fix: EdDSA to Ed25519 token migration

[Stellatsuu]

cc @aldbr
Closes: #718

Changes:

• changed token creation algorithm to be Ed25519 instead of EdDSA
• added Ed25519 to the authorized algorithm list. EdDSA is still listed as authorized algorithm so people have time to rotate keys before full migration

TODO:

• create documentation about keys rotation

[aldbr]

That looks good, thank you 🙂
I just have a few minor comments around the tests.
Next step: making sure there is a documentation page to rotate the keys (and delete old ones if needed). If it does not exist, then we need to create one based on #499 (comment)

[read-the-docs-community]

Documentation build overview

📚 diracx | 🛠️ Build #31354735 | 📁 Comparing fb73096 against latest (60e5846)

🔍 Preview build

Show files changed (1 files in total): 📝 1 modified | ➕ 0 added | ➖ 0 deleted

File	Status
admin/reference/env-variables/index.html	📝 modified

[Stellatsuu]

TODOs:

Rotation:

1. Launch demo
2. kubectl get secrets (optional, check if diracx-jwks is here)
3. kubectl get secret diracx-jwks -o yaml (retrieve old keys)
4. python -m diracx.logic rotate-jwk --jwks-path jwks.json (rotate)
5. kubectl create secret generic diracx-jwks \ --namespace=$namespace \ --from-file=jwks.json \ -> check if update exists (update new keys)

How to check rotation:

1. dirac login -> rotate key -> submit job -> check if ok
2. re-login -> /.cache/diracx/credentials.json -> decode -> check if alg = Ed25519

Also check https://jose.authlib.org/en/rfc/9864/#rfc9864

[Stellatsuu]

joserfc error breaking the demo when trying to login as diracAdmin:

• HttpResponseError: Operation returned an invalid status 'Internal Server Error'
• kubectl logs diracx-demo-...

Full Logs:

File "/diracx_source/diracx/diracx-logic/src/diracx/logic/auth/token.py", line 380, in create_token
   return jwt.encode(
          ^^^^^^^^^^^
 File "/opt/conda/lib/python3.11/site-packages/joserfc/jwt.py", line 80, in encode
   return serialize_compact(_header, payload, key, algorithms, registry)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/opt/conda/lib/python3.11/site-packages/joserfc/jws.py", line 105, in serialize_compact
   alg: JWSAlgModel = registry.get_alg(protected["alg"])
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/opt/conda/lib/python3.11/site-packages/joserfc/_rfc7515/registry.py", line 81, in get_alg
   raise UnsupportedAlgorithmError(f"Algorithm of '{name}' is not supported")
joserfc.errors.UnsupportedAlgorithmError: unsupported_algorithm: Algorithm of 'Ed25519' is not supported

See: https://jose.authlib.org/en/guide/errors/#unsupportedalgorithmerror