The most significant changes involve the validation of signing algori…

…thms in the `DiscoveryEndpointResponse` class and the addition of "RS512" as a required algorithm in the `OidcConstants` class. A new test method has also been added to the `discovery_endpoint_response_should` class to test the validation of the `DiscoveryEndpointResponse` when one of the required signing algorithms is provided.

1. The `DiscoveryEndpointResponse` class in `DiscoveryEndpointResponse.cs` now uses the `ValidateOneOfRequiredValues` method instead of `ValidateRequiredValues` for `SigningAlgorithmsSupported`. This allows for the validation of multiple signing algorithms rather than just one.

2. The `OidcConstants` class in `OidcConstants.cs` has been updated to include "RS512" as a required algorithm, in addition to "RS256". This expands the list of required signing algorithms.

3. The `discovery_endpoint_response_should` class in `DiscoveryEndpointResponseTests.cs` has been updated with a new test method `be_valid_when_one_required_id_token_signing_alg_value_is_provided`. This method tests the validation of the `DiscoveryEndpointResponse` when one of the required signing algorithms is provided. It uses the `InlineData` attribute to test with both "RS256" and "RS512". The error message in the `validate` action has also been updated to reflect these changes.

src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs

@@ -37,7 +37,7 @@ public void ValidateResponse()
         // but some identity providers (f.e. Identity Server and Azure AD) return 'id_token token'
         ValidateOneOfRequiredValues(ResponseTypesSupported, OidcConstants.RESPONSE_TYPES_SUPPORTED, OidcConstants.REQUIRED_COMBINED_RESPONSE_TYPES);
         ValidateOneOfRequiredValues(SubjectTypesSupported, OidcConstants.SUBJECT_TYPES_SUPPORTED, OidcConstants.REQUIRED_SUBJECT_TYPES);
-        ValidateRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
+        ValidateOneOfRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
     }
 
     private static void ValidateValue(string value, string metadata)

src/HealthChecks.OpenIdConnectServer/OidcConstants.cs

@@ -20,5 +20,5 @@ internal class OidcConstants
 
     internal static string[] REQUIRED_SUBJECT_TYPES => new[] { "pairwise", "public" };
 
-    internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256" };
+    internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256", "RS512" };
 }

test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs

@@ -129,7 +129,27 @@ public void be_invalid_when_required_id_token_signing_alg_values_supported_is_mi
 
         validate
             .ShouldThrow<ArgumentException>()
-            .Message.ShouldBe("Invalid discovery response - 'id_token_signing_alg_values_supported' must contain the following values: RS256!");
+            .Message.ShouldBe($"Invalid discovery response - 'id_token_signing_alg_values_supported' must be one of the following values: {string.Join(",", OidcConstants.REQUIRED_ALGORITHMS)}!");
+    }
+
+    [Theory]
+    [InlineData("RS256")]
+    [InlineData("RS512")]
+    public void be_valid_when_one_required_id_token_signing_alg_value_is_provided(string supportedSigningAlgorithm)
+    {
+        var response = new DiscoveryEndpointResponse
+        {
+            Issuer = RandomString,
+            AuthorizationEndpoint = RandomString,
+            JwksUri = RandomString,
+            ResponseTypesSupported = REQUIRED_RESPONSE_TYPES,
+            SubjectTypesSupported = OidcConstants.REQUIRED_SUBJECT_TYPES,
+            SigningAlgorithmsSupported = new[] { supportedSigningAlgorithm },
+        };
+
+        Action validate = () => response.ValidateResponse();
+
+        validate.ShouldNotThrow();
     }
 
     [Fact]