djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Our ID token signing algorithm is ES256, not RS256

Browse Source 
We are currently using EC keys to sign ID tokens, so we should reflect that in
our OIDC discovery metadata.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler 2020-12-03 07:46:07 -05:00
parent 1dd7c82af6
commit fe2e2bdff1
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
3 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/oidc/discovery/discovery_handler.go
View File

@ -56,7 +56,7 @@ func NewHandler(issuerURL string) http.Handler {
JWKSURI: issuerURL + oidc.JWKSEndpointPath, JWKSURI: issuerURL + oidc.JWKSEndpointPath,
ResponseTypesSupported: []string{"code"}, ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"}, SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValuesSupported: []string{"RS256"}, IDTokenSigningAlgValuesSupported: []string{"ES256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"}, TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"}, TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
ScopesSupported: []string{"openid", "offline"}, ScopesSupported: []string{"openid", "offline"},

2
internal/oidc/discovery/discovery_handler_test.go
View File

@ -41,7 +41,7 @@ func TestDiscovery(t *testing.T) {
JWKSURI: "https://some-issuer.com/some/path/jwks.json", JWKSURI: "https://some-issuer.com/some/path/jwks.json",
ResponseTypesSupported: []string{"code"}, ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"}, SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValuesSupported: []string{"RS256"}, IDTokenSigningAlgValuesSupported: []string{"ES256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"}, TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"}, TokenEndpointAuthSigningAlgoValuesSupported: []string{"RS256"},
ScopesSupported: []string{"openid", "offline"}, ScopesSupported: []string{"openid", "offline"},

2
test/integration/supervisor_discovery_test.go
View File

@ -479,7 +479,7 @@ func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, superviso
"response_types_supported": ["code"], "response_types_supported": ["code"],
"claims_supported": ["groups"], "claims_supported": ["groups"],
"subject_types_supported": ["public"], "subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"] "id_token_signing_alg_values_supported": ["ES256"]
}`) }`)
expectedJSON := fmt.Sprintf(expectedResultTemplate, issuerName, issuerName, issuerName, issuerName) expectedJSON := fmt.Sprintf(expectedResultTemplate, issuerName, issuerName, issuerName, issuerName)