opengovsg/mockpass

cannot use key from `oidc-v2-rp-secret.json` for Corppass

Closed this issue · 4 comments

The keys provided in oidc-v2-rp-secret.json use ES512, but Corppass only supports ES256 according to
https://github.com/opengovsg/mockpass/blob/main/lib/express/oidc/v2-ndi.js#L41

const corppass_token_endpoint_auth_signing_alg_values_supported = ['ES256']

I tried ndi_mock_01 from oidc-v2-asp-secret.json but it didn't work either; not sure if there is a missing key? The original keys in oidc-v2-rp-secret.json work with Singpass.

OK, something was up with getAccessTokenPayload from the helper library, so my app doesn't abort, but this warning still appears, so perhaps something to look at.

Looks like Corppass does report "token_endpoint_auth_signing_alg_values_supported": [ "ES256" ] on their discovery endpoint.

@randName just to confirm, so it works with the key in oidc-v2-rp-secret.json if you force your client to just sign the client assertion with the P-521/ES512 key anyway? Do things work without the warning if you use the CP_RP_JWKS_ENDPOINT config instead to point to your own P-256/ES256 signing key?

I'm not sure about forcing the signing, but I think that is what the helper library is doing.

Can confirm that CP_RP_JWKS_ENDPOINT pointing at our endpoint with an ES256 key works.

Thanks for confirming that. I guess it would be ideal to provide and load a static ES256 key, while preserving the current key for backward compatibility.