feat: explicit config of id token alg (#1567) (#1568)

* feat: explicit config of id token alg (#1567)

- support to configure `id_token_signed_response_alg` field in the
  configuration object passed to `issuer.Client` in
  `src/lib/server/auth.ts`.

- allow `id_token_signed_response_alg` to be set from environment
  variable `OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG` or obtained via
  OP metadata during issuer discovery when `RS256` is not included.

* fix: refacto a bit, narrow types and add zod validation

---------

Co-authored-by: Drew Toto <drew_toto@alliedtelesis.com>
Co-authored-by: Nathan Sarrazin <sarrazin.nathan@gmail.com>

Author: 3 people

src/lib/server/auth.ts

@@ -42,6 +42,7 @@ export const OIDConfig = z
 		),
 		TOLERANCE: stringWithDefault(env.OPENID_TOLERANCE),
 		RESOURCE: stringWithDefault(env.OPENID_RESOURCE),
+		ID_TOKEN_SIGNED_RESPONSE_ALG: z.string().optional(),
 	})
 	.parse(JSON5.parse(env.OPENID_CONFIG || "{}"));
 
@@ -103,13 +104,21 @@ export async function generateCsrfToken(sessionId: string, redirectUrl: string):
 async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> {
 	const issuer = await Issuer.discover(OIDConfig.PROVIDER_URL);
 
-	return new issuer.Client({
+	const client_config: ConstructorParameters<typeof issuer.Client>[0] = {
 		client_id: OIDConfig.CLIENT_ID,
 		client_secret: OIDConfig.CLIENT_SECRET,
 		redirect_uris: [settings.redirectURI],
 		response_types: ["code"],
 		[custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined,
-	});
+		id_token_signed_response_alg: OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG || undefined,
+	};
+
+	const alg_supported = issuer.metadata["id_token_signing_alg_values_supported"];
+
+	if (Array.isArray(alg_supported) && !alg_supported.includes("RS256")) {
+		client_config.id_token_signed_response_alg ??= alg_supported[0];
+	}
+	return new issuer.Client(client_config);
 }
 
 export async function getOIDCAuthorizationUrl(