Add support for RS256/RS384/RS512 to sign ID Tokens (#184)

lemonldap-ng-portal/example/openid-configuration.pl

@@ -42,7 +42,7 @@ $configuration->{grant_types_supported} =
 # $configuration->{acr_values_supported}
 $configuration->{subject_types_supported} = ["public"];
 $configuration->{id_token_signing_alg_values_supported} =
-  [qw/none RS256 RS384 RS512/];
+  [qw/none HS256 HS384 HS512 RS256 RS384 RS512/];
 
 # $configuration->{id_token_encryption_alg_values_supported}
 # $configuration->{id_token_encryption_enc_values_supported}

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm

@@ -1135,6 +1135,30 @@ sub createIDToken {
         return $id_token_header . "." . $id_token_payload . "." . $digest;
     }
 
+    if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
+
+        # Get signing private key
+        my $priv_key = $self->{oidcServicePrivateKeySig};
+        my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key($priv_key);
+
+        if ( $alg eq "RS256" ) {
+            $rsa_priv->use_sha256_hash;
+        }
+
+        if ( $alg eq "RS384" ) {
+            $rsa_priv->use_sha384_hash;
+        }
+
+        if ( $alg eq "RS512" ) {
+            $rsa_priv->use_sha512_hash;
+        }
+
+        my $digest = encode_base64url(
+            $rsa_priv->sign( $id_token_header . "." . $id_token_payload ) );
+
+        return $id_token_header . "." . $id_token_payload . "." . $digest;
+    }
+
     $self->lmLog( "Algorithm $alg not supported to sign ID Token", 'debug' );
 
     return;