Closed jukkaleh-atoz closed 2 months ago
@jukkaleh-atoz
I'm not able to pass MacAlgorithm to
TokenSettings.Builder.idTokenSignatureAlgorithm
since it only acceptsSignatureAlgorithm
Please see 2. Client Metadata:
id_token_signed_response_alg OPTIONAL. JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
Notice the text in bold - the public key is used to validate the signature. This implies asymmetric keys and the default is RS256.
For symmetric keys, see 3.1.3.7. ID Token Validation:
- If the JWT alg Header Parameter uses a MAC based algorithm such as HS256, HS384, or HS512, the octets of the UTF-8 [RFC3629] representation of the client_secret corresponding to the client_id
The client_secret
is used as the symmetric key.
I'm going to close this as TokenSettings.IdTokenSignatureAlgorithm
is expected to be a SignatureAlgorithm
.
Describe the bug I have a client that expects JWT to be signed with symmetric secret using HMAC SHA-256 (HS256). I'm not able to pass MacAlgorithm to
TokenSettings.Builder.idTokenSignatureAlgorithm
since it only accepts SignatureAlgorithmTo Reproduce Try to register client with HS256 signing algorithm
Expected behavior
MacAlgorithm and SignatureAlgorithm both implement the same interface JwsAlgorithm.
or
Sample
Workaround
Use OAuth2TokenCustomizer to change algorithm