OPENAM-13575 has added validation for signing and encryption algorithms. Values saved using the admin console (OAuth2 Client signing and encryption page) or via REST are rejected with a 400 Bad Request response and an additional message in the following scenarios:
- If an unrecognised (or not supported by AM) signing or encryption algorithm is specified for any of the following:
  - ID Token encryption algorithm
  - Request Parameter encryption algorithm
  - User Info encrypted response algorithm
  - Token Introspection encrypted response algorithm
  - ID Token signing algorithm
  - User Info signed response algorithm
  - Request Parameter signed algorithm
  - Token Introspection signed response algorithm
- If a symmetric signing or encryption algorithm is specified for any of the above when the client type is set to Public.
Examples of error messages seen for the first scenario are:
- Unknown encryption algorithm configured for User info encrypted response algorithm
- Unknown/invalid signing algorithm configured for ID Token Signing Algorithm
Examples for the second scenario are:
- Symmetric encryption algorithm configured for ID Token Encryption Algorithm is not allowed for a public client
- Symmetric signing algorithm configured for Token Endpoint Authentication Signing Algorithm is not allowed for a public client
Similar error messages are also logged at ERROR level and include the client ID that the error relates to.
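The two validation scenarios above, re-implemented as an added, stand-alone example so the rule can be exercised outside AM. This is not ForgeRock AM code: the supported-algorithm sets, the property keys (idTokenSignedResponseAlg and friends), the 200/400 response shape and the logger name are assumptions chosen to mirror the ticket. The symmetric/asymmetric split follows RFC 7518: HS* signing uses a shared secret, and dir, AES key wrap and AES-GCM key wrap all require a shared secret, which is why they make no sense for a public client that has no client secret.

```python
"""Added example: the OAuth2 client algorithm validation described in the ticket.

Not AM's own code. Algorithm sets and property names are assumptions.
"""
import logging

log = logging.getLogger("oauth2.client.validation")

# JWS algorithms (RFC 7518 section 3). HS* are HMAC, i.e. symmetric.
SUPPORTED_SIGNING = {
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
}
SYMMETRIC_SIGNING = {"HS256", "HS384", "HS512"}

# JWE key-management algorithms (RFC 7518 section 4). dir, AES key wrap and
# AES-GCM key wrap all need a pre-shared secret, i.e. they are symmetric.
SUPPORTED_ENCRYPTION = {
    "RSA1_5", "RSA-OAEP", "RSA-OAEP-256",
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
}
SYMMETRIC_ENCRYPTION = {
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
}

# Assumed property key -> (display name as used in the error messages, kind).
PROPERTIES = {
    "idTokenSignedResponseAlg": ("ID Token Signing Algorithm", "signing"),
    "idTokenEncryptionAlgorithm": ("ID Token Encryption Algorithm", "encryption"),
    "requestParameterSignedAlg": ("Request Parameter signed algorithm", "signing"),
    "requestParameterEncryptedAlg": ("Request Parameter encryption algorithm", "encryption"),
    "userinfoSignedResponseAlg": ("User info signed response algorithm", "signing"),
    "userinfoEncryptedResponseAlg": ("User info encrypted response algorithm", "encryption"),
    "tokenIntrospectionSignedResponseAlg": ("Token Introspection signed response algorithm", "signing"),
    "tokenIntrospectionEncryptedResponseAlg": ("Token Introspection encrypted response algorithm", "encryption"),
}


def validate_client_algorithms(client_id, client_type, config):
    """Return the list of validation errors for one client's configuration.

    client_type is "Public" or "Confidential"; config maps property keys to
    the configured algorithm (None or "" means not set). An empty list means
    the configuration would be accepted.
    """
    errors = []
    for prop, (label, kind) in PROPERTIES.items():
        value = config.get(prop)
        if not value:
            continue  # unset properties are not validated
        if kind == "signing":
            supported, symmetric, unknown = SUPPORTED_SIGNING, SYMMETRIC_SIGNING, "Unknown/invalid signing"
        else:
            supported, symmetric, unknown = SUPPORTED_ENCRYPTION, SYMMETRIC_ENCRYPTION, "Unknown encryption"
        if value not in supported:
            # First scenario: unrecognised or unsupported algorithm.
            errors.append(f"{unknown} algorithm configured for {label}")
        elif client_type == "Public" and value in symmetric:
            # Second scenario: a symmetric algorithm is keyed on the client
            # secret, and a public client has none.
            errors.append(
                f"Symmetric {kind} algorithm configured for {label} "
                f"is not allowed for a public client"
            )
    for err in errors:
        # Mirrors the ERROR-level log entry that identifies the client.
        log.error("%s (clientId=%s)", err, client_id)
    return errors


def to_response(client_id, errors):
    """Map validation errors to the (status, body) a REST save would return (assumed shape)."""
    if not errors:
        return 200, {"clientId": client_id}
    return 400, {"code": 400, "reason": "Bad Request",
                 "message": "; ".join(errors), "clientId": client_id}


if __name__ == "__main__":
    # Constructed sample: a public client with one symmetric and one bogus value.
    sample = {"idTokenSignedResponseAlg": "HS256",
              "userinfoEncryptedResponseAlg": "FOO"}
    status, body = to_response("myPublicApp",
                               validate_client_algorithms("myPublicApp", "Public", sample))
    print(status, body)
```

Switching the same configuration to a Confidential client, or replacing HS256 with RS256, clears the second error but not the first, which is the distinction the two scenarios draw.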
Is it possible to add a note or description of the above for OAuth2 Client signing and encryption configuration please?
Please note that for 6.5.x and 6.0.x versions, the list of properties excludes the Token Introspection signing and encryption properties above.