fix: ensure signer has key on OP creation

pkg/op/op.go

@@ -125,8 +125,8 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
 	}
 
 	keyCh := make(chan jose.SigningKey)
-	o.signer = NewSigner(ctx, storage, keyCh)
 	go storage.GetSigningKey(ctx, keyCh)
+	o.signer = NewSigner(ctx, storage, keyCh)
 
 	o.httpHandler = CreateRouter(o, o.interceptors...)
 

pkg/op/signer.go

@@ -25,6 +25,12 @@ func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.Signi
 		storage: storage,
 	}
 
+	select {
+	case <-ctx.Done():
+		return nil
+	case key := <-keyCh:
+		s.exchangeSigningKey(key)
+	}
 	go s.refreshSigningKey(ctx, keyCh)
 
 	return s
@@ -50,21 +56,25 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
 		case <-ctx.Done():
 			return
 		case key := <-keyCh:
+			s.exchangeSigningKey(key)
+		}
+	}
+}
+
+func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
 	s.alg = key.Algorithm
 	if key.Algorithm == "" || key.Key == nil {
 		s.signer = nil
 		logging.Log("OP-DAvt4").Warn("signer has no key")
-				continue
+		return
 	}
 	var err error
 	s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
 	if err != nil {
 		logging.Log("OP-pf32aw").WithError(err).Error("error creating signer")
-				continue
+		return
 	}
 	logging.Log("OP-agRf2").Info("signer exchanged signing key")
-		}
-	}
 }
 
 func (s *tokenSigner) SignatureAlgorithm() jose.SignatureAlgorithm {