Extend ODIC metadata with information about token endpoint signing algorithms supported

[runegri]

When running the OIDF FAPI 2.0 conforance test suite against our service HelseID, the test results report that we are missing a required property in the OIDC metadata. The missing property is token_endpoint_auth_signing_alg_values_supported, this should indicate which signing algorithms is accepted for client assertions used against the Token endpoint.

The properties request_object_signing_alg_values_supported and dpop_signing_alg_values_supported are already supported so I suppose this should be easy to implement. This is a requirement for IdentityServer to be FAPI 2.0 compliant, so it would be great if it was prioritized.

[josephdecock]

Hi Rune - good to hear from you! We are actually planning to include some new options to make FAPI 2.0 conformance easier to achieve in the next version of IdentityServer (7.3). In my own conformance testing, I've found that I needed to control the signing algorithms and clock skew of all JWTs, including JAR request objects, DPoP proofs, and client authentication jwts for private_key_jwt. We're going to be adding configuration for clock skew and algorithm for all of those (we're still discussing some of the details of what those options will look like internally). I also ran into conformance tests failing because IdentityServer 7.2 sometimes returns an invalid_dpop_proof when the OIDF's conformance test suite expects "invalid_request", so we're changing that. I'd love to know if you've run into anything else that you've needed for FAPI 2.0 conformance. We don't have an announced date that we're going to publish the first preview of 7.3, but it is probably just weeks away. When we do, I would really appreciate your feedback on it.

[maartenba]

Hi @runegri - this should now be available in 7.3+