From fe2e2bdff1da00823f634dac5bad0cb366af6f2a Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Thu, 3 Dec 2020 07:46:07 -0500
Subject: [PATCH] Our ID token signing algorithm is ES256, not RS256

We are currently using EC keys to sign ID tokens, so we should reflect that in our OIDC discovery metadata.

Signed-off-by: Andrew Keesler
---
 internal/oidc/discovery/discovery_handler.go | 2 +-
 internal/oidc/discovery/discovery_handler_test.go | 2 +-
 test/integration/supervisor_discovery_test.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/oidc/discovery/discovery_handler.go
index 04039c5b..c6d8f666 100644
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/oidc/discovery/discovery_handler.go
@@ -56,7 +56,7 @@ func NewHandler(issuerURL string) http.Handler {
 JWKSURI: issuerURL + oidc.JWKSEndpointPath,
 ResponseTypesSupported: []string{"code"},
 SubjectTypesSupported: []string{"public"},
- IDTokenSigningAlgValuesSupported: []string{"RS256"},
+ IDTokenSigningAlgValuesSupported: []string{"ES256"},
 TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
 TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
 ScopesSupported: []string{"openid", "offline"},
diff --git a/internal/oidc/discovery/discovery_handler_test.go b/internal/oidc/discovery/discovery_handler_test.go
index c8fef948..b7d5f84a 100644
--- a/internal/oidc/discovery/discovery_handler_test.go
+++ b/internal/oidc/discovery/discovery_handler_test.go
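Review bot: `TokenEndpointAuthSigningAlgoValuesSupported` two lines below the change still advertises `RS256` while `TokenEndpointAuthMethodsSupported` lists only `client_secret_basic`, which involves no client-assertion JWT and therefore no signing algorithm; if no JWT-based client authentication is offered, that field is stale in the same way the `RS256` value this commit fixes was, so either drop it or confirm it is intentional. The ID token algorithm is also a hard-coded literal repeated in three places (this hunk and the ones in discovery_handler_test.go and supervisor_discovery_test.go), so the advertised value can drift from the actual signer again exactly as it did here; a test that decodes the header of a freshly minted ID token and asserts its `alg` equals the value published in the discovery document would catch that, and the integration test could additionally check that the key served at `JWKSURI` is an EC key. NewHandler's body starts and ends outside this hunk.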
@@ -41,7 +41,7 @@ func TestDiscovery(t *testing.T) {
 JWKSURI: "https://some-issuer.com/some/path/jwks.json",
 ResponseTypesSupported: []string{"code"},
 SubjectTypesSupported: []string{"public"},
- IDTokenSigningAlgValuesSupported: []string{"RS256"},
+ IDTokenSigningAlgValuesSupported: []string{"ES256"},
 TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
 TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
 ScopesSupported: []string{"openid", "offline"},
diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index 7df52509..396c0f48 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -479,7 +479,7 @@ func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, superviso
 "response_types_supported": ["code"],
 "claims_supported": ["groups"],
 "subject_types_supported": ["public"],
- "id_token_signing_alg_values_supported": ["RS256"]
+ "id_token_signing_alg_values_supported": ["ES256"]
 }`)
 expectedJSON := fmt.Sprintf(expectedResultTemplate, issuerName, issuerName, issuerName, issuerName)