fix: support ES256K OIDC token verification #2542

Open
Xavrir wants to merge 2 commits into supabase:master from Xavrir:fix-es256k-oidc

Conversation


@Xavrir Xavrir commented May 27, 2026

What changed

  • Add a narrow ES256K/secp256k1 verifier path for OIDC ID tokens.
  • Keep the existing go-oidc/go-jose verification path unchanged for non-ES256K providers.
  • Verify ES256K access token hashes with the SHA-256 at_hash calculation.
  • Require provider metadata to advertise ES256K unless it is explicitly allowed through SupportedSigningAlgs.
  • Add focused tests for valid ES256K tokens, bad signatures, unknown kid values, invalid curve points, missing algorithm metadata, and invalid at_hash values.

Fixes #2534

Testing

  • go test ./internal/api/provider -count=1
  • go test ./internal/api/... -run 'Test(ParseIDTokenES256K|ES256KRemoteKeySet)' -count=1
  • git diff --check

I also attempted the broader local make test path against a temporary Postgres test database. It ran most packages but failed in internal/mailer/validateclient TestValidateEmailExtended because a DNS-dependent invalid-host assertion returned nil locally; that failure is unrelated to this OIDC provider change.
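A worked verifier for the ES256K path this PR describes, added here as an illustration; it is not the PR's Go code and not Supabase Auth's. It is pure Python with its own minimal secp256k1 arithmetic (so no third-party library is needed), builds a constructed ID token under a constructed test key, and then runs the same rejection cases the PR lists: bad signature, unknown kid, a JWK point that is not on the curve, provider metadata that does not advertise ES256K (unless the algorithm is allowed explicitly), and an at_hash mismatch. Function names, the `allowed_algs` parameter, and the signing nonce choice (a random k from `secrets` rather than RFC 6979) are assumptions of this example.

```python
import base64, hashlib, json, secrets

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(P), base point G of order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """A JWK whose (x, y) is not on secp256k1 must never reach the verifier."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def point_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt = point_add(pt, pt); k >>= 1
    return acc

def b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def ecdsa_sign(priv, msg):
    # Nonce from secrets (assumption of this example, not RFC 6979); JWS wants raw r||s
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = point_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, msg, sig):
    if len(sig) != 64: return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def at_hash(access_token):
    # ES256K hashes with SHA-256, so at_hash is the left-most 128 bits of SHA-256(access_token)
    return b64url(hashlib.sha256(access_token.encode()).digest()[:16])

def jwk_from_public(pub, kid):
    return {"kty": "EC", "crv": "secp256k1", "kid": kid,
            "x": b64url(pub[0].to_bytes(32, "big")), "y": b64url(pub[1].to_bytes(32, "big"))}

def sign_id_token(priv, kid, claims):
    header = {"alg": "ES256K", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(ecdsa_sign(priv, signing_input.encode()))

def verify_id_token(token, jwks, metadata, access_token, allowed_algs=()):
    """Return the claims or raise ValueError naming the check that failed."""
    if ("ES256K" not in metadata.get("id_token_signing_alg_values_supported", [])
            and "ES256K" not in allowed_algs):
        raise ValueError("provider does not advertise ES256K")
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "ES256K":
        raise ValueError("unexpected alg")
    kid = json.loads(b64url_decode(h)).get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid
                and k.get("kty") == "EC" and k.get("crv") == "secp256k1"), None)
    if key is None:
        raise ValueError("unknown kid")
    pub = (int.from_bytes(b64url_decode(key["x"]), "big"), int.from_bytes(b64url_decode(key["y"]), "big"))
    if not on_curve(pub):
        raise ValueError("JWK point is not on secp256k1")
    if not ecdsa_verify(pub, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash mismatch")
    return claims

def reject_reason(*args, **kwargs):
    try:
        verify_id_token(*args, **kwargs); return None
    except ValueError as e:
        return str(e)

def demo():
    priv = 0x1C0FFEE0000000000000000000000000000000000000000000000000000C0FFEE  # constructed test key
    pub = point_mul(priv, G)
    jwks = {"keys": [jwk_from_public(pub, "key-1")]}
    meta = {"id_token_signing_alg_values_supported": ["ES256K"]}
    access = "constructed-access-token"
    claims = {"iss": "https://idp.example", "sub": "42", "aud": "client", "at_hash": at_hash(access)}
    token = sign_id_token(priv, "key-1", claims)
    h, p, s = token.split(".")
    forged = h + "." + b64url(json.dumps({**claims, "sub": "1"}).encode()) + "." + s
    off_curve = {"keys": [{**jwks["keys"][0], "y": b64url(((pub[1] + 1) % P).to_bytes(32, "big"))}]}
    return {"valid": reject_reason(token, jwks, meta, access),
            "tampered_payload": reject_reason(forged, jwks, meta, access),
            "unknown_kid": reject_reason(token, {"keys": []}, meta, access),
            "bad_point": reject_reason(token, off_curve, meta, access),
            "no_alg_metadata": reject_reason(token, jwks, {}, access),
            "allowed_explicitly": reject_reason(token, jwks, {}, access, allowed_algs=("ES256K",)),
            "bad_at_hash": reject_reason(token, jwks, meta, "other-token")}
```

`demo()` returns `None` for the cases that should verify and the rejection reason otherwise; the order of checks matters in practice, since the metadata and kid checks are cheap and run before any curve arithmetic on attacker-controlled input.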

@Xavrir Xavrir requested a review from a team as a code owner May 27, 2026 08:33

Development

Successfully merging this pull request may close these issues.

Support for Telegram OIDC: Unsupported elliptic curve secp256k1 in JWKS