opengovsg / mockpass

A mock SingPass/CorpPass/MyInfo server for dev purposes
https://blog.data.gov.sg/mockpass-a-mock-singpass-corppass-server-for-testing-in-development-a583193c898c
MIT License

cannot use key from `oidc-v2-rp-secret.json` for Corppass #654

Closed randName closed 6 months ago

randName commented 6 months ago

The keys provided in oidc-v2-rp-secret.json use ES512, but Corppass only supports ES256 according to https://github.com/opengovsg/mockpass/blob/main/lib/express/oidc/v2-ndi.js#L41

const corppass_token_endpoint_auth_signing_alg_values_supported = ['ES256']

I tried ndi_mock_01 from oidc-v2-asp-secret.json but it didn't work either; not sure if there is a missing key? The original keys in oidc-v2-rp-secret.json work with Singpass.

randName commented 6 months ago

OK, something was up with getAccessTokenPayload from the helper library, so my app doesn't abort, but this warning still appears, so perhaps something to look at.

cflee commented 6 months ago

Looks like Corppass does report "token_endpoint_auth_signing_alg_values_supported": [ "ES256" ] on their discovery endpoint.

@randName just to confirm, so it works with the key in oidc-v2-rp-secret.json if you force your client to just sign the client assertion with the P-521/ES512 key anyway? Do things work without the warning if you use the CP_RP_JWKS_ENDPOINT config instead to point to your own P-256/ES256 signing key?

randName commented 6 months ago

I'm not sure about forcing the signing, but I think that is what the helper library is doing.

Can confirm that CP_RP_JWKS_ENDPOINT pointing at our endpoint with an ES256 key works.

cflee commented 6 months ago

Thanks for confirming that. I guess it would be ideal to provide and load a static ES256 key, while preserving the current key for backward compatibility.