Failing to validate it_token with provided jwks_url

[teolag]

Hi!
I'm having a problem validating my received token from an IDP with a key from their provided jwks_url.
The problem is that the tokens header says is signed with RS256 but the only key provided in jwks is RS512.
The provider says this is how it is supposed to be and that a RS512 is perfectly valid for verifying a RS256 signed token.
It felt wrong to me but I was able to verify a token using jwt.io and the provided RS512 key in jwks.
The code throws "no valid key found in issuer's jwks_uri for key parameters {"alg":"RS256”}"

Is there someone out there who can help me with this? What can I do to use the jwks to validate the token?

[panva]

You should go back to your jwks_uri provider and say that if the JWK's alg is set to RS512 it is incorrect to use it to validate RS256 signed tokens. It's technically possible on a crypto level, sure, but it is not supposed to be like so.

The JWK alg member indicates the intended algorithm with which the key is supposed to be used.

The behaviour of this library is correct and cannot be circumvented.

[panva]

https://datatracker.ietf.org/doc/html/rfc7517#section-4.4

The "alg" (algorithm) parameter identifies the algorithm intended for use with the key.

[teolag]

Thank you for a quick response! I will certainly tell them this. Hopefully they will be able to change it without messing up anything for all the other clients who apparently have working authentications somehow.
Would it be possible for them to remove the alg option all together to not define the type. If I'm not mistaken, it is valid to omit the alg field and just rely on the kty field (RSA).
Will this be a valid solution to the problem. Will the code in node-openid-client be able to accept the key if no alg is defined?

[panva]

Yes.

[teolag]

Success!
The provider has now changed the jwks key and removed the alg field, and now I'm able to verify the token.
Thank you and thanks for a great openid-client!