Failed to decode `id_token_hint` when using different signer for `id_token` and others

[hijiki51]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [X] I have joined the Ory Community Slack.
• [ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

• In OpenIDConnectRequestValidator.ValidatePrompt, decode id_token_hint when passed.
• This Decode function using jwt.Signer passed here.
  • this signer is a compose.CommonStrategy.Signer.
  • ref
• But, id_token is singed by another singer passed here
• Therefore, If we use different singer for id_token and other (like access_token), failed to decode id_token_hint,

I think OpenIDConnectRequestValidator should use compose.CommonStrategy.OpenIDConnectTokenStrategy.Signer instead of compose.CommonStrategy.Signer.

Reproducing the bug

1. Setup two different private key

2. Configure fosite.OAuth2Provider using two different key like this:

   keyGetter1 := func(context.Context) (interface{}, error) {
   return key1, nil
   }
   keyGetter2 := func(context.Context) (interface{}, error) {
   return key2, nil
   }
   oauth2 := compose.Compose(
   config,
   storage,
   &CommonStrategy{
       CoreStrategy:               NewOAuth2HMACStrategy(config),
       OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter1 , config),
       Signer:                     &jwt.DefaultSigner{GetPrivateKey: keyGetter2},
   },
   OAuth2AuthorizeExplicitFactory,
   OAuth2AuthorizeImplicitFactory,
   OAuth2ClientCredentialsGrantFactory,
   OAuth2RefreshTokenGrantFactory,
   OAuth2ResourceOwnerPasswordCredentialsFactory,
   RFC7523AssertionGrantFactory,
   
   OpenIDConnectExplicitFactory,
   OpenIDConnectImplicitFactory,
   OpenIDConnectHybridFactory,
   OpenIDConnectRefreshFactory,
   
   OAuth2TokenIntrospectionFactory,
   OAuth2TokenRevocationFactory,
   
   OAuth2PKCEFactory,
   PushedAuthorizeHandlerFactory,
   )

3. Access authorization endpoint with id_token_hint parameter

Relevant log output

2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: invalid_request
github.com/ory/x/errorsx.WithStack
        github.com/ory/x@v0.0.589/errorsx/errors.go:41
github.com/ory/fosite/handler/openid.(*OpenIDConnectRequestValidator).ValidatePrompt
        github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/validator.go:141
github.com/ory/fosite/handler/openid.(*OpenIDConnectExplicitHandler).HandleAuthorizeEndpointRequest
        github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/flow_explicit_auth.go:50
github.com/ory/fosite.(*Fosite).NewAuthorizeResponse
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: go-jose/go-jose: error in cryptographic primitive

Relevant configuration

No response

Version

github.com/ory/fosite v0.44.1-0.20230807143048-1df109bb45fa

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response