigningAlgs],
@@ -126,7 +127,7 @@ export default function initOidc(
 accessTokenFormat: 'jwt',
 accessTokenTTL,
 jwt: {
- sign: { alg: jwkSigningAlg },
+ sign: { alg: envSet.oidc.jwkSigningAlg },
 },
 scope: '',
 } satisfies ResourceServer;
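Review bot: The comment added above `new Provider(envSet.oidc.issuer, {` claims that keeping the `envSet` reference lets the provider pick up reloaded configs, but every `envSet.oidc.*` read in this options literal (`issuer`, `cookieKeys`, `privateJwks`, `jwkSigningAlg`) is evaluated once when the literal is built, before the constructor runs, so the moved reads have the same snapshot semantics as the deleted destructuring. Unless `Provider` re-reads its options lazily (not visible from this diff), a later reload that replaces `envSet.oidc` leaves the running provider with the old cookie keys and signing JWKS, which matters if hot replace is meant to rotate keys: tokens and cookies would keep being signed with the retired material and nothing in the hunk detects it. Only `adapter: postgresAdapter.bind(null, envSet, queries)` genuinely keeps a live reference. Either re-create the provider by re-running `initOidc` on reload, or reword the comment so it does not promise live updates, e.g. `// Values are read from envSet.oidc at construction time; after a reload, re-run initOidc so the provider picks up the new issuer, cookie keys and JWKS.` `initOidc` begins and ends outside this hunk.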