[OIDC] LINE login use unsupported algorithm HS256 instead of expected ES256

[vacharanon]

Hello,

While I was trying to integrate LINE with Kratos' OIDC, I was presented with error : "oidc: id token signed with unsupported algorithm, expected ["ES256"] got "HS256""

LINE specifically told is in their document with no way to change the algorithm

Is there anywhere I can make Kratos understand HS256? Here is my current configuration.

- id: line
  provider: generic
  client_id: ...
  client_secret: ...
  mapper_url: file:///etc/config/kratos/oidc.line.jsonnet
  scope:
    - email
  issuer_url: https://access.line.me
  auth_url: https://access.line.me/oauth2/v2.1/authorize
  token_url: https://api.line.me/oauth2/v2.1/token

[aeneasr]

HS256 is not supported because it is a symmetric key which does not make any sense in the context of OpenID Connect. Their well-known document states that they issue ES256 ( https://access.line.me/.well-known/openid-configuration ) so it's very strange that a HS256 ends up at Ory Kratos. I would inquire at LINE to see what's going on or post an ID Token payload here for further debugging.

[vacharanon]

I've contact LINE via their support channel. I will keep you posted.

Anyway, please excuse me but how do I get ID Token payload out? I'm using Ory Kratos in Docker, if that's matter.

[aeneasr]

Great, thank you! Unfortunately I don't think it's easily possible to get that at the moment. If you want and know Go you could probably add it to the tracing pipeline. If you want to tackle that let me know and I'll point you in the right direction!

[94Peter]

I found the default signing algorithm used by the go-oidc library (github.com/coreos/go-oidc/v3/oidc) is RS256, and that Ory Kratos, in its usage of this library, doesn't explicitly set the SupportedSigningAlgs field in the go-oidc.Config object.
I suggest to create a GetAlgorithms function for oids.Provider to set the algorithms to verify.Config maybe can fix this issue.