feat(rp): add WithSupportedSigningAlgorithms using DiscoveryConfigura…

…tion (zitadel#574)
otakakot · Apr 4, 2024 · 2961bfc · 2961bfc
1 parent 5cdb65c
commit 2961bfc
Showing 1 changed file with 24 additions and 11 deletions.
diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
@@ -90,12 +90,13 @@ var DefaultUnauthorizedHandler UnauthorizedHandler = func(w http.ResponseWriter,
 }
 
 type relyingParty struct {
-	issuer            string
-	DiscoveryEndpoint string
-	endpoints         Endpoints
-	oauthConfig       *oauth2.Config
-	oauth2Only        bool
-	pkce              bool
+	issuer                 string
+	DiscoveryEndpoint      string
+	discoveryConfiguration *oidc.DiscoveryConfiguration
+	endpoints              Endpoints
+	oauthConfig            *oauth2.Config
+	oauth2Only             bool
+	pkce                   bool
 
 	httpClient    *http.Client
 	cookieHandler *httphelper.CookieHandler
@@ -228,17 +229,20 @@ func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, re
 		oauthAuthStyle: oauth2.AuthStyleAutoDetect,
 	}
 
-	for _, optFunc := range options {
-		if err := optFunc(rp); err != nil {
-			return nil, err
-		}
-	}
 	ctx = logCtxWithRPData(ctx, rp, "function", "NewRelyingPartyOIDC")
 	discoveryConfiguration, err := client.Discover(ctx, rp.issuer, rp.httpClient, rp.DiscoveryEndpoint)
 	if err != nil {
 		return nil, err
 	}
+	rp.discoveryConfiguration = discoveryConfiguration
 	endpoints := GetEndpoints(discoveryConfiguration)
+
+	for _, optFunc := range options {
+		if err := optFunc(rp); err != nil {
+			return nil, err
+		}
+	}
+
 	rp.oauthConfig.Endpoint = endpoints.Endpoint
 	rp.endpoints = endpoints
 
@@ -348,6 +352,15 @@ func WithLogger(logger *slog.Logger) Option {
 	}
 }
 
+// WithSigningAlgsFromDiscovery appends the [WithSupportedSigningAlgorithms] option to the Verifier Options.
+// The algorithms returned in the `id_token_signing_alg_values_supported` from the discovery response will be set.
+func WithSigningAlgsFromDiscovery() Option {
+	return func(rp *relyingParty) error {
+		rp.verifierOpts = append(rp.verifierOpts, WithSupportedSigningAlgorithms(rp.discoveryConfiguration.IDTokenSigningAlgValuesSupported...))
+		return nil
+	}
+}
+
 type SignerFromKey func() (jose.Signer, error)
 
 func SignerFromKeyPath(path string) SignerFromKey {