Add section about supported algorithms for OpenID Connect
In OpenID Connect Profile for Sweden Connect we rely on the cryptographic requirements stated in The Swedish OpenID Connect Profile.
The required signature algorithms according to this specification are only RS256 and ES256. We may want to extend the requirements for an OP to support a wider range of algorithms.
Also, if a client registers metadata in a federation, and it can freely set, for example, id_token_signed_response_alg, we run into problems. That would mean that an OP would need to use several different signing keys, one for each mandatory type. This needs to be addressed.
I will look into the details, but this feels backwards and deviates from how protocols normally handle signature interoperability.
The normal way to handle this, in my experience, is to put requirements on verifiers to support a range of algorithms, not the signer. The signer normally picks ONE signing key that it knows that all verifiers will support. It is non-typical that a signer selects different signing keys in order to meet the specific preferences of the verifier.
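To make the two positions above concrete (the issue's "OP would need one key per algorithm a client can register" and the comment's "put the range requirement on the verifier, let the signer pick one key"), here is an added example in Go using only the standard library. It is not code from the issue, the profile, or any Sweden Connect implementation. It models an OP that holds a single ES256 signing key and two relying parties: one whose registered id_token_signed_response_alg is RS256 and nothing else, and one that accepts the profile's whole required set, RS256 and ES256. The type and function names, the issuer URL and the claims are constructed for the example; the JWS encoding (unpadded base64url segments, ES256 signature as raw r||s) follows RFC 7515/7518.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
)

var enc = base64.RawURLEncoding // JWS segments are unpadded base64url

// SignES256 issues a compact JWS with the OP's single P-256 key. The JWS
// signature is r||s, each left-padded to 32 bytes, not ASN.1 DER.
func SignES256(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	in := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(in))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return in + "." + enc.EncodeToString(sig), nil
}

// Verifier models a relying party: the algs it accepts and the OP keys it holds.
type Verifier struct {
	Allowed []string
	EC      *ecdsa.PublicKey // nil when the OP publishes no EC key
	RSA     *rsa.PublicKey   // nil when the OP publishes no RSA key
}

// Verify checks a compact JWS and returns the raw payload. The alg header is checked
// against the allow-list before any key is touched, so an alg the RP never opted into is refused.
func (v Verifier) Verify(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrRaw, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if !slices.Contains(v.Allowed, hdr.Alg) {
		return nil, fmt.Errorf("alg %q not in supported set %v", hdr.Alg, v.Allowed)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch hdr.Alg {
	case "ES256":
		ok := v.EC != nil && len(sig) == 64 &&
			ecdsa.Verify(v.EC, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
		if !ok {
			return nil, fmt.Errorf("ES256: no EC key or signature does not verify")
		}
	case "RS256":
		if v.RSA == nil || rsa.VerifyPKCS1v15(v.RSA, crypto.SHA256, h[:], sig) != nil {
			return nil, fmt.Errorf("RS256: no RSA key or signature does not verify")
		}
	default:
		return nil, fmt.Errorf("alg %q allowed but not implemented", hdr.Alg)
	}
	return enc.DecodeString(parts[1])
}

func main() {
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the OP's only signing key (constructed)
	tok, _ := SignES256(opKey, map[string]any{"iss": "https://op.example", "sub": "1234"})
	narrow := Verifier{Allowed: []string{"RS256"}, EC: &opKey.PublicKey}        // registered RS256 only
	wide := Verifier{Allowed: []string{"RS256", "ES256"}, EC: &opKey.PublicKey} // supports the required set
	_, err := narrow.Verify(tok)
	fmt.Println("narrow RP:", err)
	payload, err := wide.Verify(tok)
	fmt.Println("wide RP:", string(payload), err)
}
```

Run as is: the RP that pinned RS256 rejects the OP's ES256 ID token with an "alg not in supported set" error, while the RP that implements the whole required set verifies it with the one key the OP publishes. That is the interoperability gap the issue describes, and the verifier-side range is the comment's remedy. Two details matter on the verifier side regardless of which way the profile goes: the allow-list is consulted before any key material is used, so a token carrying alg none or an unexpected algorithm is refused rather than dispatched on, and the key is selected by the algorithm family, so an RS256 header can never be verified against an EC key.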