auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License
460 stars 139 forks

Request for support of rotating ID Token algorithm #616

Open dutta-arnab1 opened 4 months ago

dutta-arnab1 commented 4 months ago

Checklist

Describe the problem you'd like to have solved

We use the express-openid-connect library to perform the Authorization Code flow login from a Node.js Express server. The purpose of this server is to require the user to be authenticated before we serve the actual web application.

A recent change in the privately hosted, organization-level IDP changed the default ID Token algorithm from RS256 to PS256. We could resolve the problem just by loading the discovery document and setting the first value of the id_token_signing_alg_values_supported array from the discovery document into the config of express-openid-connect -> auth middleware -> idTokenSigningAlg.

However, the IDP team has announced that they will support multiple ID Token algorithms and rotate between them. So the ID Token that gets generated could be signed with one of a few defined algorithms.

I could not find a way to make it work with this library.

Describe the ideal solution

Either of the three options mentioned would be nice to have.

Alternatives and current workarounds

No response

Additional context

No response
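The workaround described in the issue body (read the discovery document, copy the first entry of `id_token_signing_alg_values_supported` into `idTokenSigningAlg`) works as long as the issuer signs with exactly one algorithm; it does not solve rotation, since `auth()` accepts a single value. The example below is an added illustration, not code from the express-openid-connect project or from the reporter. It shows the safer form of that workaround: instead of trusting whatever the issuer advertises first, intersect the advertised list with an explicit allowlist of asymmetric algorithms, so a discovery document that lists `none` or an HS* algorithm first can never silently weaken ID Token verification. The `SAMPLE_DISCOVERY` object, the `loadDiscovery` helper and the environment variable names are assumptions made for the example; `idTokenSigningAlg`, `issuerBaseURL`, `baseURL`, `clientID`, `secret` and `authRequired` are the library's own config keys.

```javascript
// Added example (not from the express-openid-connect project): derive the
// idTokenSigningAlg setting from an issuer's discovery document while
// restricting the choice to an explicit allowlist of asymmetric algorithms.

// Algorithms this deployment is willing to accept for ID Token signatures.
// "none" and the symmetric HS* family are deliberately absent: the app must
// only accept ID Tokens it can verify against the issuer's public keys.
const ALLOWED_ID_TOKEN_ALGS = ['RS256', 'PS256', 'ES256'];

// Constructed sample discovery document (assumption for this example), standing
// in for what GET <issuerBaseURL>/.well-known/openid-configuration would return.
const SAMPLE_DISCOVERY = {
  issuer: 'https://idp.example.test',
  id_token_signing_alg_values_supported: ['PS256', 'RS256'],
};

// Pick the first algorithm the issuer advertises that is also on our allowlist.
// Returns the algorithm name, or throws when there is no acceptable overlap
// (including the case where discovery omits the list entirely).
function selectIdTokenSigningAlg(discovery, allowed = ALLOWED_ID_TOKEN_ALGS) {
  const advertised = discovery.id_token_signing_alg_values_supported;
  if (!Array.isArray(advertised) || advertised.length === 0) {
    throw new Error('discovery document lists no id_token_signing_alg_values_supported');
  }
  const chosen = advertised.find((alg) => allowed.includes(alg));
  if (!chosen) {
    throw new Error(`no acceptable ID Token algorithm; issuer offers ${advertised.join(', ')}`);
  }
  return chosen;
}

// Build the options object for express-openid-connect's auth() middleware.
// Everything except idTokenSigningAlg comes from the caller's environment
// (BASE_URL, CLIENT_ID and SESSION_SECRET are assumed variable names).
function buildAuthConfig(discovery, env) {
  return {
    issuerBaseURL: discovery.issuer,
    baseURL: env.BASE_URL,
    clientID: env.CLIENT_ID,
    secret: env.SESSION_SECRET,
    authRequired: true,
    idTokenSigningAlg: selectIdTokenSigningAlg(discovery),
  };
}

// Hypothetical helper: fetch the live discovery document (Node 18+ global fetch)
// and refuse it unless its "issuer" claim matches the URL we asked, as OpenID
// Connect Discovery requires.
async function loadDiscovery(issuerBaseURL) {
  const issuer = issuerBaseURL.replace(/\/$/, '');
  const res = await fetch(`${issuer}/.well-known/openid-configuration`);
  if (!res.ok) throw new Error(`discovery fetch failed: HTTP ${res.status}`);
  const doc = await res.json();
  if (doc.issuer !== issuer) {
    throw new Error(`issuer mismatch: expected ${issuer}, got ${doc.issuer}`);
  }
  return doc;
}
```

In an Express app this would be wired up at startup as `app.use(auth(buildAuthConfig(await loadDiscovery(process.env.ISSUER_BASE_URL), process.env)))`, with `auth` imported from express-openid-connect. Because the selection happens once at startup, a later change on the IDP side still requires a restart (or a re-run of the selection) before tokens signed with the new algorithm are accepted; that is the limitation the issue is asking the library to remove.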

madaster97 commented 3 months ago

For your first option (supporting config of multiple algorithms), the library (openid-client) we provide the config to also doesn't support multiple values. It may be worth creating an issue with that library as well.

The alternative to that would be complicated: supporting multiple instances of the library (clients) in this SDK. That sounds like a worse solution than having openid-client implement it.

dutta-arnab1 commented 3 months ago

I agree, the alternative is not an option at all. So unless openid-client provides that option, there's nothing much we can do here.

Thanks @madaster97 for looking into this.