bcgov / aries-vcr-issuer-controller

indy-catalyst-agent
Apache License 2.0

Support OIDC providers that do not include the algorithm in the JWK document #64

Closed esune closed 2 years ago

esune commented 2 years ago

Support OIDC providers that do not include the algorithm in the JWK document (e.g.: Azure AD).

The OIDC spec states that the alg attribute is optional, and will therefore not be available in all JWKS endpoints. Using the default RS256 algorithm if not explicitly available seems like the best fall-back option that does not involve requiring extra validation steps either in the client that is signing-in or in the controller, and should work in most scenarios.

Signed-off-by: Emiliano Suñé <emiliano.sune@gmail.com>
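The fallback described in this pull request, as an added sketch that is not the controller's own code: the algorithm comes from the JWK (or the RS256 default when `alg` is absent), is bounded by the key's `kty`, and the token header only has to agree with it. The names `select_key_and_alg`, `KeySelectionError`, `make_unsigned_token` and the RS256-only allow-list are assumptions for illustration, and the sample JWKS is constructed.

```python
import base64
import json

DEFAULT_ALG = "RS256"            # fallback named in the description above
ALLOWED_ALGS = {"RS256"}         # assumption: only RS256 is accepted
KTY_FOR_ALG = {"RS256": "RSA"}   # key type each allowed algorithm requires

# Constructed sample data (not a real key): a JWKS entry without "alg".
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "k1",
                         "n": "AQAB", "e": "AQAB"}]}


class KeySelectionError(Exception):
    """The JWKS holds no key that may verify this token."""


def b64url_json(segment):
    """Decode one base64url JWT segment (padding stripped) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_unsigned_token(header):
    """Build a constructed token: given header, dummy payload and signature."""
    raw = json.dumps(header).encode()
    seg = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg + ".e30.c2ln"


def select_key_and_alg(jwks, token):
    """Return (jwk, alg) to verify `token` with, or raise KeySelectionError."""
    header = b64url_json(token.split(".")[0])
    kid = header.get("kid")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeySelectionError("no unique key for kid %r" % kid)
    jwk = matches[0]
    if jwk.get("use", "sig") != "sig":
        raise KeySelectionError("key is not a signing key")
    # "alg" is optional in a JWK; fall back to the default when absent.
    alg = jwk.get("alg", DEFAULT_ALG)
    if alg not in ALLOWED_ALGS or jwk.get("kty") != KTY_FOR_ALG[alg]:
        raise KeySelectionError("key type or algorithm not acceptable")
    # The token header never chooses the algorithm; it only has to agree.
    if header.get("alg") != alg:
        raise KeySelectionError("token alg %r does not match key alg %r"
                                % (header.get("alg"), alg))
    return jwk, alg
```

The returned `alg` is what gets passed to the JWT library's verify call as the only accepted algorithm, so a token whose header says `HS256` or `none` is rejected before any signature check.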