Allow the OIDC client to use different algorithms

[liamor]

Description

Could the OIDC client have an option to use different algorithms for OidcClient Authentication? I am attempting to authenticate with an NHS service that uses an idiosyncratic Microsoft OAuth implementation that requires the use of RS512 only. My OIDC client configuration is

quarkus.oidc-client.client-enabled=true
quarkus.oidc-client.grant.type=client
quarkus.oidc-client.auth-server-url=https://dev.api.service.nhs.uk/oauth2
quarkus.oidc-client.client-id=<my-cid>
quarkus.oidc-client.discovery-enabled=false
quarkus.oidc-client.token-path=/token
quarkus.oidc-client.credentials.jwt.key-file=pk.pem
quarkus.oidc-client.credentials.jwt.token-key-id=<my-kid

which yields the response

DEBUG [io.qua.oid.cli.run.OidcClientImpl] (vert.x-eventloop-thread-0) Default OidcClient has failed to complete the client_credentials grant request:  status: 400, error message:
--
{
"error": "invalid_request",
"error_description": "Invalid 'alg' header in JWT - unsupported JWT algorithm - must be 'RS512'",
"message_id": "rrt-2366435234212063743-b-geu2-6513-5794388-1"
}

I can find no option in the documentation to allow this to be altered.
This is using Quarkus 2.4.1

Implementation ideas

No response

[quarkus-bot]

/cc @pedroigor, @sberyozkin

[sberyozkin]

Hi @liamor I was preparing a smallrye-jwt update PR, see #21192 and noticed this issue - #21192 will resolve it, you'd add a
smallrye.jwt.new-token.signature-algorithm=RS512 property and it will work

[sberyozkin]

@liamor I thought I'd do a bit more work here. As I said you can use smallrye.jwt.new-token.signature-algorithm once #21192 is merged but I'd also like to have it all working in the oidc-client namespace:

quarkus.oidc-client.credentials.jwt.key-file=pk.pem
quarkus.oidc-client.credentials.jwt.token-key-id=<my-kid
quarkus.oidc-client.credentials.jwt.signature-algorithm=RS512

Note the jwt configuration group is shared between quarkus-oidc and quarkus-oidc-client so the same would work for quarkus-oidc:

quarkus.oidc.credentials.jwt.key-file=pk.pem
quarkus.oidc.credentials.jwt.token-key-id=<my-kid
quarkus.oidc.credentials.jwt.signature-algorithm=RS512

It is worth making it possible to make it different between oidc-client and oidc as the algorithm requirements may be different and hence the global smallrye.jwt.new-token.signature-algorithm property won't work

[liamor]

Thanks, that sounds good as it will save people some guesswork.

[sberyozkin]

@liamor #21201 has resolved it, thanks

[liamor]

That's awesome, thanks. I'll try to get some time today to test this.