Skip to content

Upstream OAuth 2.0 providers: Support signed userinfo and customising the expected id_token signature algorithm #3664

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Dec 17, 2024
Merged

Upstream OAuth 2.0 providers: Support signed userinfo and customising the expected id_token signature algorithm #3664

merged 6 commits into from
Dec 17, 2024

Conversation

@MatMaul
Copy link
Contributor

@MatMaul MatMaul commented Dec 12, 2024
edited
Loading

Add options to upstream OAuth config to specify the expected signing algorithm for the endpoint JWT responses.

@MatMaul MatMaul force-pushed the add-response-alg-param branch 3 times, most recently from 9626af1 to 55c54d0 Compare December 12, 2024 14:00
@MatMaul MatMaul force-pushed the add-response-alg-param branch from 55c54d0 to 7c4f1de Compare December 12, 2024 14:04
sandhose
sandhose requested changes Dec 13, 2024
View reviewed changes
Copy link
Member

@sandhose sandhose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this!

A few things to fix:

  • id_token_signed_response_alg shouldn't be optional, I haven't seen that specced anywhere
  • userinfo_signed_response_alg should default to None, as it's the most common case

@MatMaul MatMaul force-pushed the add-response-alg-param branch 3 times, most recently from c5ca149 to dbb5d42 Compare December 16, 2024 12:49
@MatMaul MatMaul force-pushed the add-response-alg-param branch from dbb5d42 to 59a5c8f Compare December 16, 2024 12:55
@MatMaul MatMaul requested a review from sandhose December 16, 2024 13:13
sandhose
sandhose requested changes Dec 17, 2024
View reviewed changes
Copy link
Member

@sandhose sandhose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there, just still would like to have the userinfo_signed_response_alg default to Option::None

@MatMaul MatMaul requested a review from sandhose December 17, 2024 10:25
sandhose
sandhose approved these changes Dec 17, 2024
View reviewed changes
Copy link
Member

@sandhose sandhose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks a lot!

@sandhose sandhose merged commit 80903ed into element-hq:main Dec 17, 2024
18 checks passed
@sandhose sandhose changed the title Add id_token_signed_response_alg and userinfo_signed_response_alg Upstream OAuth 2.0 providers: Support signed userinfo and customising the expected id_token signature algorithm Jan 24, 2025
@sandhose sandhose added A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Enhancement New feature of request labels Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sandhose sandhose sandhose approved these changes

Assignees

No one assigned

Labels

A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Enhancement New feature of request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MatMaul @sandhose