diff --git a/example/client/app/app.go b/example/client/app/app.go
index 448c530..0b9b19d 100644
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@@ -56,6 +56,7 @@ func main() {
 		rp.WithVerifierOpts(rp.WithIssuedAtOffset(5 * time.Second)),
 		rp.WithHTTPClient(client),
 		rp.WithLogger(logger),
+		rp.WithSigningAlgsFromDiscovery(),
 	}
 	if clientSecret == "" {
 		options = append(options, rp.WithPKCE(cookieHandler))
diff --git a/pkg/crypto/hash.go b/pkg/crypto/hash.go
index ab9f8c1..14acdee 100644
--- a/pkg/crypto/hash.go
+++ b/pkg/crypto/hash.go
@@ -21,6 +21,14 @@ func GetHashAlgorithm(sigAlgorithm jose.SignatureAlgorithm) (hash.Hash, error) {
 		return sha512.New384(), nil
 	case jose.RS512, jose.ES512, jose.PS512:
 		return sha512.New(), nil
+
+	// There is no published spec for this yet, but we have confirmation it will get published.
+	// There is consensus here: https://bitbucket.org/openid/connect/issues/1125/_hash-algorithm-for-eddsa-id-tokens
+	// Currently Go and go-jose only supports the ed25519 curve key for EdDSA, so we can safely assume sha512 here.
+	// It is unlikely ed448 will ever be supported: https://github.com/golang/go/issues/29390
+	case jose.EdDSA:
+		return sha512.New(), nil
+
 	default:
 		return nil, fmt.Errorf("%w: %q", ErrUnsupportedAlgorithm, sigAlgorithm)
 	}
diff --git a/pkg/oidc/keyset.go b/pkg/oidc/keyset.go
index 833878d..a8b89b0 100644
--- a/pkg/oidc/keyset.go
+++ b/pkg/oidc/keyset.go
@@ -6,6 +6,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rsa"
 	"errors"
+	"strings"
 
 	jose "github.com/go-jose/go-jose/v4"
 )
@@ -92,17 +93,17 @@ func FindMatchingKey(keyID, use, expectedAlg string, keys ...jose.JSONWebKey) (k
 }
 
 func algToKeyType(key any, alg string) bool {
-	switch alg[0] {
-	case 'R', 'P':
+	if strings.HasPrefix(alg, "RS") || strings.HasPrefix(alg, "PS") {
 		_, ok := key.(*rsa.PublicKey)
 		return ok
-	case 'E':
+	}
+	if strings.HasPrefix(alg, "ES") {
 		_, ok := key.(*ecdsa.PublicKey)
 		return ok
-	case 'O':
-		_, ok := key.(*ed25519.PublicKey)
-		return ok
-	default:
-		return false
 	}
+	if alg == string(jose.EdDSA) {
+		_, ok := key.(ed25519.PublicKey)
+		return ok
+	}
+	return false
 }
diff --git a/pkg/op/error_test.go b/pkg/op/error_test.go
index 170039c..107f9d0 100644
--- a/pkg/op/error_test.go
+++ b/pkg/op/error_test.go
@@ -428,7 +428,8 @@ func TestTryErrorRedirect(t *testing.T) {
 				parent: oidc.ErrInteractionRequired().WithDescription("sign in"),
 			},
 			want: &Redirect{
-				URL: "http://example.com/callback?error=interaction_required&error_description=sign+in&state=state1",
+				Header: make(http.Header),
+				URL:    "http://example.com/callback?error=interaction_required&error_description=sign+in&state=state1",
 			},
 			wantLog: `{
 						"level":"WARN",
diff --git a/pkg/op/server.go b/pkg/op/server.go
index 6faee87..b500e43 100644
--- a/pkg/op/server.go
+++ b/pkg/op/server.go
@@ -218,7 +218,8 @@ type Response struct {
 // without custom headers.
 func NewResponse(data any) *Response {
 	return &Response{
-		Data: data,
+		Header: make(http.Header),
+		Data:   data,
 	}
 }
 
@@ -242,7 +243,10 @@ type Redirect struct {
 }
 
 func NewRedirect(url string) *Redirect {
-	return &Redirect{URL: url}
+	return &Redirect{
+		Header: make(http.Header),
+		URL:    url,
+	}
 }
 
 func (red *Redirect) writeOut(w http.ResponseWriter, r *http.Request) {