feat(rp): to use signing algorithms from discovery configuration (#574)

pkg/client/rp/relying_party.go

@@ -90,12 +90,13 @@ var DefaultUnauthorizedHandler UnauthorizedHandler = func(w http.ResponseWriter,
 }
 
 type relyingParty struct {
-	issuer            string
+	issuer                      string
-	DiscoveryEndpoint string
+	DiscoveryEndpoint           string
-	endpoints         Endpoints
+	endpoints                   Endpoints
-	oauthConfig       *oauth2.Config
+	oauthConfig                 *oauth2.Config
-	oauth2Only        bool
+	oauth2Only                  bool
-	pkce              bool
+	pkce                        bool
+	useSigningAlgsFromDiscovery bool
 
 	httpClient    *http.Client
 	cookieHandler *httphelper.CookieHandler
@@ -238,6 +239,9 @@ func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, re
 	if err != nil {
 		return nil, err
 	}
+	if rp.useSigningAlgsFromDiscovery {
+		rp.verifierOpts = append(rp.verifierOpts, WithSupportedSigningAlgorithms(discoveryConfiguration.IDTokenSigningAlgValuesSupported...))
+	}
 	endpoints := GetEndpoints(discoveryConfiguration)
 	rp.oauthConfig.Endpoint = endpoints.Endpoint
 	rp.endpoints = endpoints
@@ -348,6 +352,15 @@ func WithLogger(logger *slog.Logger) Option {
 	}
 }
 
+// WithSigningAlgsFromDiscovery appends the [WithSupportedSigningAlgorithms] option to the Verifier Options.
+// The algorithms returned in the `id_token_signing_alg_values_supported` from the discovery response will be set.
+func WithSigningAlgsFromDiscovery() Option {
+	return func(rp *relyingParty) error {
+		rp.useSigningAlgsFromDiscovery = true
+		return nil
+	}
+}
+
 type SignerFromKey func() (jose.Signer, error)
 
 func SignerFromKeyPath(path string) SignerFromKey {