Planka originally supported only RS256, the default value set by
the openid-client library from Panva.
To provide more flexibility for clients in configuring their OIDC interactions
with various providers, we now allow passing a signature algorithm through
an environment variable.
This enhancement enables users to specify a preferred signature algorithm,
accommodating different OIDC provider requirements.
Some OIDC providers support signed UserInfo responses, to enhance
security. The OIDC client should be free to ask for the user info
signature; however, in certain situations (e.g. egov applications)
where security matters, the OIDC providers might choose to enforce
this signature.
Planka did not support signed UserInfo responses, which resulted
in a misleading exception 'invalidCodeOrNonce'.
Introduce the proper configurations to parametrize the OIDC client,
and a dedicated exception to improve the developer experience.
Specifications:
"The UserInfo Claims MUST be returned as the members of a JSON
object unless a signed or encrypted response was requested
during Client Registration."
Planka used a default response_mode 'fragment', which is not supported by all
OIDC providers.
Planka supports only the Authorization Code flow. The default response mode
for the authorization code flow is 'query', meaning the authorization server
appends the authorization code to the redirect URI as a query parameter.
I have added two environment variables: one to use the default response mode
from the OIDC provider, and one to customize the response mode if needed.
Using the default response mode is recommended by the OIDC specification:
"The use of this parameter is NOT RECOMMENDED when the Response Mode that
would be requested is the default mode specified for the Response Type."
To avoid any breaking changes, I kept the default value as 'fragment'. Ideally,
the environment variable should be undefined by default.
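As an added illustration of the three settings described in these commits (ID Token signature algorithm, signed UserInfo responses, and response_mode), here is example code that is not Planka's own: it maps environment variables onto the client metadata and authorization parameters that the openid-client library accepts. The `OIDC_*` variable names are hypothetical placeholders, not Planka's, and the algorithm allowlist is an assumption of this example.

```javascript
// Added example, not Planka code. Maps env vars to openid-client settings.
// All OIDC_* variable names below are hypothetical placeholders.

// Asymmetric JWS algorithms accepted for ID Token / UserInfo signatures.
// 'none' and anything unknown is rejected instead of being passed through.
const ALLOWED_SIG_ALGS = new Set([
  'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512',
  'ES256', 'ES384', 'ES512', 'EdDSA',
]);

// Response modes usable with the authorization code flow; the default
// mode for response_type=code is 'query'.
const ALLOWED_RESPONSE_MODES = new Set(['query', 'fragment', 'form_post']);

function pickAlg(value, fallback) {
  if (value === undefined || value === '') return fallback;
  if (!ALLOWED_SIG_ALGS.has(value)) {
    throw new Error(`unsupported signature algorithm: ${value}`);
  }
  return value;
}

// Metadata object for `new issuer.Client(metadata)`.
function buildClientMetadata(env) {
  const metadata = {
    client_id: env.OIDC_CLIENT_ID,
    client_secret: env.OIDC_CLIENT_SECRET,
    redirect_uris: [env.OIDC_REDIRECT_URI],
    response_types: ['code'],
    // RS256 is openid-client's default; an override is validated first.
    id_token_signed_response_alg: pickAlg(env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG, 'RS256'),
  };
  // Only set when the provider signs UserInfo; openid-client then expects an
  // application/jwt body and verifies it against the provider's JWKS.
  const userinfoAlg = pickAlg(env.OIDC_USERINFO_SIGNED_RESPONSE_ALG, undefined);
  if (userinfoAlg) metadata.userinfo_signed_response_alg = userinfoAlg;
  return metadata;
}

// Extra parameters for `client.authorizationUrl(params)`.
function buildAuthorizationParams(env) {
  const params = { scope: 'openid email profile' };
  // Omitting response_mode lets the provider apply its default ('query').
  if (env.OIDC_USE_DEFAULT_RESPONSE_MODE === 'true') return params;
  const mode = env.OIDC_RESPONSE_MODE || 'fragment'; // 'fragment' keeps old behaviour
  if (!ALLOWED_RESPONSE_MODES.has(mode)) {
    throw new Error(`unsupported response_mode: ${mode}`);
  }
  params.response_mode = mode;
  return params;
}
```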