[Hydra] OIDC id_token signing

bala-striva · April 24, 2020, 9:16am

Hello,

I’m using hydra v1.4.6 and I want to specify what signing method to use for the id_token.
I don’t see any option to specify this in the admin REST api.
Can I specify if I wan’t to use a method other than the default RS256?
If it possible can I change this OIDC clients specific or just a globally?

Thank you,
Balazs

hackerman · April 24, 2020, 12:01pm

But instead of RS256 try another algorithm e.g. PS256.

This is a global setting.

bala-striva · April 24, 2020, 12:13pm

Trying to create a PS256 key in admin API I get the following

➜ http  :4445/keys/hydra.openid.id-token X-Forwarded-Proto:https alg=PS256 kid=id_hss use=sig         
HTTP/1.1 400 Bad Request
Content-Length: 143
Content-Type: application/json
Date: Fri, 24 Apr 2020 12:10:59 GMT

{
    "error": "error",
    "error_debug": "Generator PS256 unknown",
    "error_description": "The error is unrecognizable.",
    "request_id": "",
    "status_code": 500
}

hackerman · April 24, 2020, 12:55pm

Right, it appears Hydra doesn’t support that key type for generation. But you could use https://github.com/square/go-jose/tree/master/jose-util to generate it and import it using

hydra keys import hydra.openid.id-token ./path/to/jwk.json ./path/to/jwk-2.json

hackerman · April 24, 2020, 1:34pm

I’ve tracked this as an issue so that hydra supports this in the future.