
Request for support of rotating ID Token algorithm #616

Open
5 tasks done
dutta-arnab1 opened this issue Apr 25, 2024 · 2 comments

@dutta-arnab1
Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

We use express-openid-connect library for performing Authorization Code flow login from a Node.js Express server. The purpose of this server is to enforce the user to be authenticated before we serve the actual web application.

A recent change in the privately hosted, organization-level IDP changed the default ID Token algorithm from RS256 to PS256. We could resolve the problem just by loading the discovery document and setting the first value of the id_token_signing_alg_values_supported array from the discovery document in the config of express-openid-connect -> auth middleware -> idTokenSigningAlg.

However, the IDP team has announced that they will be supporting multiple ID Token algorithms and will rotate between them. So, the ID Token that gets generated could be signed with one of a few defined algorithms.

I could not find a way to make it work with this library.

  • idTokenSigningAlg receives only one algorithm.
  • There is no option within the library to get the kid and algorithm out of JWT header and validate it against JWKS endpoint.
  • Any option to pass on custom token verification and not perform the default JWT verification.

Describe the ideal solution

Any of the three options mentioned would be nice to have.

  • idTokenSigningAlg supporting an array of algorithms to be configured.
  • Option within the library to get the kid and algorithm out of JWT header and validate it against JWKS endpoint.
  • Any option to pass on custom token verification and not perform the default JWT verification.

Alternatives and current workarounds

No response

Additional context

No response

@madaster97 (Contributor)

For your first option (supporting config of multiple algorithms), the library (openid-client) we provide the config to also doesn't support multiple values. It may be worth creating an issue with that library as well.

The alternative to that would be complicated: supporting multiple instances of the library (clients) in this SDK. That sounds like a worse solution than having openid-client implement it.

@dutta-arnab1 (Author)

I agree, the alternative is not an option at all. So unless openid-client provides that option, there's nothing much we can do here.

Thanks @madaster97 for looking into this.
