diff --git a/client/pages/config/authentication.vue b/client/pages/config/authentication.vue
index a85433c5..260093b5 100644
--- a/client/pages/config/authentication.vue
+++ b/client/pages/config/authentication.vue
@@ -58,6 +58,8 @@
+
+
@@ -187,6 +189,7 @@ export default {
if (data.userinfo_endpoint) this.newAuthSettings.authOpenIDUserInfoURL = data.userinfo_endpoint
if (data.end_session_endpoint) this.newAuthSettings.authOpenIDLogoutURL = data.end_session_endpoint
if (data.jwks_uri) this.newAuthSettings.authOpenIDJwksURL = data.jwks_uri
+ if (data.id_token_signing_algorithm) this.newAuthSettings.authOpenIDTokenSigningAlgorithm = data.id_token_signing_algorithm
})
.catch((error) => {
console.error('Failed to receive data', error)
@@ -225,6 +228,11 @@ export default {
isValid = false
}
+ if (!this.newAuthSettings.authOpenIDTokenSigningAlgorithm) {
+ this.$toast.error('Signing Algorithm required')
+ isValid = false
+ }
+
function isValidRedirectURI(uri) {
// Check for somestring://someother/string
const pattern = new RegExp('^\\w+://[\\w\\.-]+(/[\\w\\./-]*)*$', 'i')
diff --git a/server/Auth.js b/server/Auth.js
index 8ba87509..f9fe6e5c 100644
--- a/server/Auth.js
+++ b/server/Auth.js
@@ -85,7 +85,8 @@ class Auth {
token_endpoint: global.ServerSettings.authOpenIDTokenURL,
userinfo_endpoint: global.ServerSettings.authOpenIDUserInfoURL,
jwks_uri: global.ServerSettings.authOpenIDJwksURL,
- end_session_endpoint: global.ServerSettings.authOpenIDLogoutURL
+ end_session_endpoint: global.ServerSettings.authOpenIDLogoutURL,
+ id_token_signed_response_alg: global.ServerSettings.authOpenIDTokenSigningAlgorithm
}).Client
const openIdClient = new openIdIssuerClient({
client_id: global.ServerSettings.authOpenIDClientID,
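Review bot: The new `id_token_signed_response_alg` entry carries a security-relevant contract that nothing in the hunk explains: as far as I know openid-client compares this client-metadata value against the JWS header of every ID token it receives, so a token whose `alg` differs is rejected, and a value that does not match what the provider actually signs with breaks login entirely. A one-line comment would save the next maintainer from treating it as cosmetic, e.g. `// Must match the alg the provider signs ID tokens with; openid-client rejects tokens whose header alg differs`. The enclosing function starts and ends outside the hunk.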
@@ -650,7 +651,8 @@ class Auth {
token_endpoint: data.token_endpoint,
userinfo_endpoint: data.userinfo_endpoint,
end_session_endpoint: data.end_session_endpoint,
- jwks_uri: data.jwks_uri
+ jwks_uri: data.jwks_uri,
+ id_token_signing_algorithm: data.id_token_signing_alg_values_supported?.[0]
})
}).catch((error) => {
Logger.error(`[Auth] Failed to get openid configuration at "${configUrl}"`, error)
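Review bot: `data.id_token_signing_alg_values_supported?.[0]` returns whichever algorithm the provider happens to list first, so the value prefilled into the admin form depends on the provider's array ordering rather than on any preference; a (constructed) discovery list such as `['none', 'HS256', 'RS256']` would prefill `none`. Since `RS256` is the default this commit sets in ServerSettings and the one algorithm OIDC Discovery requires providers to list, it is the safer pick whenever present: `const algs = data.id_token_signing_alg_values_supported ?? []` and `id_token_signing_algorithm: algs.includes('RS256') ? 'RS256' : algs[0]`. Returning the full list under an additional key would also let the client offer a selection instead of free text. The enclosing handler starts and ends outside the hunk.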
diff --git a/server/objects/settings/ServerSettings.js b/server/objects/settings/ServerSettings.js
index 5c2da381..f107d707 100644
--- a/server/objects/settings/ServerSettings.js
+++ b/server/objects/settings/ServerSettings.js
@@ -68,13 +68,14 @@ class ServerSettings {
this.authOpenIDLogoutURL = null
this.authOpenIDClientID = null
this.authOpenIDClientSecret = null
+ this.authOpenIDTokenSigningAlgorithm = 'RS256'
this.authOpenIDButtonText = 'Login with OpenId'
this.authOpenIDAutoLaunch = false
this.authOpenIDAutoRegister = false
this.authOpenIDMatchExistingBy = null
this.authOpenIDMobileRedirectURIs = ['audiobookshelf://oauth']
this.authOpenIDGroupClaim = ''
- this.authOpenIDAdvancedPermsClaim = ''
+ this.authOpenIDAdvancedPermsClaim = ''
if (settings) {
this.construct(settings)
@@ -127,6 +128,7 @@ class ServerSettings {
this.authOpenIDLogoutURL = settings.authOpenIDLogoutURL || null
this.authOpenIDClientID = settings.authOpenIDClientID || null
this.authOpenIDClientSecret = settings.authOpenIDClientSecret || null
+ this.authOpenIDTokenSigningAlgorithm = settings.authOpenIDTokenSigningAlgorithm || 'RS256'
this.authOpenIDButtonText = settings.authOpenIDButtonText || 'Login with OpenId'
this.authOpenIDAutoLaunch = !!settings.authOpenIDAutoLaunch
this.authOpenIDAutoRegister = !!settings.authOpenIDAutoRegister
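Review bot: `settings.authOpenIDTokenSigningAlgorithm || 'RS256'` persists any non-empty string, including `none` or an HMAC algorithm, so a typo or a bad prefill from discovery only surfaces later when openid-client rejects the client metadata or the token; the client-side check added in authentication.vue (the `Signing Algorithm required` toast) likewise tests only for presence. Consider validating against an allowlist of the asymmetric JWS algorithms this deployment intends to accept and falling back to `RS256` otherwise, e.g. `const alg = settings.authOpenIDTokenSigningAlgorithm` and `this.authOpenIDTokenSigningAlgorithm = ALLOWED_ID_TOKEN_ALGS.includes(alg) ? alg : 'RS256'`, with `ALLOWED_ID_TOKEN_ALGS` (placeholder name) a frozen module-level array. The same allowlist could back the validity check extended in the `@@ -252,7 +255,8 @@` hunk, which currently only requires the field to be truthy. The enclosing method (presumably `construct`) starts and ends outside the hunk.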
@@ -217,6 +219,7 @@ class ServerSettings {
authOpenIDLogoutURL: this.authOpenIDLogoutURL,
authOpenIDClientID: this.authOpenIDClientID, // Do not return to client
authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client
+ authOpenIDTokenSigningAlgorithm: this.authOpenIDTokenSigningAlgorithm,
authOpenIDButtonText: this.authOpenIDButtonText,
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
authOpenIDAutoRegister: this.authOpenIDAutoRegister,
@@ -252,7 +255,8 @@ class ServerSettings {
this.authOpenIDUserInfoURL &&
this.authOpenIDJwksURL &&
this.authOpenIDClientID &&
- this.authOpenIDClientSecret
+ this.authOpenIDClientSecret &&
+ this.authOpenIDTokenSigningAlgorithm
}
get authenticationSettings() {
@@ -267,6 +271,7 @@ class ServerSettings {
authOpenIDLogoutURL: this.authOpenIDLogoutURL,
authOpenIDClientID: this.authOpenIDClientID, // Do not return to client
authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client
+ authOpenIDTokenSigningAlgorithm: this.authOpenIDTokenSigningAlgorithm,
authOpenIDButtonText: this.authOpenIDButtonText,
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
authOpenIDAutoRegister: this.authOpenIDAutoRegister,