Set IDTokenSigningAlgValuesSupported of DiscoveryConfiguration obtained by Discover when initializing RelyingParty.

[otakakot]

Preflight Checklist

• I could not find a solution in the existing issues, docs, nor discussions
• I have joined the ZITADEL chat

Describe your problem

When IDTokenVerifier is executed on a RelyingParty created with NewRelyingPartyOIDC, only RS256 is supported.

CheckSignature is performed on VerifyIDToken, but only RS256 is supported because supportedSigAlgs is always set to 0.

To solve this, specify WithSupportedSigningAlgorithms in the options argument of NewRelyingPartyOIDC.

To determine the value of WithSupportedSigningAlgorithms, create a DiscoveryConfiguration using the Discover method and specify IDTokenSigningAlgValuesSupported.

It is inefficient to use the Discover method twice with NewRelyingPartyOIDC and WithSupportedSigningAlgorithms.

Describe your ideal solution

Add the following processing in NewRelyingPartyOIDC.

	rp.verifierOpts = append(rp.verifierOpts, WithSupportedSigningAlgorithms(discoveryConfiguration.IDTokenSigningAlgValuesSupported...))

Version

v3.18.0

Additional Context

No response

[muhlemmer]

Similar to #506 where duplicate calls are used for obtaining and setting PKCE config. I would want to propose a configuration option for the RP which will let it take the signing algorithms from the discovery call.

// WithSigningAlgsFromDiscovery appends the [WithSupportedSigningAlgorithms] option to the Verifier Options.
// The algorithms returned in the `id_token_signing_alg_values_supported` from the discovery response will be set.
func WithSigningAlgsFromDiscovery()

We are open for a PR.

[otakakot]

@muhlemmer

Thank you for your comment.
My revised proposal did not maintain public relations compatibility.
I will consider PR based on your revised proposal.

[github-actions]

🎉 This issue has been resolved in version 3.22.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀