
feat: explicit config of id token alg (#1567) #1568

Open
wants to merge 3 commits into
base: main

Conversation

drewtoto

- support to configure the `id_token_signed_response_alg` field in the configuration object passed to `issuer.Client` in `src/lib/server/auth.ts`.

- allow `id_token_signed_response_alg` to be set from the environment variable `OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG` or obtained via OP metadata during issuer discovery when `RS256` is not included.

@nsarrazin (Collaborator)

Hi, out of curiosity why is this needed? Not opposed to adding it, but I'm interested in what the use case is.

@drewtoto (Author)

Hi nsarrazin,

I have a project using OIDC auth with an on-prem hosted Authentik (https://goauthentik.io/) as the IdP. In our case, the provider in Authentik only supports HS256 for id_token_signing_alg_values_supported (see .well-known/openid-configuration below).

I only discovered this situation after debugging chat-ui and finding an RPError thrown by the openid-client module (here https://github.com/panva/openid-client/blob/v5.6.5/lib/client.js#L911).

I could not find another way around this issue, and implementing this optional parameter solved my case. If I missed something and this situation is solved another way, that would be great as well. I don't know how widespread this case is, but I did not find very much related to it, so I thought it might be worth sharing.

.well-known/openid-configuration:

```json
{
  "issuer": "http://idp.site.com:9000/application/o/myapp/",
  "authorization_endpoint": "http://idp.site.com:9000/application/o/authorize/",
  "token_endpoint": "http://idp.site.com:9000/application/o/token/",
  "userinfo_endpoint": "http://idp.site.com:9000/application/o/userinfo/",
  "end_session_endpoint": "http://idp.site.com:9000/application/o/myapp/end-session/",
  "introspection_endpoint": "http://idp.site.com:9000/application/o/introspect/",
  "revocation_endpoint": "http://idp.site.com:9000/application/o/revoke/",
  "device_authorization_endpoint": "http://idp.site.com:9000/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "http://idp.site.com:9000/application/o/myapp/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "offline_access"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
```

@nsarrazin (Collaborator) left a comment

Hi 👋 sorry for the delay on this, I updated the code a bit to ensure it passes all checks. Let me know if it still works for you!

I also made sure to add ID_TOKEN_SIGNED_RESPONSE_ALG in the zod object. For now it's an optional string. Do you think we could narrow it down to some literal options? Not super familiar with the spec so let me know if you think it's possible.
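The two comments above together describe a small decision procedure (explicit configuration first, discovery metadata second, library default last) and raise the question of narrowing the configured value to a set of known literals. The TypeScript below is an added illustration of that procedure; it is not chat-ui's code and not the PR's diff. `resolveIdTokenAlg`, `OpMetadata` and `ID_TOKEN_ALGS` are names chosen for this example, and the allowlist is the standard JWS algorithm set from RFC 7518 plus `EdDSA`; the metadata object is constructed to mirror the Authentik document quoted earlier in the thread.

```typescript
// Added example (not chat-ui's code): choose the value to pass as
// `id_token_signed_response_alg` to openid-client's `issuer.Client`.
// Precedence, as described in this PR: explicit env var, then the OP's
// `id_token_signing_alg_values_supported` when RS256 is absent, otherwise
// leave it unset so the library default (RS256) applies.

// JWS algorithms an OP may use to sign ID tokens (RFC 7518 names + EdDSA).
// "none" is deliberately absent: an unsigned ID token is never accepted.
// A zod field could be narrowed to exactly this tuple with z.enum(ID_TOKEN_ALGS).
const ID_TOKEN_ALGS = [
  "HS256", "HS384", "HS512",
  "RS256", "RS384", "RS512",
  "PS256", "PS384", "PS512",
  "ES256", "ES384", "ES512",
  "EdDSA",
] as const;
type IdTokenAlg = (typeof ID_TOKEN_ALGS)[number];

// The one discovery field this example reads (assumed shape for the example).
interface OpMetadata {
  id_token_signing_alg_values_supported?: string[];
}

function isIdTokenAlg(value: string): value is IdTokenAlg {
  return (ID_TOKEN_ALGS as readonly string[]).includes(value);
}

// Returns the alg to configure, or undefined to keep openid-client's default.
// Throws on any value outside the allowlist instead of passing it through.
function resolveIdTokenAlg(
  envValue: string | undefined,
  metadata: OpMetadata,
): IdTokenAlg | undefined {
  // 1. An explicit configuration value wins, but it must be a known algorithm.
  if (envValue !== undefined && envValue !== "") {
    if (!isIdTokenAlg(envValue)) {
      throw new Error(`Unsupported ID_TOKEN_SIGNED_RESPONSE_ALG: ${envValue}`);
    }
    return envValue;
  }

  // 2. Otherwise consult discovery. If the OP can sign with RS256, or does
  //    not advertise anything, keep the library default.
  const supported = metadata.id_token_signing_alg_values_supported;
  if (!supported || supported.length === 0 || supported.includes("RS256")) {
    return undefined;
  }

  // 3. The OP cannot produce RS256: take the first advertised algorithm we
  //    recognise. "none" and unknown names are skipped rather than trusted.
  const candidate = supported.find(isIdTokenAlg);
  if (candidate === undefined) {
    throw new Error(
      `OP advertises no usable ID token algorithm: ${supported.join(", ")}`,
    );
  }
  return candidate;
}

// Constructed metadata mirroring the Authentik document quoted in the thread.
const AUTHENTIK_LIKE_METADATA: OpMetadata = {
  id_token_signing_alg_values_supported: ["HS256"],
};

// With no env override, an HS256-only OP resolves to HS256.
console.log(resolveIdTokenAlg(undefined, AUTHENTIK_LIKE_METADATA)); // HS256
```

Two points worth keeping in mind when wiring a value like this into the real client. First, the RPError that started this thread is openid-client refusing an ID token whose `alg` header differs from the configured `id_token_signed_response_alg`; that strict comparison is what stops an attacker from downgrading the verification path (for example to an unsigned token), so the fix is to configure the algorithm the OP really uses, not to loosen the check. Second, `HS256` means the ID token is authenticated with an HMAC keyed by the client secret rather than verified against the OP's `jwks_uri`, so with this setting the client secret doubles as the token verification key and must be protected accordingly.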
