id_token_signed_response_alg must support string[] #700
Closed
FranciscoKurpiel
started this conversation in
Ideas
Replies: 1 comment 3 replies
You're describing a behaviour which will be in v6.x of which a beta release is available.
3 replies
An identity provider may use multiple algorithms to sign the ID token issued after an OpenID authentication. This is explicitly allowed in the OpenID Discovery specification, where the attribute id_token_signing_alg_values_supported is a string array. There are multiple scenarios where this is necessary, one of them being the migration from one algorithm to another without disruption, but there are more.

When a client is declared like this:

It will only accept the specified algorithm. When the identity provider is changed to RSA or EdDSA, the code must support both the old and the new algorithms simultaneously, at least during the transition, and possibly forever. But the documentation and the client library code appear to clearly require id_token_signed_response_alg to be a string, with a single algorithm.

This feature request is to change id_token_signed_response_alg to be string | string[], bringing it on par with the expectations from the general behavior and common practices in OAuth 2.0. Since migration between algorithms is not possible without this feature, it may be classified close to the border between feature request and bug.