Sign OIDC id_token according to id_token_signed_response_alg client metadata by azmeuk · Pull Request #802 · authlib/authlib

What kind of change does this PR introduce?

The behavior to find the alg with which the id_token is signed is:

  • use the alg set in get_jwt_config if defined
  • else use client.id_token_signed_response_alg if defined
  • else use the default RS256

I think client.id_token_signed_response_alg should take precedence over get_jwt_config, but that would be a breaking change. I will open another ticket for that, this could target v1.8.

Working on this part of the code made me realize that the get_jwt_config might be a little outdated. We would probably want to use get_server_jwks here instead of manually passing a key. What do you think?

fixes #755

Checklist

  • You ran the linters with pre-commit.
  • You wrote unit tests to demonstrate the bug you are fixing, or to stress the feature you are bringing.
  • You consent that the copyright of your pull request source code belongs to Authlib's author.
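The precedence described in the PR body, written out as an added example (this is not Authlib's code and not the PR's diff). `Client` is a hypothetical stand-in for an OAuth2 client record carrying the `id_token_signed_response_alg` metadata, and `jwt_config` stands for the dict returned by `get_jwt_config`. The `supported_algs` check is an added defensive step, not something the PR describes: the resolved alg is only honoured if it is in the server's own signing set, so a client registration cannot select an alg the server does not sign with (in particular `none`).

```python
"""Added example (not Authlib's code): resolve the alg used to sign an OIDC
id_token with the precedence the PR describes:

  1. the alg set in get_jwt_config, if defined
  2. else the client's id_token_signed_response_alg metadata, if defined
  3. else the default RS256
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

DEFAULT_ID_TOKEN_ALG = "RS256"

# Assumed server-side signing set; a real server would derive this from
# its key material / id_token_signing_alg_values_supported.
SERVER_SIGNING_ALGS = ("RS256", "ES256", "HS256")


@dataclass
class Client:
    """Hypothetical stand-in for an OAuth2 client registration."""
    client_id: str
    id_token_signed_response_alg: Optional[str] = None


def resolve_id_token_alg(
    jwt_config: Dict[str, object],
    client: Client,
    supported_algs: Iterable[str] = SERVER_SIGNING_ALGS,
) -> str:
    """Return the alg to sign the id_token with.

    jwt_config['alg'] wins over the client metadata, which wins over RS256.
    An empty/None value at any step falls through to the next one.
    """
    alg = (
        jwt_config.get("alg")
        or client.id_token_signed_response_alg
        or DEFAULT_ID_TOKEN_ALG
    )
    # Added check (assumption, not from the PR): never let client metadata
    # pick an alg the server does not actually sign with, e.g. "none".
    if alg not in set(supported_algs):
        raise ValueError(
            f"unsupported id_token alg {alg!r} for client {client.client_id!r}"
        )
    return str(alg)


def build_jws_header(jwt_config: Dict[str, object], client: Client) -> Dict[str, str]:
    """Build the protected header the id_token would be signed under."""
    header = {"alg": resolve_id_token_alg(jwt_config, client), "typ": "JWT"}
    kid = jwt_config.get("kid")  # optional key id carried in the config
    if kid:
        header["kid"] = str(kid)
    return header


if __name__ == "__main__":
    # Constructed sample inputs.
    client = Client("app-1", id_token_signed_response_alg="ES256")
    print(build_jws_header({"alg": "RS256", "kid": "k1"}, client))  # config wins
    print(build_jws_header({}, client))                             # client metadata
    print(build_jws_header({}, Client("app-2")))                    # default RS256
```

Note how `{"alg": None}` in the config behaves like a missing key: the `or` chain falls through to the client metadata, which matches the "if defined" wording of the PR.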