fix: ensure non-whitelisted JWA algs cannot be used by _jwt client auth

lib/shared/token_auth.js

@@ -147,16 +147,15 @@ module.exports = function tokenAuth(provider, endpoint) {
         case 'client_secret_jwt':
           await tokenJwtAuth(
             ctx, ctx.oidc.client.keystore,
-            signingAlg ? [signingAlg] : ['HS256', 'HS384', 'HS512'],
+            signingAlg ? [signingAlg] : instance(provider).configuration(`${endpoint}EndpointAuthSigningAlgValues`).filter(alg => alg.startsWith('HS')),
           );
 
           break;
 
         case 'private_key_jwt':
           await tokenJwtAuth(
             ctx, ctx.oidc.client.keystore,
-            signingAlg
-              ? [signingAlg] : ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'],
+            signingAlg ? [signingAlg] : instance(provider).configuration(`${endpoint}EndpointAuthSigningAlgValues`).filter(alg => !alg.startsWith('HS')),
           );
 
           break;