I am testing OIDC with ES256 to sign JWT. But I found that if I configured OidcRegisteredService.idTokenSigningAlg to use ES256, the access token is signed with HS512 using cas.authn.oauth.accessToken.crypto.signing.key instead. (The ID token is signed with ES256 as expected.) This causes access key introspection to fail.
If I removed OidcRegisteredService.idTokenSigningAlg, access token is signed with RS512 and ID token is signed with RS256. In this case access key introspection works as intended. I am not sure how to fix this bug, so I am posting here for suggestion. -- You received this message because you are subscribed to the Google Groups "CAS Developer" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/c6385698-9be3-4594-83f5-bee3648af2a8%40apereo.org.
