[token_introspection] Remove algorithm enum from the schema

jsonschema validation fails randomly when enum contains only a single value. For now, remove the algorithm and use the hardcoded value until we can upgrade lua-resty-jwt and support additional signing algorithms.
3scale · Jun 17, 2024 · 3a7aee4 · 3a7aee4
1 parent 78c63f8
commit 3a7aee4
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 12 deletions.
diff --git a/gateway/src/apicast/policy/token_introspection/apicast-policy.json b/gateway/src/apicast/policy/token_introspection/apicast-policy.json
@@ -84,11 +84,6 @@
                 "description": "Audience. The aud claim of the singed JWT. The audience SHOULD be the URL of the Authorization Server’s Token Endpoint.",
                 "type": "string"
               },
-              "client_jwt_assertion_algorithm": {
-                "type": "string",
-                "enum": ["HS256"],
-                "default": "HS256"
-              },
               "introspection_url": {
                 "description": "Introspection Endpoint URL",
                 "type": "string"
@@ -120,11 +115,6 @@
               "description": "Audience. The aud claim of the singed JWT. The audience SHOULD be the URL of the Authorization Server’s Token Endpoint.",
               "type": "string"
             },
-            "client_jwt_assertion_algorithm": {
-              "type": "string",
-              "enum": ["RS256"],
-              "default": "RS256"
-            },
             "certificate_type": {
               "title": "Certificate type",
               "type": "string",

diff --git a/gateway/src/apicast/policy/token_introspection/token_introspection.lua b/gateway/src/apicast/policy/token_introspection/token_introspection.lua
@@ -68,7 +68,6 @@ function _M.new(config)
     if self.auth_type == "client_secret_jwt" or self.auth_type == "private_key_jwt" then
       self.client_jwt_assertion_expires_in = self.config.client_jwt_assertion_expires_in or 60
       self.client_aud = config.client_jwt_assertion_audience or ''
-      self.client_algorithm = config.client_jwt_assertion_algorithm
     end
 
     if self.auth_type == "private_key_jwt" then
@@ -129,7 +128,7 @@ local function introspect_token(self, token)
     local assertion = {
       header = {
         typ = "JWT",
-        alg = self.client_algorithm,
+        alg = self.auth_type == "client_secret_jwt" and "HS256" or "RS256",
       },
       payload = {
         iss = self.client_id,