aaa

crates/oidc-client/src/requests/authorization_code.rs

@@ -528,28 +528,26 @@ pub async fn access_token_with_authorization_code(
     .await?;
 
     let id_token = if let Some(verification_data) = id_token_verification_data {
-        let signing_alg = verification_data.signing_algorithm;
-
         let id_token = token_response
             .id_token
             .as_deref()
             .ok_or(IdTokenError::MissingIdToken)?;
 
-        let id_token = verify_id_token(id_token, verification_data, None, now)?;
+        let (id_token, signing_alg) = verify_id_token(id_token, verification_data, None, now)?;
 
         let mut claims = id_token.payload().clone();
 
         // Access token hash must match.
         claims::AT_HASH
             .extract_optional_with_options(
                 &mut claims,
-                TokenHash::new(signing_alg, &token_response.access_token),
+                TokenHash::new(&signing_alg, &token_response.access_token),
             )
             .map_err(IdTokenError::from)?;
 
         // Code hash must match.
         claims::C_HASH
-            .extract_optional_with_options(&mut claims, TokenHash::new(signing_alg, &code))
+            .extract_optional_with_options(&mut claims, TokenHash::new(&signing_alg, &code))
             .map_err(IdTokenError::from)?;
 
         // Nonce must match.

crates/oidc-client/src/requests/jose.rs

@@ -102,14 +102,14 @@ pub struct JwtVerificationData<'a> {
 pub fn verify_signed_jwt<'a>(
     jwt: &'a str,
     verification_data: JwtVerificationData<'_>,
-) -> Result<Jwt<'a, HashMap<String, Value>>, JwtVerificationError> {
+) -> Result<(Jwt<'a, HashMap<String, Value>>, JsonWebSignatureAlg), JwtVerificationError> {
     tracing::debug!("Validating JWT...");
 
     let JwtVerificationData {
         issuer,
         jwks,
         client_id,
-        signing_algorithm,
+        signing_algorithm: _,
     } = verification_data;
 
     let jwt: Jwt<HashMap<String, Value>> = jwt.try_into()?;
@@ -124,12 +124,7 @@ pub fn verify_signed_jwt<'a>(
     // Must have the proper audience.
     claims::AUD.extract_required_with_options(&mut claims, client_id)?;
 
-    // Must use the proper algorithm.
-    if header.alg() != signing_algorithm {
-        return Err(JwtVerificationError::WrongSignatureAlg);
-    }
-
-    Ok(jwt)
+    Ok((jwt, header.alg().clone()))
 }
 
 /// Decode and verify an ID Token.
@@ -167,8 +162,8 @@ pub fn verify_id_token<'a>(
     verification_data: JwtVerificationData<'_>,
     auth_id_token: Option<&IdToken<'_>>,
     now: DateTime<Utc>,
-) -> Result<IdToken<'a>, IdTokenError> {
-    let id_token = verify_signed_jwt(id_token, verification_data)?;
+) -> Result<(IdToken<'a>, JsonWebSignatureAlg), IdTokenError> {
+    let (id_token, signing_alg) = verify_signed_jwt(id_token, verification_data)?;
 
     let mut claims = id_token.payload().clone();
 
@@ -202,5 +197,5 @@ pub fn verify_id_token<'a>(
         }
     }
 
-    Ok(id_token)
-}
+    Ok((id_token, signing_alg))
+}

crates/oidc-client/src/requests/refresh_token.rs

@@ -97,17 +97,17 @@ pub async fn refresh_access_token(
         id_token_verification_data.zip(token_response.id_token.as_ref())
     {
         let auth_id_token = auth_id_token.ok_or(IdTokenError::MissingAuthIdToken)?;
-        let signing_alg = verification_data.signing_algorithm;
 
-        let id_token = verify_id_token(id_token, verification_data, Some(auth_id_token), now)?;
+        let (id_token, signing_alg) =
+            verify_id_token(id_token, verification_data, Some(auth_id_token), now)?;
 
         let mut claims = id_token.payload().clone();
 
         // Access token hash must match.
         claims::AT_HASH
             .extract_optional_with_options(
                 &mut claims,
-                TokenHash::new(signing_alg, &token_response.access_token),
+                TokenHash::new(&signing_alg, &token_response.access_token),
             )
             .map_err(IdTokenError::from)?;
 

crates/oidc-client/src/requests/userinfo.rs

@@ -108,10 +108,9 @@ pub async fn fetch_userinfo(
     let response_body = std::str::from_utf8(userinfo_response.body())?;
 
     let mut claims = if let Some(verification_data) = jwt_verification_data {
-        verify_signed_jwt(response_body, verification_data)
-            .map_err(IdTokenError::from)?
-            .into_parts()
-            .1
+        let (id_token, _) =
+            verify_signed_jwt(response_body, verification_data).map_err(IdTokenError::from)?;
+        id_token.into_parts().1
     } else {
         serde_json::from_str(response_body)?
     };