feat(rp): to use signing algorithms from discovery configuration (#574)

2024-04-05 01:40:28 +09:00 · 2024-04-05 01:40:28 +09:00 · 42c4af0e7d
commit 42c4af0e7d
parent a3b73a6950
1 changed files with 19 additions and 6 deletions
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@ -96,6 +96,7 @@ type relyingParty struct {
 	oauthConfig                 *oauth2.Config
 	oauth2Only                  bool
 	pkce                        bool
+	useSigningAlgsFromDiscovery bool

 	httpClient    *http.Client
 	cookieHandler *httphelper.CookieHandler
@ -238,6 +239,9 @@ func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, re
 	if err != nil {
 		return nil, err
 	}
+	if rp.useSigningAlgsFromDiscovery {
+		rp.verifierOpts = append(rp.verifierOpts, WithSupportedSigningAlgorithms(discoveryConfiguration.IDTokenSigningAlgValuesSupported...))
+	}
 	endpoints := GetEndpoints(discoveryConfiguration)
 	rp.oauthConfig.Endpoint = endpoints.Endpoint
 	rp.endpoints = endpoints
@ -348,6 +352,15 @@ func WithLogger(logger *slog.Logger) Option {
 	}
 }

+// WithSigningAlgsFromDiscovery appends the [WithSupportedSigningAlgorithms] option to the Verifier Options.
+// The algorithms returned in the `id_token_signing_alg_values_supported` from the discovery response will be set.
+func WithSigningAlgsFromDiscovery() Option {
+	return func(rp *relyingParty) error {
+		rp.useSigningAlgsFromDiscovery = true
+		return nil
+	}
+}
+
 type SignerFromKey func() (jose.Signer, error)

 func SignerFromKeyPath(path string) SignerFromKey {