starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-06 09:13:19 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🚀 Feature: Per-Integration Algorithm Configuration #28

New Issue
Closed
opened 2025-10-06 23:58:48 +03:00 by OVERLORD · 1 comment
OVERLORD commented 2025-10-06 23:58:48 +03:00
Owner
Copy Link

Originally created by @lordraiden on GitHub.

Feature description

This feature would allow administrators to specify the signing algorithm for each OIDC client (integration) individually. Currently, it appears a global algorithm configuration is used. The proposal is to extend the OIDC client configuration to include an option for selecting the desired signing algorithm (e.g., EdDSA, RSA).

When a new OIDC client is created or an existing one is edited, a new field, such as "Token Signing Algorithm," would be available. This field would provide a dropdown list of supported algorithms. If no algorithm is specified for a client, it would default to a globally configured algorithm.

Pitch

  • Broader Application Compatibility: As noted, different applications and services have varying levels of support for cryptographic algorithms. While one application might support modern algorithms like EdDSA, another legacy application may only support RSA. This feature would allow Pocket-ID to seamlessly integrate with a wider range of services, without being limited by the least common denominator.

  • Enhanced Flexibility: Administrators could tailor the security of each integration to the specific requirements of the application. This allows for stronger algorithms to be used where supported, without breaking compatibility with older systems.

  • Future-Proofing: As new algorithms become standard, they can be introduced and adopted on a per-integration basis, allowing for a gradual and controlled rollout across a user's services.

By implementing per-integration algorithm selection, Pocket-ID would become an even more versatile and powerful solution for self-hosted authentication, catering to a broader set of use cases without sacrificing its core value of simplicity.

Originally created by @lordraiden on GitHub. ### Feature description This feature would allow administrators to specify the signing algorithm for each OIDC client (integration) individually. Currently, it appears a global algorithm configuration is used. The proposal is to extend the OIDC client configuration to include an option for selecting the desired signing algorithm (e.g., EdDSA, RSA). When a new OIDC client is created or an existing one is edited, a new field, such as "Token Signing Algorithm," would be available. This field would provide a dropdown list of supported algorithms. If no algorithm is specified for a client, it would default to a globally configured algorithm. ### Pitch - Broader Application Compatibility: As noted, different applications and services have varying levels of support for cryptographic algorithms. While one application might support modern algorithms like EdDSA, another legacy application may only support RSA. This feature would allow Pocket-ID to seamlessly integrate with a wider range of services, without being limited by the least common denominator. - Enhanced Flexibility: Administrators could tailor the security of each integration to the specific requirements of the application. This allows for stronger algorithms to be used where supported, without breaking compatibility with older systems. - Future-Proofing: As new algorithms become standard, they can be introduced and adopted on a per-integration basis, allowing for a gradual and controlled rollout across a user's services. By implementing per-integration algorithm selection, Pocket-ID would become an even more versatile and powerful solution for self-hosted authentication, catering to a broader set of use cases without sacrificing its core value of simplicity.
OVERLORD commented 2025-10-06 23:58:50 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

Thanks for your feature request, but I think adding such an option would just make OIDC client configuration unnecessarily complicated. RSA should be supported by every client, and I wouldn’t really call it a legacy algorithm.

Yes, EdDSA has smaller keys and signatures, and signing is a bit faster, but honestly, outside of enterprise environments you won’t notice any difference at all.

Because of that, I’d just recommend sticking with RSA, it’s well supported everywhere and works perfectly fine.

@stonith404 commented on GitHub: Thanks for your feature request, but I think adding such an option would just make OIDC client configuration unnecessarily complicated. RSA should be supported by every client, and I wouldn’t really call it a legacy algorithm. Yes, EdDSA has smaller keys and signatures, and signing is a bit faster, but honestly, outside of enterprise environments you won’t notice any difference at all. Because of that, I’d just recommend sticking with RSA, it’s well supported everywhere and works perfectly fine.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#28
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?