feat: allow id token hint verifier to specify algs (#229)

pkg/op/op.go

@@ -190,6 +190,7 @@ type openidProvider struct {
 	interceptors            []HttpInterceptor
 	timer                   <-chan time.Time
 	accessTokenVerifierOpts []AccessTokenVerifierOpt
+	idTokenHintVerifierOpts     []IDTokenHintVerifierOpt
 }
 
 func (o *openidProvider) Issuer() string {
@@ -299,7 +300,7 @@ func (o *openidProvider) Encoder() httphelper.Encoder {
 
 func (o *openidProvider) IDTokenHintVerifier() IDTokenHintVerifier {
 	if o.idTokenHintVerifier == nil {
-		o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet())
+		o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet(), o.idTokenHintVerifierOpts...)
 	}
 	return o.idTokenHintVerifier
 }
@@ -465,6 +466,13 @@ func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option {
 	}
 }
 
+func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option {
+	return func(o *openidProvider) error {
+		o.idTokenHintVerifierOpts = opts
+		return nil
+	}
+}
+
 func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler {
 	return func(handlerFunc http.HandlerFunc) http.Handler {
 		handler := handlerFuncToHandler(handlerFunc)

pkg/op/verifier_id_token_hint.go

@@ -53,11 +53,22 @@ func (i *idTokenHintVerifier) MaxAge() time.Duration {
 	return i.maxAge
 }
 
-func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet) IDTokenHintVerifier {
+type IDTokenHintVerifierOpt func(*idTokenHintVerifier)
+
+func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt {
+	return func(verifier *idTokenHintVerifier) {
+		verifier.supportedSignAlgs = algs
+	}
+}
+
+func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) IDTokenHintVerifier {
 	verifier := &idTokenHintVerifier{
 		issuer: issuer,
 		keySet: keySet,
 	}
+	for _, opt := range opts {
+		opt(verifier)
+	}
 	return verifier
 }