feat(oidc): support configurable token signing algorithms #5362

Merged
markphelps merged 1 commit into flipt-io:v2 from gzxu:oidc-algo
Feb 6, 2026

@gzxu gzxu commented Feb 6, 2026

Summary

Add an algorithms field to the OIDC provider configuration so Flipt can verify ID tokens signed with algorithms other than RS256.

closes #5361.

Changes

  • Update config schema to allow authentication.methods.oidc.providers.<provider>.algorithms (default ["RS256"])
  • Plumb configured algorithms into OIDC provider setup
  • Update OIDC server tests to include algorithms config

Test plan

  • Run existing unit tests for OIDC auth method (updated tests included)
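
An added example, not code from this pull request or from Flipt: a standard-library Go illustration of what an `algorithms` allowlist with a default of ["RS256"] enforces on the header of an incoming ID token. `CheckIDTokenAlg` and `constructedToken` are hypothetical names, and signature verification against the provider's keys is assumed to happen separately.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckIDTokenAlg is a hypothetical helper: it decodes the JOSE header of a
// compact JWT and checks "alg" against the configured allowlist. An empty
// list falls back to ["RS256"], the default named in the PR description.
func CheckIDTokenAlg(token string, allowed []string) (string, error) {
	if len(allowed) == 0 {
		allowed = []string{"RS256"}
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a compact JWS: got %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decode header: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parse header: %w", err)
	}
	for _, a := range allowed {
		// Exact match only; "none" is refused even if it was put in the list.
		if a == hdr.Alg && !strings.EqualFold(a, "none") {
			return hdr.Alg, nil
		}
	}
	return hdr.Alg, fmt.Errorf("alg %q not in allowlist %v", hdr.Alg, allowed)
}

// constructedToken builds a constructed sample token with the given alg.
func constructedToken(alg string) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	return h + ".e30.c2ln" // constructed payload "{}" and placeholder signature
}

func main() {
	for _, alg := range []string{"RS256", "ES256", "none"} {
		_, err := CheckIDTokenAlg(constructedToken(alg), []string{"RS256", "ES256"})
		fmt.Printf("%-5s -> %v\n", alg, err)
	}
}
```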

gzxu requested a review from a team as a code owner on February 6, 2026 07:10
dosubot bot added the size:S label (This PR changes 10-29 lines, ignoring generated files.) on Feb 6, 2026

dosubot bot commented Feb 6, 2026

Related Documentation

Checked 4 published document(s) in 1 knowledge base(s). No updates required.



codecov bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 57.14286% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.54%. Comparing base (8ac6346) to head (4076ee4).
⚠️ Report is 1 commits behind head on v2.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/server/authn/method/oidc/server.go | 66.66% | 1 Missing and 1 partial ⚠️ |
| internal/config/authentication.go | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##               v2    #5362      +/-   ##
==========================================
+ Coverage   59.97%   60.54%   +0.56%     
==========================================
  Files         138      138              
  Lines       13578    13584       +6     
==========================================
+ Hits         8144     8225      +81     
+ Misses       4735     4662      -73     
+ Partials      699      697       -2     
| Flag | Coverage Δ | |
|---|---|---|
| integrationtests | 34.64% <0.00%> (+1.51%) | ⬆️ |
| unittests | 51.95% <57.14%> (-0.01%) | ⬇️ |

@erka erka left a comment

Please update config/flipt.schema.json with a new option to improve in-editor support. And another PR with oidc is also missing it.


erka commented Feb 6, 2026

@gzxu thank you for the PR.


gzxu commented Feb 6, 2026

Thanks @erka for reviewing! Quick question: Which command can I use to auto-generate config/flipt.schema.json from config/flipt.schema.cue?


erka commented Feb 6, 2026

You have to do it manually. Cue didn't support it in the past. You could ask an LLM to do it as an alternative. They usually do a good job in this case.

dosubot bot added the size:M label (This PR changes 30-99 lines, ignoring generated files.) and removed the size:S label (This PR changes 10-29 lines, ignoring generated files.) on Feb 6, 2026

gzxu commented Feb 6, 2026

Ah you're right, LLM did a good job. Thanks!

erka added the needs docs (Requires documentation updates) and v2 (Flipt v2) labels on Feb 6, 2026

Some OIDC providers sign ID tokens with non-RS256 algorithms. Add an `algorithms`
setting to the OIDC provider config and plumb it through to the OIDC client
configuration. Default remains ["RS256"] for backward compatibility.

Signed-off-by: Edward Xu <[email protected]>

@markphelps markphelps left a comment

looks great! ty for your contribution @gzxu !!

@markphelps markphelps enabled auto-merge (squash) February 6, 2026 14:45
@markphelps markphelps merged commit c4446a8 into flipt-io:v2 Feb 6, 2026
36 of 38 checks passed
@github-project-automation github-project-automation bot moved this to Done in Flipt V2 Feb 6, 2026
@gzxu gzxu deleted the oidc-algo branch February 6, 2026 15:07

Development

Successfully merging this pull request may close these issues.

feat(oidc): allow configuring accepted ID token signing algorithms
