fix(jwk): expose correct metadata algorithms

ory · Sep 7, 2022 · 0a786b7 · 0a786b7
1 parent 7bea2e8
commit 0a786b7
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 5 deletions.
diff --git a/jwk/helper.go b/jwk/helper.go
@@ -27,9 +27,10 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"github.com/ory/x/josex"
 	"sync"
 
+	"github.com/ory/x/josex"
+
 	"github.com/ory/x/errorsx"
 
 	"github.com/ory/hydra/x"

diff --git a/jwk/jwt_strategy.go b/jwk/jwt_strategy.go
@@ -22,9 +22,10 @@ package jwk
 
 import (
 	"context"
-	"github.com/ory/x/josex"
 	"net"
 
+	"github.com/ory/x/josex"
+
 	"github.com/gofrs/uuid"
 	"gopkg.in/square/go-jose.v2"
 
@@ -38,6 +39,7 @@ import (
 
 type JWTSigner interface {
 	GetPublicKeyID(ctx context.Context) (string, error)
+	GetPublicKey(ctx context.Context) (jose.JSONWebKey, error)
 	jwt.Signer
 }
 
@@ -79,6 +81,14 @@ func (j *DefaultJWTSigner) GetPublicKeyID(ctx context.Context) (string, error) {
 	return josex.ToPublicKey(private).KeyID, nil
 }
 
+func (j *DefaultJWTSigner) GetPublicKey(ctx context.Context) (jose.JSONWebKey, error) {
+	private, err := j.getKeys(ctx)
+	if err != nil {
+		return jose.JSONWebKey{}, errors.WithStack(err)
+	}
+	return josex.ToPublicKey(private), nil
+}
+
 func (j *DefaultJWTSigner) getPrivateKey(ctx context.Context) (interface{}, error) {
 	private, err := j.getKeys(ctx)
 	if err != nil {

diff --git a/oauth2/doc.go b/oauth2/doc.go
@@ -110,6 +110,16 @@ type WellKnown struct {
 	// required: true
 	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
 
+	// Algorithm used to sign OpenID Connect ID Tokens.
+	//
+	// required: true
+	IDTokenSignedResponseAlg []string `json:"id_token_signed_response_alg"`
+
+	// Algorithm used to sign OpenID Connect Userinfo Responses.
+	//
+	// required: true
+	UserinfoSignedResponseAlg []string `json:"userinfo_signed_response_alg"`
+
 	// 	Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
 	RequestParameterSupported bool `json:"request_parameter_supported"`
 

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -29,6 +29,8 @@ import (
 	"strings"
 	"time"
 
+	"gopkg.in/square/go-jose.v2"
+
 	"github.com/pborman/uuid"
 
 	"github.com/ory/x/errorsx"
@@ -229,6 +231,11 @@ func (h *Handler) LogoutHandler(w http.ResponseWriter, r *http.Request, ps httpr
 //       401: jsonError
 //       500: jsonError
 func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
+	key, err := h.r.OpenIDJWTStrategy().GetPublicKey(r.Context())
+	if err != nil {
+		h.r.Writer().WriteError(w, r, err)
+		return
+	}
 	h.r.Writer().Write(w, r, &WellKnown{
 		Issuer:                                 strings.TrimRight(h.c.IssuerURL(r.Context()).String(), "/") + "/",
 		AuthURL:                                h.c.OAuth2AuthURL(r.Context()).String(),
@@ -242,10 +249,12 @@ func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
 		ScopesSupported:                        h.c.OIDCDiscoverySupportedScope(r.Context()),
 		UserinfoEndpoint:                       h.c.OIDCDiscoveryUserinfoEndpoint(r.Context()).String(),
 		TokenEndpointAuthMethodsSupported:      []string{"client_secret_post", "client_secret_basic", "private_key_jwt", "none"},
-		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
+		IDTokenSigningAlgValuesSupported:       []string{key.Algorithm},
+		IDTokenSignedResponseAlg:               []string{key.Algorithm},
+		UserinfoSignedResponseAlg:              []string{key.Algorithm},
 		GrantTypesSupported:                    []string{"authorization_code", "implicit", "client_credentials", "refresh_token"},
 		ResponseModesSupported:                 []string{"query", "fragment"},
-		UserinfoSigningAlgValuesSupported:      []string{"none", "RS256"},
+		UserinfoSigningAlgValuesSupported:      []string{"none", key.Algorithm},
 		RequestParameterSupported:              true,
 		RequestURIParameterSupported:           true,
 		RequireRequestURIRegistration:          true,
@@ -254,7 +263,7 @@ func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
 		FrontChannelLogoutSupported:            true,
 		FrontChannelLogoutSessionSupported:     true,
 		EndSessionEndpoint:                     urlx.AppendPaths(h.c.IssuerURL(r.Context()), LogoutPath).String(),
-		RequestObjectSigningAlgValuesSupported: []string{"RS256", "none"},
+		RequestObjectSigningAlgValuesSupported: []string{"none", string(jose.RS256), string(jose.ES256)},
 		CodeChallengeMethodsSupported:          []string{"plain", "S256"},
 	})
 }