From 3a7aee41268d97283c726e84ab590e5cef51f87d Mon Sep 17 00:00:00 2001
From: An Tran
Date: Mon, 17 Jun 2024 14:54:14 +1000
Subject: [PATCH] [token_introspection] Remove algorithm enum from the schema

jsonschema validation fails randomly when enum contains only a single value. For now, remove the algorithm and use the hardcoded value until we can upgrade lua-resty-jwt and support additional signing algorithms.
---
 .../policy/token_introspection/apicast-policy.json | 10 ----------
 .../policy/token_introspection/token_introspection.lua | 3 +--
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/gateway/src/apicast/policy/token_introspection/apicast-policy.json b/gateway/src/apicast/policy/token_introspection/apicast-policy.json
index 4e177e134..2880a24cd 100644
--- a/gateway/src/apicast/policy/token_introspection/apicast-policy.json
+++ b/gateway/src/apicast/policy/token_introspection/apicast-policy.json
@@ -84,11 +84,6 @@
 "description": "Audience. The aud claim of the singed JWT. The audience SHOULD be the URL of the Authorization Server’s Token Endpoint.",
 "type": "string"
 },
- "client_jwt_assertion_algorithm": {
- "type": "string",
- "enum": ["HS256"],
- "default": "HS256"
- },
 "introspection_url": {
 "description": "Introspection Endpoint URL",
 "type": "string"
@@ -120,11 +115,6 @@
 "description": "Audience. The aud claim of the singed JWT. The audience SHOULD be the URL of the Authorization Server’s Token Endpoint.",
 "type": "string"
 },
- "client_jwt_assertion_algorithm": {
- "type": "string",
- "enum": ["RS256"],
- "default": "RS256"
- },
 "certificate_type": {
 "title": "Certificate type",
 "type": "string",
diff --git a/gateway/src/apicast/policy/token_introspection/token_introspection.lua b/gateway/src/apicast/policy/token_introspection/token_introspection.lua
index 36b188a1e..d44d46173 100644
--- a/gateway/src/apicast/policy/token_introspection/token_introspection.lua
+++ b/gateway/src/apicast/policy/token_introspection/token_introspection.lua
@@ -68,7 +68,6 @@ function _M.new(config)
 if self.auth_type == "client_secret_jwt" or self.auth_type == "private_key_jwt" then
 self.client_jwt_assertion_expires_in = self.config.client_jwt_assertion_expires_in or 60
 self.client_aud = config.client_jwt_assertion_audience or ''
- self.client_algorithm = config.client_jwt_assertion_algorithm
 end
 
 if self.auth_type == "private_key_jwt" then
@@ -129,7 +128,7 @@ local function introspect_token(self, token)
 local assertion = {
 header = {
 typ = "JWT",
- alg = self.client_algorithm,
+ alg = self.auth_type == "client_secret_jwt" and "HS256" or "RS256",
 },
 payload = {
 iss = self.client_id,
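Review bot: The new `alg` line in introspect_token's header decides the signing algorithm per request with a silent fallback: every auth_type other than "client_secret_jwt" gets RS256, so any auth type that later reaches this path would be signed with an algorithm nobody selected, and the decision sits far from where the credential type is established. Since _M.new in the first hunk already branches on exactly the two JWT auth types, I'd resolve it there once and keep the header line as it was: `self.client_algorithm = self.auth_type == "client_secret_jwt" and "HS256" or "RS256"` inside that branch of _M.new, with `alg = self.client_algorithm,` here. A comment on that assignment should state the intent, e.g. `-- alg is pinned to the credential type (HS256 for a shared secret, RS256 for a private key); not configurable until lua-resty-jwt supports more algorithms`. Deriving the algorithm from the credential type instead of reading it from configuration is the right direction, so it is worth recording that this is deliberate rather than a stopgap. introspect_token starts and ends outside this hunk.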