
Conversation

@azmeuk
Member

@azmeuk azmeuk commented Aug 25, 2025

What kind of change does this PR introduce?

The behavior to find the alg with which the id_token is signed is:

  • use alg if set in get_jwt_config
  • else use client.id_token_signed_response_alg if defined
  • else use the default RS256

I think client.id_token_signed_response_alg should take precedence over get_jwt_config, but that would be a breaking change. I will open another ticket for that, this could target v1.8.

Working on this part of the code made me realize that the get_jwt_config might be a little outdated. We would probably want to use get_server_jwks here instead of manually passing a key. What do you think?

fixes #755

Checklist

  • You ran the linters with pre-commit.
  • You wrote unit tests to demonstrate the bug you are fixing, or to stress the feature you are bringing.

  • You consent that the copyright of your pull request source code belongs to Authlib's author.
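The three-step precedence in the description above, as an added example that is not Authlib's code and not part of this PR: a small resolver that reproduces the current order (get_jwt_config alg, then the client's id_token_signed_response_alg, then RS256), can be switched to the inverted order the author proposes for a later release, and, as the check a practitioner would want once client metadata can influence the choice, refuses any alg the server does not advertise. The ServerJWTConfig and ClientMetadata containers, SUPPORTED_ALGS, and the resolve_id_token_alg and demo names are all assumptions made for the example; the scenario data is constructed.

```python
"""Resolve the id_token signing alg from server config, client metadata and a default.

Constructed example. ServerJWTConfig, ClientMetadata, SUPPORTED_ALGS and
resolve_id_token_alg are hypothetical names, not Authlib's API.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_ALG = "RS256"

# Assumed set the server would advertise as id_token_signing_alg_values_supported.
# A client-requested alg outside it is refused instead of silently honored, so
# "none" or an unsupported symmetric alg never reaches the signer.
SUPPORTED_ALGS = frozenset({"RS256", "PS256", "ES256"})


@dataclass
class ServerJWTConfig:
    """Stand-in for the dict get_jwt_config() returns (constructed)."""
    key: dict
    iss: str
    exp: int = 3600
    alg: Optional[str] = None


@dataclass
class ClientMetadata:
    """Stand-in for the registered client's metadata (constructed)."""
    client_id: str
    id_token_signed_response_alg: Optional[str] = None


def resolve_id_token_alg(jwt_config, client, client_metadata_first=False):
    """Pick the alg used to sign the id_token.

    client_metadata_first=False follows the precedence the PR describes:
    get_jwt_config alg, then client.id_token_signed_response_alg, then RS256.
    client_metadata_first=True is the inverted order proposed for a later
    release. Raises ValueError if the resolved alg is not in SUPPORTED_ALGS.
    """
    server_alg = jwt_config.alg
    client_alg = client.id_token_signed_response_alg
    if client_metadata_first:
        alg = client_alg or server_alg or DEFAULT_ALG
    else:
        alg = server_alg or client_alg or DEFAULT_ALG
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"id_token alg {alg!r} is not supported by this server")
    return alg


def demo():
    """Constructed scenario: one server config with alg pinned to RS256, one
    without, and clients registered with ES256, nothing, and "none"."""
    key = {"kty": "RSA", "kid": "server-key"}  # placeholder, no real key material
    server = ServerJWTConfig(key=key, iss="https://op.example.test")
    server_pinned = ServerJWTConfig(key=key, iss=server.iss, alg="RS256")
    client_es = ClientMetadata("client-es256", id_token_signed_response_alg="ES256")
    client_unset = ClientMetadata("client-default")
    client_none = ClientMetadata("client-none", id_token_signed_response_alg="none")

    result = {
        # current order: the pinned server alg wins over the client's ES256
        "current_pinned_es": resolve_id_token_alg(server_pinned, client_es),
        # inverted order: the client's ES256 wins, which is the breaking change
        "inverted_pinned_es": resolve_id_token_alg(server_pinned, client_es, True),
        # no server alg: the client's metadata is used
        "current_unpinned_es": resolve_id_token_alg(server, client_es),
        # nothing set anywhere: RS256 default
        "current_unpinned_unset": resolve_id_token_alg(server, client_unset),
        # current order ignores the client's "none" because the server alg is set
        "current_pinned_none": resolve_id_token_alg(server_pinned, client_none),
    }
    try:
        resolve_id_token_alg(server_pinned, client_none, client_metadata_first=True)
        result["inverted_pinned_none"] = "accepted"
    except ValueError:
        result["inverted_pinned_none"] = "rejected"
    return result


if __name__ == "__main__":
    for name, alg in demo().items():
        print(f"{name}: {alg}")
```

The supported-set check is the part worth keeping whichever precedence the project settles on: once client metadata can select the alg, a registration that asks for an alg the server does not offer should fail at resolution time rather than at signing time, and the inverted order makes that path reachable by any client that can update its own metadata.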

@azmeuk azmeuk requested a review from lepture August 25, 2025 14:49
@azmeuk azmeuk force-pushed the 755-idtoken-metadata branch from 8665d3f to 86b1b78 Compare August 25, 2025 15:02
@lepture lepture merged commit bc71165 into authlib:main Aug 26, 2025
8 checks passed
@azmeuk azmeuk deleted the 755-idtoken-metadata branch August 26, 2025 11:41


Development

Successfully merging this pull request may close these issues.

Use the client metadata id_token_signed_response_alg to sign the id_token
