From 6b3f8876840988595807191a058ac7b0c431d066 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 15 Jul 2024 20:48:21 +0200
Subject: [PATCH] feat: Parametrize OIDC ID token signing algorithm
Planka originally supported only RS256, the default value set by the openid-client library from Panva. To provide more flexibility for clients in configuring their OIDC interactions with various providers, we now allow passing a signature algorithm through an environment variable. This enhancement enables users to specify a preferred signature algorithm, accommodating different OIDC provider requirements.
---
 server/api/hooks/oidc/index.js | 10 ++++++++--
 server/config/custom.js | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server/api/hooks/oidc/index.js b/server/api/hooks/oidc/index.js
index 9c449a51..e4a66c4f 100644
--- a/server/api/hooks/oidc/index.js
+++ b/server/api/hooks/oidc/index.js
@@ -25,13 +25,19 @@ module.exports = function defineOidcHook(sails) {
 const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer); 
- client = new issuer.Client({ 
+ const metadata = {
 client_id: sails.config.custom.oidcClientId,
 client_secret: sails.config.custom.oidcClientSecret,
 redirect_uris: [sails.config.custom.oidcRedirectUri],
 response_types: ['code'],
 userinfo_signed_response_alg: sails.config.custom.oidcUserinfoSignedResponseAlg, 
- }); 
+ } 
+ 
+ if (sails.config.custom.oidcIdTokenSignedResponseAlg) { 
+ metadata.id_token_signed_response_alg = sails.config.custom.oidcIdTokenSignedResponseAlg 
+ } 
+ 
+ client = new issuer.Client(metadata);
 },
 getClient() { 
diff --git a/server/config/custom.js b/server/config/custom.js
index 8e6f0e21..8971dc11 100644
--- a/server/config/custom.js
+++ b/server/config/custom.js 
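Review bot: The value of `OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG` is copied into `metadata.id_token_signed_response_alg` without any validation, so a deployment can set it to `none` and, if openid-client honours the configured value as the expected ID-token `alg` (the OIDC client-registration metadata does allow `none` for the code flow), ID-token signature verification is effectively switched off; any typo likewise surfaces as a login-time failure rather than a startup error. I would reject `none` explicitly before assigning, hoisting `const alg = sails.config.custom.oidcIdTokenSignedResponseAlg;` above the `if` and adding `if (alg === 'none') { throw new Error('OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG must not be "none"'); }` inside it, and document the setting with a comment such as `// JWS alg the provider signs ID tokens with; unset keeps openid-client's RS256 default.` Separately, the added `}` after `userinfo_signed_response_alg` and the `metadata.id_token_signed_response_alg = …` line drop the trailing semicolons the surrounding lines use, which the project's linter will likely flag. The enclosing `defineOidcHook` function starts before the hunk and its method list continues after it.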
@@ -39,6 +39,7 @@ module.exports.custom = {
 oidcIssuer: process.env.OIDC_ISSUER,
 oidcClientId: process.env.OIDC_CLIENT_ID,
 oidcClientSecret: process.env.OIDC_CLIENT_SECRET, 
+ oidcIdTokenSignedResponseAlg: process.env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG,
 oidcUserinfoSignedResponseAlg: process.env.OIDC_USERINFO_SIGNED_RESPONSE_ALG,
 oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
 oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
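Review bot: The new `oidcIdTokenSignedResponseAlg` entry takes the raw environment string with no note on accepted values or on what happens when it is unset, unlike `oidcScopes` and `oidcResponseMode` just below it, whose fallbacks are visible inline. Since the commit message says RS256 is the openid-client default, a one-line comment above the entry would save operators a trip to the library docs: `// JWS alg for ID-token signatures (e.g. RS256, ES256); leave unset for openid-client's RS256 default`. The `module.exports.custom` object starts before the hunk and continues after it.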