cannot use key from `oidc-v2-rp-secret.json` for Corppass
Closed this issue · 4 comments
The keys provided in `oidc-v2-rp-secret.json` use ES512, but Corppass only supports ES256 according to https://github.com/opengovsg/mockpass/blob/main/lib/express/oidc/v2-ndi.js#L41:

```
const corppass_token_endpoint_auth_signing_alg_values_supported = ['ES256']
```

I tried `ndi_mock_01` from `oidc-v2-asp-secret.json`, but it didn't work either. Not sure if there is a missing key? The original keys in `oidc-v2-rp-secret.json` work with Singpass.
OK, something was up with `getAccessTokenPayload` from the helper library, so my app doesn't abort, but this warning still appears, so perhaps something to look at.
Looks like Corppass does report `"token_endpoint_auth_signing_alg_values_supported": [ "ES256" ]` on their discovery endpoint.
@randName just to confirm, so it works with the key in `oidc-v2-rp-secret.json` if you force your client to just sign the client assertion with the P-521/ES512 key anyway? Do things work without the warning if you use the `CP_RP_JWKS_ENDPOINT` config instead to point to your own P-256/ES256 signing key?
I'm not sure about forcing the signing, but I think that is what the helper library is doing.
Can confirm that `CP_RP_JWKS_ENDPOINT` pointing at our endpoint with an ES256 key works.
Thanks for confirming that. I guess it would be ideal to provide and load a static ES256 key, while preserving the current key for backward compatibility.
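The check the thread converges on, as an added example that is not mockpass's own code: read the provider's `token_endpoint_auth_signing_alg_values_supported` and pick a client-assertion signing key from the RP JWKS whose curve maps to a supported algorithm, failing loudly instead of signing with a P-521/ES512 key the provider will reject. The JWKS and discovery fragment below are constructed (key material omitted); the function names are this example's own.

```javascript
// Curve-to-alg mapping for EC keys (RFC 7518, section 3.4).
const CURVE_TO_ALG = { 'P-256': 'ES256', 'P-384': 'ES384', 'P-521': 'ES512' };

// Constructed discovery fragment, mirroring what Corppass reports.
const corppassDiscovery = {
  token_endpoint_auth_signing_alg_values_supported: ['ES256'],
};

// Constructed JWKS shaped like oidc-v2-rp-secret.json, with only the
// metadata fields kept (no x/y/d coordinates); kids are hypothetical.
const rpJwks = {
  keys: [
    { kty: 'EC', crv: 'P-521', use: 'sig', kid: 'rp-es512', alg: 'ES512' },
    { kty: 'EC', crv: 'P-256', use: 'sig', kid: 'rp-es256' },
  ],
};

// Derive the JWS alg from the key's curve; an explicit `alg` that
// contradicts the curve marks a misconfigured key, which is never a match.
function algForKey(jwk) {
  if (jwk.kty !== 'EC') return null;
  const fromCurve = CURVE_TO_ALG[jwk.crv] || null;
  if (jwk.alg && jwk.alg !== fromCurve) return null;
  return fromCurve;
}

// Return { key, alg } for the first signing key the provider accepts,
// or throw so the app fails at startup rather than with a rejected
// client assertion at the token endpoint.
function selectClientAssertionKey(jwks, discovery) {
  const supported =
    discovery.token_endpoint_auth_signing_alg_values_supported || [];
  for (const key of jwks.keys) {
    if (key.use && key.use !== 'sig') continue;
    const alg = algForKey(key);
    if (alg && supported.includes(alg)) return { key, alg };
  }
  throw new Error(
    `no signing key in JWKS matches provider algs [${supported.join(', ')}]`
  );
}
```

Running the same selection against the P-521 key alone reproduces the failure in this issue as an explicit error instead of a warning from the helper library.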