From e1ae48f2e4a4bf4bc52b19fdaca5fb4a5472a089 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 7 Dec 2020 14:15:31 -0800
Subject: [PATCH] Discovery does not return `token_endpoint_auth_signing_alg_values_supported`

`token_endpoint_auth_signing_alg_values_supported` is only related to private_key_jwt and client_secret_jwt client authentication methods at the token endpoint, which we do not support. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata for more details.

Signed-off-by: Aram Price
---
 internal/oidc/discovery/discovery_handler.go | 12 +++++-------
 internal/oidc/discovery/discovery_handler_test.go | 5 ++---
 test/integration/supervisor_discovery_test.go | 1 -
 3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/oidc/discovery/discovery_handler.go
index c6d8f666..5eb6c481 100644
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/oidc/discovery/discovery_handler.go
@@ -31,10 +31,9 @@ type Metadata struct {
 	// vvv Optional vvv
-	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
-	TokenEndpointAuthSigningAlgoValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
-	ScopesSupported []string `json:"scopes_supported"`
-	ClaimsSupported []string `json:"claims_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ScopesSupported []string `json:"scopes_supported"`
+	ClaimsSupported []string `json:"claims_supported"`
 	// ^^^ Optional ^^^
 }
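Review bot: The three optional fields that remain in `Metadata` carry no `omitempty`, so a nil `ScopesSupported` or `ClaimsSupported` would be published as `"scopes_supported": null` rather than being left out, and a JSON `null` is not what "optional" means for a discovery document. `NewHandler` fills in all three today, so nothing in this commit is broken by it, but `Metadata` is exported and nothing stops a later constructor or test from leaving one nil. Suggest adding `,omitempty` to each of the three tags (`json:"scopes_supported,omitempty"`, and likewise for `claims_supported` and `token_endpoint_auth_methods_supported`). A comment above the optional block would also stop the removed list from being re-added, e.g. `// token_endpoint_auth_signing_alg_values_supported is deliberately not published: it only applies to the private_key_jwt and client_secret_jwt client authentication methods, which are not offered.` The `Metadata` struct starts before this hunk.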
@@ -58,9 +57,8 @@ func NewHandler(issuerURL string) http.Handler {
 		SubjectTypesSupported: []string{"public"},
 		IDTokenSigningAlgValuesSupported: []string{"ES256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
-		TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
-		ScopesSupported: []string{"openid", "offline"},
-		ClaimsSupported: []string{"groups"},
+		ScopesSupported: []string{"openid", "offline"},
+		ClaimsSupported: []string{"groups"},
 	}
 	if err := json.NewEncoder(w).Encode(&oidcConfig); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
diff --git a/internal/oidc/discovery/discovery_handler_test.go b/internal/oidc/discovery/discovery_handler_test.go
index b7d5f84a..f15c9a0c 100644
--- a/internal/oidc/discovery/discovery_handler_test.go
+++ b/internal/oidc/discovery/discovery_handler_test.go
@@ -43,9 +43,8 @@ func TestDiscovery(t *testing.T) {
 				SubjectTypesSupported: []string{"public"},
 				IDTokenSigningAlgValuesSupported: []string{"ES256"},
 				TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
-				TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
-				ScopesSupported: []string{"openid", "offline"},
-				ClaimsSupported: []string{"groups"},
+				ScopesSupported: []string{"openid", "offline"},
+				ClaimsSupported: []string{"groups"},
 			},
 		},
 		{
diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index 32945490..5e12fc12 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -472,7 +472,6 @@ func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, superviso
 		"authorization_endpoint": "%s/oauth2/authorize",
 		"token_endpoint": "%s/oauth2/token",
 		"token_endpoint_auth_methods_supported": ["client_secret_basic"],
-		"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
 		"jwks_uri": "%s/jwks.json",
 		"scopes_supported": ["openid", "offline"],
 		"response_types_supported": ["code"],
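Review bot: `json.NewEncoder(w).Encode(&oidcConfig)` near the end of the `NewHandler` hunk streams straight into `w`, so a failure after the first bytes are out leaves a 200 already committed and `http.Error` only appends the error text to a half-written body. Encoding a fixed struct of string slices cannot realistically fail, so this is a style point rather than a live bug, but marshaling first (`body, err := json.Marshal(&oidcConfig)`), checking the error, and only then writing `body` keeps the error path clean and the status code honest. `NewHandler` starts before this hunk and its handler body continues past it; the two test hunks below only mirror the field removal and need no change.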