[OPENAM-4784] OpenID Connect support for RS256 in id_token_signing_alg_values_supported

Created: 24/Oct/14  Updated: 08/Dec/14  Resolved: 08/Dec/14

Status: Closed
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 11.0.2
Fix Version/s: 12.0.0
Type: Bug
Priority: Major
Reporter: Nathalie Hoet
Assignee: Jaco Jooste
Resolution: Fixed
Votes: 0
Labels: 12.0.0-MUST-FIX, AME, TESLA, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Sprint: Sprint 68 - Team Tesla, Sprint 69 - Team Tesla, Sprint 70 - Team Tesla, Sprint 71 - Team Tesla
Cases: 4965

Description

OpenID Connect must support RS256 in id_token_signing_alg_values_supported for OpenID Connect Discovery; see http://openid.net/specs/openid-connect-discovery-1_0.html:

  id_token_signing_alg_values_supported
  REQUIRED. ... The algorithm RS256 MUST be included. ...

Currently, the .well-known/openid-configuration endpoint reports:

  "id_token_signing_alg_values_supported":["HS256","HS512","HS384"]

Comments

Comment by Jaco Jooste [ 13/Nov/14 ]

The algorithm to use is specified on the OAuth2 Client page in the "ID Token Signed Response Algorithm" field. The private key for signing is retrieved from the keystore for the alias configured in "Alias of ID Token Signing Key" on the OAuth2 Provider page.

The upgrade step for this change will do the following:

1. Save all OAuth2 Provider configurations. They will not be upgraded with the RS256 value and will no longer inherit default values from the global settings.
2. Add RS256 to the default settings in Configuration | Global | OAuth2 Provider | ID Token Signed Response Algorithm.
Comment by raffed [ 14/Nov/14 ]

Will this fix show the key being used (as defined in the Alias of the ID Token Signing Key) when you navigate to the /.well-known/openid-configuration and then reference the jwks_uri endpoint, as addressed in https://bugster.forgerock.org/jira/browse/OPENAM-4003? The fix for now shows the jwks_uri value, but there is not a key at the /oauth2/connect/jwk_uri endpoint.

Thank you
E.R.

Comment by Phill Cunnington [ 14/Nov/14 ]

This is a good point, and the fix has been updated to expose the public key for the private key that was used to sign the id token. The public key is exposed as a JWK at the /oauth2/connect/jwk_uri endpoint.

Comment by GErickson [ 03/Dec/14 ]

Verified as fixed in 21 Nov 2014 12.0.0 nightly trunk build #922, SVN r11466. Automated regression test is oauth2.TestOpenIdREST.OAM636().

Comment by Chris Lee [ 08/Dec/14 ]

Reopening to add release-notes label.

Comment by Chris Lee [ 08/Dec/14 ]

Added release-notes label.

Generated at Tue Feb 09 21:37:37 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.
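The checks below are an added example, not OpenAM code and not part of this issue or its regression test. They express the two requirements discussed in the description and in the jwks_uri comments as offline checks: RS256 must be advertised in id_token_signing_alg_values_supported, and an RSA public key must actually be published at jwks_uri so that an RS256 id_token can be verified. A third check is the consistency test a relying party runs on the JOSE header before signature verification (advertised alg, no "none", kid resolvable in the JWKS). The issuer URLs, the JWK modulus and the token fixture are constructed placeholders; no signature is verified.

```python
"""Offline conformance checks for an OpenID Connect discovery document and JWKS.

Added example (not OpenAM code). Sample documents are constructed to mirror the
before/after state described in OPENAM-4784; they are not captured output.
"""
import base64
import json

# Constructed discovery documents: "before" matches the algorithm list quoted
# in the issue description, "after" adds RS256. URLs are placeholders.
DISCOVERY_BEFORE_FIX = {
    "issuer": "https://openam.example.com/openam/oauth2",
    "jwks_uri": "https://openam.example.com/openam/oauth2/connect/jwk_uri",
    "id_token_signing_alg_values_supported": ["HS256", "HS512", "HS384"],
}
DISCOVERY_AFTER_FIX = dict(
    DISCOVERY_BEFORE_FIX,
    id_token_signing_alg_values_supported=["HS256", "HS512", "HS384", "RS256"],
)

# Constructed JWKS documents: an empty key set (the state raffed reports) and one
# RSA signing key. The modulus is a placeholder string, not a real key.
JWKS_EMPTY = {"keys": []}
JWKS_WITH_RSA_KEY = {"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "test-kid",
    "n": "placeholder-modulus", "e": "AQAB",
}]}


def check_discovery(discovery: dict) -> list:
    """Return findings for the discovery document; an empty list means it passes."""
    findings = []
    algs = discovery.get("id_token_signing_alg_values_supported")
    if not isinstance(algs, list) or not algs:
        findings.append("id_token_signing_alg_values_supported missing or empty (REQUIRED)")
    else:
        if "RS256" not in algs:
            findings.append("RS256 not advertised in id_token_signing_alg_values_supported (MUST be included)")
        if "none" in algs:
            findings.append("'none' advertised as an id_token signing algorithm")
    if not discovery.get("jwks_uri"):
        findings.append("jwks_uri missing")
    return findings


def check_jwks_for_rs256(jwks: dict) -> list:
    """RS256 verification needs at least one complete RSA key usable for signing."""
    findings = []
    # A JWK without "use" may be used for any purpose, so only "enc" keys are excluded.
    rsa_sig_keys = [k for k in jwks.get("keys", [])
                    if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if not rsa_sig_keys:
        findings.append("jwks_uri publishes no RSA signing key; RS256 id_tokens cannot be verified")
    for key in rsa_sig_keys:
        if not key.get("kid"):
            findings.append("RSA key has no kid; relying parties cannot select it from the header")
        if not (key.get("n") and key.get("e")):
            findings.append("RSA key is missing n or e")
    return findings


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_header(id_token: str, discovery: dict, jwks: dict) -> list:
    """Pre-verification checks on the JOSE header; does NOT verify the signature."""
    findings = []
    header = json.loads(_b64url_decode(id_token.split(".")[0]))
    alg = header.get("alg")
    if alg == "none":
        findings.append("unsigned id_token (alg=none) must be rejected")
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        findings.append(f"id_token alg {alg!r} is not advertised by the provider")
    if isinstance(alg, str) and alg.startswith("RS"):
        kid = header.get("kid")
        if not any(k.get("kid") == kid for k in jwks.get("keys", [])):
            findings.append(f"no JWK with kid {kid!r} found at jwks_uri")
    return findings


def make_token_fixture(header: dict) -> str:
    """Constructed compact JWS with a placeholder signature, for header checks only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "demo-subject"}), "placeholder-signature"])


if __name__ == "__main__":
    token = make_token_fixture({"alg": "RS256", "kid": "test-kid"})
    for label, disc, jwks in (("before fix", DISCOVERY_BEFORE_FIX, JWKS_EMPTY),
                              ("after fix", DISCOVERY_AFTER_FIX, JWKS_WITH_RSA_KEY)):
        print(label, check_discovery(disc) + check_jwks_for_rs256(jwks)
              + check_id_token_header(token, disc, jwks))
```

Run against a live deployment, the same three functions would take the JSON fetched from /.well-known/openid-configuration and from the advertised jwks_uri; the "before fix" fixture reproduces both findings raised in this issue (no RS256 advertised, no key at the JWKS endpoint), and the "after fix" fixture passes cleanly.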