feat(auth/oidc): wider key algorithm support

.gitignore

@@ -8,10 +8,10 @@ Homestead.yaml
 .idea
 npm-debug.log
 yarn-error.log
-/public/dist/*.map
+/public/dist
 /public/plugins
-/public/css/*.map
-/public/js/*.map
+/public/css
+/public/js
 /public/bower
 /public/build/
 /public/favicon.ico

app/Access/Oidc/OidcJwtSigningKey.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Access\Oidc;
 
+use Illuminate\Support\Facades\Log;
 use phpseclib3\Crypt\Common\PublicKey;
 use phpseclib3\Crypt\PublicKeyLoader;
 use phpseclib3\Crypt\RSA;
@@ -63,8 +64,9 @@ class OidcJwtSigningKey
         // 'alg' is optional for a JWK, but we will still attempt to validate if
         // it exists otherwise presume it will be compatible.
         $alg = $jwk['alg'] ?? null;
-        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
+        $algorithm = OidcJwtSigningKeyAlgorithm::tryFrom($alg ?? OidcJwtSigningKeyAlgorithm::RS256->value);
+        if ($jwk['kty'] !== 'RSA' || $algorithm === null) {
+            throw new OidcInvalidKeyException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " keys are currently supported. Found key using {$alg}");
         }
 
         // 'use' is optional for a JWK but we assume 'sig' where no value exists since that's what
@@ -97,7 +99,16 @@ class OidcJwtSigningKey
             throw new OidcInvalidKeyException('Key loaded from file path is not an RSA key as expected');
         }
 
-        $this->key = $key->withPadding(RSA::SIGNATURE_PKCS1);
+        // apply key-algorithm depending hash
+        $key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256 => $key->withHash('sha256'),
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withHash('sha512'),
+        };
+        // apply key-algorithm depending padding
+        $this->key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256,
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withPadding(RSA::SIGNATURE_PKCS1),
+        };
     }
 
     /**

app/Access/Oidc/OidcJwtSigningKeyAlgorithm.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace BookStack\Access\Oidc;
+
+use UnitEnum;
+
+enum OidcJwtSigningKeyAlgorithm: string
+{
+    case RS256 = 'RS256';
+    case RS512 = 'RS512';
+
+    public static function getSupportedAlgorithms(): string
+    {
+        return join(',', array_map(static fn (UnitEnum $enum) => $enum->value, self::cases()));
+    }
+}

app/Access/Oidc/OidcJwtWithClaims.php

@@ -119,8 +119,8 @@ class OidcJwtWithClaims implements ProvidesClaims
      */
     protected function validateTokenSignature(): void
     {
-        if ($this->header['alg'] !== 'RS256') {
-            throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
+        if (OidcJwtSigningKeyAlgorithm::tryFrom($this->header['alg']) === null) {
+            throw new OidcInvalidTokenException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " signature validation is supported. Token reports using {$this->header['alg']}");
         }
 
         $parsedKeys = array_map(function ($key) {

app/Access/Oidc/OidcProviderSettings.php

@@ -158,10 +158,10 @@ class OidcProviderSettings
     protected function filterKeys(array $keys): array
     {
         return array_filter($keys, function (array $key) {
-            $alg = $key['alg'] ?? 'RS256';
+            $alg = $key['alg'] ?? OidcJwtSigningKeyAlgorithm::RS256->value;
             $use = $key['use'] ?? 'sig';
 
-            return $key['kty'] === 'RSA' && $use === 'sig' && $alg === 'RS256';
+            return $key['kty'] === 'RSA' && $use === 'sig' && OidcJwtSigningKeyAlgorithm::tryFrom($alg) !== null;
         });
     }
 

dev/checksums/vendor

@@ -1 +1 @@
-549c89b1a426fec378adbcf495a3227307dfaa60affb8ac00cf206afd904bbe9
+22e02ee72d21ff719c1073abbec8302f8e2096ba6d072e133051064ed24b45b1

version

@@ -1 +1 @@
-v25.11
+v25.02-dev