authts/oidc-client-ts

Does this package support ES256?

sjoerdvandenbos-prodrive opened this issue · 2 comments

I work at a big company with an OIDC IDP that only supports the ES256 ID token signing algorithm, so no RS256. I found that in the docs it says that the server "should" support RS256. What is the consequence for me? Can I still use this library?

The docs seem to be outdated. "Servers SHOULD support RS256" should be removed. Since this library removed the implicit flow and only supports code/PKCE, the tokens are only decoded and no longer checked against the signature. I therefore do not see why you cannot use it. So give it a try. Which IdP do you intend to use?

"Servers SHOULD support RS256" should be removed

This text is the official one from https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
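
To illustrate the point made in the second comment (an added example, not part of the thread and not oidc-client-ts code): decoding an ID token's header and claims without checking the signature behaves the same whether `alg` is ES256 or RS256, and the claim checks shown do not depend on the algorithm. The issuer, client id, nonce, function names and tokens are constructed sample values.

```javascript
// Added example; not oidc-client-ts code. All names and values are constructed.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Decode an ID token without touching the signature segment.
function decodeIdToken(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return { header: decodeSegment(parts[0]), claims: decodeSegment(parts[1]) };
}

// Claim checks that do not depend on the signing algorithm.
function validateClaims(claims, { issuer, clientId, nonce, now, skewSec = 60 }) {
  const errors = [];
  if (claims.iss !== issuer) errors.push("iss mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) errors.push("aud does not contain client_id");
  if (typeof claims.exp !== "number" || claims.exp + skewSec <= now) errors.push("expired");
  if (nonce !== undefined && claims.nonce !== nonce) errors.push("nonce mismatch");
  return errors;
}

const NOW = 1700000000; // fixed clock so the sample is deterministic
const sampleToken = (alg, overrides = {}) => [
  b64url({ alg, typ: "JWT", kid: "constructed-key" }),
  b64url({ iss: "https://idp.example", aud: "my-client", sub: "user-1",
           exp: NOW + 300, iat: NOW, nonce: "n-123", ...overrides }),
  "constructed-signature-not-verified",
].join(".");

const expected = { issuer: "https://idp.example", clientId: "my-client", nonce: "n-123", now: NOW };

function check(alg, overrides) {
  const { header, claims } = decodeIdToken(sampleToken(alg, overrides));
  return { alg: header.alg, errors: validateClaims(claims, expected) };
}

console.log(check("ES256"));
console.log(check("RS256"));
console.log(check("ES256", { aud: "other-client" }));
```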