From 1aa75ec9533f7cb1f00533f5cf3d7dac7619242e Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Mon, 14 Nov 2022 07:59:33 -0800
Subject: [PATCH] feat: allow id token hint verifier to specify algs (#229)
---
 pkg/op/op.go | 10 +++++++++-
 pkg/op/verifier_id_token_hint.go | 13 ++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pkg/op/op.go b/pkg/op/op.go
index db35a87..59f1897 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -190,6 +190,7 @@ type openidProvider struct {
interceptors []HttpInterceptor
timer <-chan time.Time
accessTokenVerifierOpts []AccessTokenVerifierOpt
+ idTokenHintVerifierOpts []IDTokenHintVerifierOpt
}
func (o *openidProvider) Issuer() string {
@@ -299,7 +300,7 @@ func (o *openidProvider) Encoder() httphelper.Encoder {
func (o *openidProvider) IDTokenHintVerifier() IDTokenHintVerifier {
if o.idTokenHintVerifier == nil {
- o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet())
+ o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet(), o.idTokenHintVerifierOpts...)
}
return o.idTokenHintVerifier
}
@@ -465,6 +466,13 @@ func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option {
}
}
+func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option {
+ return func(o *openidProvider) error {
+ o.idTokenHintVerifierOpts = opts
+ return nil
+ }
+}
+
+func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler {
return func(handlerFunc http.HandlerFunc) http.Handler {
handler := handlerFuncToHandler(handlerFunc)
diff --git a/pkg/op/verifier_id_token_hint.go b/pkg/op/verifier_id_token_hint.go
index e0372ee..d36bbd8 100644
--- a/pkg/op/verifier_id_token_hint.go
+++ b/pkg/op/verifier_id_token_hint.go
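Review bot: `WithIDTokenHintVerifierOpts` in the third hunk is exported without a doc comment, and it assigns `opts` directly, so a second call replaces rather than extends earlier options and the provider keeps a reference to the caller's slice. A comment stating that is the minimum: `// WithIDTokenHintVerifierOpts sets the options passed to NewIDTokenHintVerifier when the provider lazily builds its ID token hint verifier; a later call replaces earlier ones.` If accumulation is intended instead, `o.idTokenHintVerifierOpts = append(o.idTokenHintVerifierOpts, opts...)` does it; either way it should match `WithAccessTokenVerifierOpts`, whose body lies outside the hunk. Note also that `IDTokenHintVerifier()` in the second hunk caches the verifier on first use, so the options only take effect if applied before that first call, which the doc comment should say.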
@@ -53,11 +53,22 @@ func (i *idTokenHintVerifier) MaxAge() time.Duration {
return i.maxAge
}
-func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet) IDTokenHintVerifier {
+type IDTokenHintVerifierOpt func(*idTokenHintVerifier)
+
+func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt {
+ return func(verifier *idTokenHintVerifier) {
+ verifier.supportedSignAlgs = algs
+ }
+}
+
+func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) IDTokenHintVerifier {
verifier := &idTokenHintVerifier{
issuer: issuer,
keySet: keySet,
}
+ for _, opt := range opts {
+ opt(verifier)
+ }
return verifier
}
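Review bot: `WithSupportedIDTokenHintSigningAlgorithms` stores whatever it is given unchecked: a call with no arguments sets `supportedSignAlgs` to nil, and how the verifier treats an empty list (reject everything, or drop the restriction) is not visible in this hunk, so the option should either refuse an empty list or document the effect, e.g. `if len(algs) == 0 { return }` before the assignment, and `verifier.supportedSignAlgs = append([]string(nil), algs...)` so the verifier does not alias a slice the caller may mutate later. Both new exported names and `NewIDTokenHintVerifier` lack doc comments; `// IDTokenHintVerifierOpt configures the verifier built by NewIDTokenHintVerifier.` and `// WithSupportedIDTokenHintSigningAlgorithms restricts the JWS algorithms accepted for id_token_hint to algs; the verifier's default applies when the option is not used.` cover the first two. Because any string is accepted here, rejecting unsafe algorithm names such as none has to happen where `supportedSignAlgs` is consumed, which is outside this hunk and worth confirming. The `MaxAge` method whose tail opens the hunk starts outside it.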