summary refs log tree commit diff
path: root/docs/usage
diff options
context:
space:
mode:
authorEric Eastwood <erice@element.io>2025-02-20 17:56:53 -0600
committerGitHub <noreply@github.com>2025-02-20 17:56:53 -0600
commitcaa1f9d806945e056261ec6879da3b1a1cc23b17 (patch)
treef702c0c04ab0c790cff2d266a14969dd48dc4818 /docs/usage
parentDocument suspension Admin API (#18162) (diff)
downloadsynapse-caa1f9d806945e056261ec6879da3b1a1cc23b17.tar.xz
Add support for overriding `id_token_signing_alg_values_supported` for an OpenID identity provider (#18177)
Normally, when `discovery` is enabled,
`id_token_signing_alg_values_supported` comes from the OpenID Discovery
Document (`/.well-known/openid-configuration`). If nothing was
specified, we default to supporting `RS256` in the downstream usage.

This PR just adds support for adding a default/overriding the the
discovered value [just like we do for other things like the
`token_endpoint`](https://github.com/element-hq/synapse/blob/1525a3b4d48a0f5657d61423e1f205bff9a77948/docs/usage/configuration/config_documentation.md#oidc_providers),
etc.
Diffstat (limited to 'docs/usage')
-rw-r--r--docs/usage/configuration/config_documentation.md18
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md

index e3c06d5371..facf60a043 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3579,6 +3579,24 @@ Options for each entry include:
    to `auto`, which uses PKCE if supported during metadata discovery. Set to `always`
    to force enable PKCE or `never` to force disable PKCE.
 
+* `id_token_signing_alg_values_supported`: List of the JWS signing algorithms (`alg`
+  values) that are supported for signing the `id_token`.
+
+  This is *not* required if `discovery` is disabled. We default to supporting `RS256` in
+  the downstream usage if no algorithms are configured here or in the discovery
+  document.
+
+  According to the spec, the algorithm `"RS256"` MUST be included. The absolute rigid
+  approach would be to reject this provider as non-compliant if it's not included but we
+  simply allow whatever and see what happens (you're the one that configured the value
+  and cooperating with the identity provider).
+
+  The `alg` value `"none"` MAY be supported but can only be used if the Authorization
+  Endpoint does not include `id_token` in the `response_type` (ex.
+  `/authorize?response_type=code` where `none` can apply,
+  `/authorize?response_type=code%20id_token` where `none` can't apply) (such as when
+  using the Authorization Code Flow).
+
 * `scopes`: list of scopes to request. This should normally include the "openid"
    scope. Defaults to `["openid"]`.
generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-06-30 14:16:01 +0000