[Epic]: OIDC signing key management

[muhlemmer]

As an admin I want to be able to create, rotate and disable signing keys for OIDC tokens manually. Keys only exist on instance level, as they represent the issuer (instance domain).

Background / proposal was done in the Improve OIDC key management discussion.

• [x] https://github.com/zitadel/zitadel/issues/8030
• [x] https://github.com/zitadel/zitadel/issues/8031
• [ ] https://github.com/zitadel/zitadel/issues/8033

[eliobischof]

To make it smaller, I'd create a story for api/oidc, frontend and migration each, put this one behind a feature flag and estimate it 3

[muhlemmer]

+1

When the access token lifetime on instance level is more than then public key lifetime from the zitadel runtime config (30 hrs in defaults.yaml), userinfo and introspection will fail when JWTs are used.

• https://discord.com/channels/927474939156643850/1232959992953442386. This user configured 36hrs token lifetime on zitadel cloud, where 30hrs is the public key lifetime.

[muhlemmer]

To make it smaller, I'd create a story for api/oidc, frontend and migration each, put this one behind a feature flag and estimate it 3

Done, this issue is now an epic.

As now we want to use the feature flag, we can take care of migration this way: once the feature flag gets enabled we generate the keys as with instance creation. This has been added to the resource user story.