diff --git a/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs b/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
index b34427e943..8d8510958b 100644
--- a/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
+++ b/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
@@ -37,7 +37,7 @@ public void ValidateResponse()
 // but some identity providers (f.e. Identity Server and Azure AD) return 'id_token token'
 ValidateOneOfRequiredValues(ResponseTypesSupported, OidcConstants.RESPONSE_TYPES_SUPPORTED, OidcConstants.REQUIRED_COMBINED_RESPONSE_TYPES);
 ValidateOneOfRequiredValues(SubjectTypesSupported, OidcConstants.SUBJECT_TYPES_SUPPORTED, OidcConstants.REQUIRED_SUBJECT_TYPES);
- ValidateRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
+ ValidateOneOfRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
 }
 private static void ValidateValue(string value, string metadata)
diff --git a/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs b/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
index 8df2c8fdab..cc5dd12f9c 100644
--- a/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
+++ b/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
@@ -20,5 +20,5 @@ internal class OidcConstants
 internal static string[] REQUIRED_SUBJECT_TYPES => new[] { "pairwise", "public" };
- internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256" };
+ internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256", "RS512" };
 }
diff --git a/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs b/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
index 7752b8b395..59eb01739a 100644
--- a/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
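Review bot: The switched call on the `+` line weakens a spec MUST without saying so — OpenID Connect Discovery 1.0 §3 requires `id_token_signing_alg_values_supported` to include RS256, so a provider that advertises only RS512 is non-compliant, and after this change the health check reports it as healthy. The two `ResponseTypesSupported` lines above carry a comment explaining exactly this kind of provider-compatibility relaxation; the signing-algorithm line deserves the same, presumably naming the provider that motivated it. Suggest `// OIDC Discovery requires RS256 here, but some providers advertise only RS512; accept either` directly above the new call. ValidateResponse begins before the hunk, so earlier checks in the method are not visible here.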
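Review bot: `REQUIRED_ALGORITHMS` now reads as "all of these are required", while DiscoveryEndpointResponse.ValidateResponse consumes it through ValidateOneOfRequiredValues, where any single match passes; nothing on the `+` line records that semantic or why RS512 is an acceptable stand-in for the RS256 that OpenID Connect Discovery 1.0 §3 mandates. Add a comment above the property: `// OIDC Discovery 1.0 §3 says RS256 MUST be listed; RS512 is also accepted because some providers advertise only it. Matched as one-of, not all-of.` A name such as ACCEPTED_SIGNING_ALGORITHMS would express this in code, but that is a rename touching the callers and the test. The OidcConstants class starts before the hunk.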
+++ b/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
@@ -129,7 +129,27 @@ public void be_invalid_when_required_id_token_signing_alg_values_supported_is_mi
 validate
 .ShouldThrow()
- .Message.ShouldBe("Invalid discovery response - 'id_token_signing_alg_values_supported' must contain the following values: RS256!");
+ .Message.ShouldBe($"Invalid discovery response - 'id_token_signing_alg_values_supported' must be one of the following values: {string.Join(",", OidcConstants.REQUIRED_ALGORITHMS)}!");
+ }
+
+ [Theory]
+ [InlineData("RS256")]
+ [InlineData("RS512")]
+ public void be_valid_when_one_required_id_token_signing_alg_value_is_provided(string supportedSigningAlgorithm)
+ {
+ var response = new DiscoveryEndpointResponse
+ {
+ Issuer = RandomString,
+ AuthorizationEndpoint = RandomString,
+ JwksUri = RandomString,
+ ResponseTypesSupported = REQUIRED_RESPONSE_TYPES,
+ SubjectTypesSupported = OidcConstants.REQUIRED_SUBJECT_TYPES,
+ SigningAlgorithmsSupported = new[] { supportedSigningAlgorithm },
+ };
+
+ Action validate = () => response.ValidateResponse();
+
+ validate.ShouldNotThrow();
 }
 [Fact]
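Review bot: The new Theory pins only the accepting side of the one-of check; nothing in this hunk rejects a non-empty `id_token_signing_alg_values_supported` that lists neither RS256 nor RS512 (the `be_invalid…_is_missing` test above, whose body starts outside the hunk, appears from its name to cover the absent/empty case only), so a regression that made the check pass on any non-empty array would go unnoticed. A companion Fact with `SigningAlgorithmsSupported = new[] { "HS256" }` closes that gap, as sketched below; the exact message can be asserted too if ValidateOneOfRequiredValues emits the same text for a non-matching list as for a missing one, which is not visible here. Separately, building the expected message from `string.Join(",", OidcConstants.REQUIRED_ALGORITHMS)` mirrors the implementation and would not notice a separator or ordering change; a literal `RS256,RS512` is the stricter assertion.

```csharp
// … unchanged: be_valid_when_one_required_id_token_signing_alg_value_is_provided …

[Fact]
public void be_invalid_when_no_required_id_token_signing_alg_value_is_provided()
{
    var response = new DiscoveryEndpointResponse
    {
        Issuer = RandomString,
        AuthorizationEndpoint = RandomString,
        JwksUri = RandomString,
        ResponseTypesSupported = REQUIRED_RESPONSE_TYPES,
        SubjectTypesSupported = OidcConstants.REQUIRED_SUBJECT_TYPES,
        // neither RS256 nor RS512: must be rejected even though the array is non-empty
        SigningAlgorithmsSupported = new[] { "HS256" },
    };

    Action validate = () => response.ValidateResponse();

    validate.ShouldThrow();
}
```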