Describe the bug
The jwk endpoint to retrieve the JWK sets seems to usually accept application/json as an accept header. However, some OIDC provider implementations explicitly expect Accept: 'application/jwk-set+json' (which is valid for JWKS according to the spec). As a result they send back a 406 Not Acceptable.
Other libraries seem to have added this header, see Tomcat OIDC auth and others.
I do not have access to a public endpoint with this behavior, but would be able to verify once the header is added.
Expected behaviour
Setting the headers to Accept: 'application/json, application/jwk-set+json' results in a successful request.
The line responsible is the GET request in function getKeyStore (lib/helpers/issuer.js). The following headers result in a successful request
I'd be happy to submit a pull request, if this is accepted as a bug.
Environment:
Thanks for this great library and the work you put into it 😃 !