Merge pull request #826 from govuk-one-login/OLH-4070-allow-RS512

OLH-4070: allow RS512 for signing

Author: liegeandlief

solutions/api/src/lambda/token/utils/verifyClientAssertion.test.ts

@@ -77,7 +77,7 @@ describe("verifyClientAssertion", () => {
     expect(mockJwtVerify).toHaveBeenCalledWith(
       mockClientAssertion,
       expect.any(Function),
-      { algorithms: ["ES256", "RS256"] },
+      { algorithms: ["ES256", "RS256", "RS512"] },
     );
     expect(mockMetrics.addDimensions).toHaveBeenCalledWith({
       client_id: "test-client-id",
@@ -97,7 +97,7 @@ describe("verifyClientAssertion", () => {
     expect(mockJwtVerify).toHaveBeenCalledWith(
       mockClientAssertion,
       expect.any(Function),
-      { algorithms: ["ES256", "RS256"] },
+      { algorithms: ["ES256", "RS256", "RS512"] },
     );
   });
 
@@ -111,7 +111,7 @@ describe("verifyClientAssertion", () => {
     expect(mockJwtVerify).toHaveBeenCalledWith(
       mockClientAssertion,
       expect.any(Function),
-      { algorithms: ["ES256", "RS256"] },
+      { algorithms: ["ES256", "RS256", "RS512"] },
     );
   });
 

solutions/commons/utils/constants.ts

@@ -10,7 +10,7 @@ export const jarKeyEncryptionAlgorithm = "RSA-OAEP-256";
 export const jarContentEncryptionAlgorithm = "A256GCM";
 
 export const jwtSigningAlgorithm = "ES256";
-export const jwtVerifyAlgorithms = ["ES256", "RS256"];
+export const jwtVerifyAlgorithms = ["ES256", "RS256", "RS512"];
 
 export const checkUserAgentCookieName = "amc";
 

solutions/frontend/src/handlers/authorize/utils/verifyJwt.test.ts

@@ -119,7 +119,7 @@ describe("verifyJwt", () => {
 
     expect(result).toStrictEqual(payload);
     expect(mockJwtVerify).toHaveBeenCalledWith(signedJwt, "mock-jwks", {
-      algorithms: ["ES256", "RS256"],
+      algorithms: ["ES256", "RS256", "RS512"],
     });
   });