Affects Version/s: 5.5.1, 188.8.131.52, 6.5.2
The spec says:
OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
This means that if request_object_signing_alg is not specified during dynamic registration, the OIDC client is allowed to sign its Request Objects with any algorithm supported by AM, and AM must accept them.
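The rule quoted above, as an added example written for this ticket (not AM's code and not the attached patch): a check that reads the alg from the Request Object's JWS header, pins it to the client's registered request_object_signing_alg when one was given, and otherwise accepts any alg the OP advertises. The supported-algorithm set, the client metadata shape and the make_request_object helper are assumptions; the helper produces a constructed request object with a placeholder signature, because signature verification is a separate step that runs after this check.

```python
import base64
import json

# Algorithms this hypothetical OP advertises as
# request_object_signing_alg_values_supported (assumed for the example; a real
# deployment takes this from the OP's configuration).
OP_SUPPORTED_ALGS = frozenset({"RS256", "PS256", "ES256", "HS256", "none"})


class RequestObjectAlgError(ValueError):
    """Raised when the Request Object's alg is not acceptable for this client."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_header(compact_jws: str) -> dict:
    """Return the protected header of a compact-serialised JWS."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise RequestObjectAlgError("request object is not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise RequestObjectAlgError("request object header is not decodable JSON") from exc
    if not isinstance(header, dict):
        raise RequestObjectAlgError("request object header is not a JSON object")
    return header


def check_request_object_alg(compact_jws, registered_alg, op_supported=OP_SUPPORTED_ALGS):
    """
    Apply the OpenID Connect Dynamic Client Registration rule for
    request_object_signing_alg and return the alg that signature verification
    must then use.

    registered_alg is the client's request_object_signing_alg, or None when it
    was omitted at registration.
    """
    alg = jws_header(compact_jws).get("alg")
    if not isinstance(alg, str) or not alg:
        raise RequestObjectAlgError("request object header has no alg")

    # Client pinned an algorithm: every Request Object from it MUST use that one.
    if registered_alg is not None and alg != registered_alg:
        raise RequestObjectAlgError(
            f"request object signed with {alg}, client registered {registered_alg}")

    # Nothing pinned (the default): any algorithm the OP supports MAY be used.
    # The OP-supported check also applies when an alg is pinned, since the OP
    # cannot verify what it does not support.
    if alg not in op_supported:
        raise RequestObjectAlgError(f"{alg} is not supported by this OP")

    # "none" MAY be used, but RFC 7515 requires an empty signature segment for it.
    if alg == "none" and compact_jws.split(".")[2] != "":
        raise RequestObjectAlgError("alg none with a non-empty signature")
    return alg


def make_request_object(alg: str, claims: dict) -> str:
    """Constructed test helper: builds a Request Object whose signature segment is
    a placeholder (empty for alg none). Not a real signing routine."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = "" if alg == "none" else _b64url_encode(b"\x00" * 32)
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    # The scenario from this ticket: nothing registered, request signed with RS256.
    claims = {"client_id": "rp-1", "response_type": "code",
              "redirect_uri": "https://rp.example/cb"}
    ro = make_request_object("RS256", claims)
    print("no alg registered, RS256 request ->", check_request_object_alg(ro, None))
    try:
        check_request_object_alg(ro, "PS256")
    except RequestObjectAlgError as err:
        print("PS256 registered, RS256 request ->", err)
```

Running the block prints that the RS256 request is accepted when no algorithm was registered, and rejected when the client had pinned PS256; both outcomes are what the quoted spec text requires.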
Steps to recreate the issue:
1. Create an OIDC client without request_object_signing_alg specified (via dynamic registration or via the UI).
2. Start an authorisation code grant flow with a request parameter signed with an algorithm AM supports, such as RS256.
Expected result: the request is accepted.
Actual result: AM returns
Unable to validate the request parameter signing algorithm
AM already performs a check on the algorithm, but not the one the spec describes.
I attached a patch that works for me for the Open Banking Ref Impl.