OIDC RP may fail to login if clientSecret is not configured TS005720300

[barbj]

Describe the bug
In the OIDC RP, when no clientSecret is configured, validation of the signature of the JWT may fail with a message similar to:
CWWKS1739E: A signing key required by signature algorithm [none] was not available. null

Steps to Reproduce
Configure the Liberty RP without a clientSecret:

<openidConnectClient id="RP" 
    authFilterRef="myAuthfilter"
    grantType="implicit"
    httpsRequired="false"
    scope="openid profile email photo"
    clientId="rp"
    redirectToRPHostAndPort="http://localhost:1111"
    authorizationEndpointUrl="http://localhost:9999/oidc/endpoint/OP/authorize"
    issuerIdentifier="http://localhost:9999/oidc/endpoint/OP"
    signatureAlgorithm="none"
    trustAliasName="signCert"
    trustStoreRef="trustStore"
    authnSessionDisabled="true" 
    disableLtpaCookie="true"
  >
</openidConnectClient>

Configure a Liberty OP without a clientSecret:

<openidConnectProvider id="OP" 
    signatureAlgorithm="none"
    keyStoreRef="myTrustStore"
    oauthProviderRef="OIDC" >
</openidConnectProvider>

<oauthProvider id="OIDC" 
    httpsRequired="false"
    jwtAccessToken="true" 
    autoAuthorize ="true"
    customLoginURL="http://localhost:9999/customOidc/login.jsp"
    accessTokenLifetime="60">
    <autoAuthorizeClient>rp</autoAuthorizeClient>
    <localStore>   
	<client name="rp"
		displayname="rp"
		grantType="implicit"
		redirect="http://localhost:1111/oidcclient/redirect/RP"
		scope="openid profile scope1 email phone address"
		enabled="true"
		resourceIds="myZcee" 
	/>
    </localStore>
</oauthProvider> 

Expected behavior
A clear and concise description of what you expected to happen.

Diagnostic information:

• Reported OpenLiberty Version: 20.0.0.2
• Java Version:

 java.version = 1.8.0_231
java.runtime = Java(TM) SE Runtime Environment (8.0.6.0 - pwa6480sr6-20191107_01(SR6))

[ayoho]

I suspect the fix might be as straightforward was making some changes in https://github.com/OpenLiberty/open-liberty/blob/integration/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/client/jose4j/util/Jose4jUtil.java#L299:

Exception caughtException = null;
try {
    key = getVerifyKey(clientConfig, kid, x5t);
} catch (Exception e) {
    caughtException = e;
}

if (key == null && !SIGNATURE_ALG_NONE.equals(clientConfig.getSignatureAlgorithm())) {
    Object[] objs = new Object[] { clientConfig.getSignatureAlgorithm(), "" };
    if (caughtException != null) {
        objs = new Object[] { clientConfig.getSignatureAlgorithm(), caughtException.getLocalizedMessage() };
    }
    oidcClientRequest.setRsFailMsg(OidcClientRequest.NO_KEY, Tr.formatMessage(tc, "OIDC_CLIENT_NO_VERIFYING_KEY", objs));
    throw oidcClientRequest.error(true, tc, "OIDC_CLIENT_NO_VERIFYING_KEY", objs);
}

Plus

protected Key getVerifyKey(ConvergedClientConfig clientConfig, String kid, String x5t) throws Exception {
    ...
    } else if (SIGNATURE_ALG_NONE.equals(signatureAlgorithm)) {
        keyValue = null;
    }
    return keyValue;
}