oidc algs: added EdDSA as a supported algorithm

Support EdDSA alogrithm to OIDC, cannot add functionality to verify access token.
coreos · May 15, 2023 · 9f7f5bd · 9f7f5bd
1 parent 82f6983
commit 9f7f5bd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/oidc/jose.go b/oidc/jose.go
@@ -13,4 +13,5 @@ const (
 	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
 	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
 	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
+	EdDSA = "EdDSA" // Ed25519 using SHA-512
 )
diff --git a/oidc/oidc.go b/oidc/oidc.go
@@ -36,8 +36,9 @@ const (
 )
 
 var (
-	errNoAtHash      = errors.New("id token did not have an access token hash")
-	errInvalidAtHash = errors.New("access token hash does not match value in ID token")
+	errNoAtHash             = errors.New("id token did not have an access token hash")
+	errInvalidAtHash        = errors.New("access token hash does not match value in ID token")
+	errUnsupportedAlgorithm = errors.New("unsupported signing algorithm, cannot verify access token with algorithm")
 )
 
 type contextKey int
@@ -149,6 +150,7 @@ var supportedAlgorithms = map[string]bool{
 	PS256: true,
 	PS384: true,
 	PS512: true,
+	EdDSA: true,
 }
 
 // ProviderConfig allows creating providers when discovery isn't supported. It's
@@ -450,6 +452,8 @@ func (i *IDToken) VerifyAccessToken(accessToken string) error {
 		h = sha512.New384()
 	case RS512, ES512, PS512:
 		h = sha512.New()
+	case EdDSA:
+		return errUnsupportedAlgorithm
 	default:
 		return fmt.Errorf("oidc: unsupported signing algorithm %q", i.sigAlgorithm)
 	}

diff --git a/oidc/oidc_test.go b/oidc/oidc_test.go
@@ -90,6 +90,12 @@ func TestAccessTokenVerification(t *testing.T) {
 			googleAccessToken,
 			assertMsg("id token did not have an access token hash"),
 		},
+		{
+			"EdDSA",
+			newToken("EdDSA", computed512TokenHash),
+			googleAccessToken,
+			assertMsg("unsupported signing algorithm, cannot verify access token with algorithm"),
+		},
 		{
 			"badSignAlgo",
 			newToken("none", "xxx"),
@@ -135,11 +141,11 @@ func TestNewProvider(t *testing.T) {
 				"authorization_endpoint": "https://example.com/auth",
 				"token_endpoint": "https://example.com/token",
 				"jwks_uri": "https://example.com/keys",
-				"id_token_signing_alg_values_supported": ["RS256", "RS384", "ES256"]
+				"id_token_signing_alg_values_supported": ["RS256", "RS384", "ES256", "EdDSA"]
 			}`,
 			wantAuthURL:    "https://example.com/auth",
 			wantTokenURL:   "https://example.com/token",
-			wantAlgorithms: []string{"RS256", "RS384", "ES256"},
+			wantAlgorithms: []string{"RS256", "RS384", "ES256", "EdDSA"},
 		},
 		{
 			name: "unsupported_algorithms",