feature(rp): add support for HS256/HS384/HS512 signatures

[mdnight]

A minor pull request proposed by #412, which introduces support for HS256/HS384/HS512 signatures.

Definition of Ready

• I am happy with the code
• Short description of the feature/issue is added in the pr description
• PR is linked to the corresponding user story
• Acceptance criteria are met
• All open todos and follow ups are defined in a new ticket and justified
• Deviations from the acceptance criteria and design are agreed with the PO and documented.
• No debug or dead code
• My code has no repetitions
• Critical parts are tested automatically
• Where possible E2E tests are implemented
• Documentation/examples are up-to-date
• All non-functional requirements are met
• Functionality of the acceptance criteria is checked manually on the dev system.

[muhlemmer]

I don;t have anything against support for HS256. However I don't think this implementation is a complete solution.

1. The linked issue requests functionality for the op package, this PR implements the rp package
2. Currently the RelyingParty is hard-coded to use a RemoteKeySet from a public jwk_uri endpoint. HS256 being symetrice keys, they cannot be exposed on such a public endpoint. They need to be shared over some other secure channel and stored locally. In order to properly support HS256 in the rp package, loading of local keys must also be made configurable in NewRelyingPartyOIDC. This can be done by implementing a rp.Option

oidc/pkg/client/rp/relying_party.go

Lines 158 to 163 in eb2f912

	func (rp *relyingParty) IDTokenVerifier() *IDTokenVerifier {
	if rp.idTokenVerifier == nil {
	rp.idTokenVerifier = NewIDTokenVerifier(rp.issuer, rp.oauthConfig.ClientID, NewRemoteKeySet(rp.httpClient, rp.endpoints.JKWsURL), rp.verifierOpts...)
	}
	return rp.idTokenVerifier
	}

oidc/pkg/client/rp/relying_party.go

Lines 215 to 258 in eb2f912

	// NewRelyingPartyOIDC creates an (OIDC) RelyingParty with the given
	// issuer, clientID, clientSecret, redirectURI, scopes and possible configOptions
	// it will run discovery on the provided issuer and use the found endpoints
	func NewRelyingPartyOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURI string, scopes []string, options ...Option) (RelyingParty, error) {
	rp := &relyingParty{
	issuer: issuer,
	oauthConfig: &oauth2.Config{
	ClientID: clientID,
	ClientSecret: clientSecret,
	RedirectURL: redirectURI,
	Scopes: scopes,
	},
	httpClient: httphelper.DefaultHTTPClient,
	oauth2Only: false,
	oauthAuthStyle: oauth2.AuthStyleAutoDetect,
	}
	for _, optFunc := range options {
	if err := optFunc(rp); err != nil {
	return nil, err
	}
	}
	ctx = logCtxWithRPData(ctx, rp, "function", "NewRelyingPartyOIDC")
	discoveryConfiguration, err := client.Discover(ctx, rp.issuer, rp.httpClient, rp.DiscoveryEndpoint)
	if err != nil {
	return nil, err
	}
	if rp.useSigningAlgsFromDiscovery {
	rp.verifierOpts = append(rp.verifierOpts, WithSupportedSigningAlgorithms(discoveryConfiguration.IDTokenSigningAlgValuesSupported...))
	}
	endpoints := GetEndpoints(discoveryConfiguration)
	rp.oauthConfig.Endpoint = endpoints.Endpoint
	rp.endpoints = endpoints
	rp.oauthConfig.Endpoint.AuthStyle = rp.oauthAuthStyle
	rp.endpoints.Endpoint.AuthStyle = rp.oauthAuthStyle
	// avoid races by calling these early
	_ = rp.IDTokenVerifier() // sets idTokenVerifier
	_ = rp.ErrorHandler() // sets errorHandler
	_ = rp.UnauthorizedHandler() // sets unauthorizedHandler
	return rp, nil
	}

[muhlemmer]

Suppose you meant to add HS256 here?

However, let's not add HS256 as a default, as it also influences the op package. Your PR only implemented the rp part. HSxxx can still be configured when creating the the Verifier in the RP.

[muhlemmer]

@mdnight any feedback on the made comments?

[mdnight]

Hey, sorry for the late response. I am in the process of implementing the missing stuff that you mentioned in the comments. It may take some time because I am working on it in my spare time, but I will try to get it done anyway. Hopefully, this is a low-priority feature and there are no strict deadlines on this 😄