Allow configuring JWT verification algorithms

[pulsejet]

Currently all of the following are allowed, but they may not be secure enough.

OpenID-Connect-PHP/src/OpenIDConnectClient.php

Lines 1226 to 1259 in 6aae75b

	$payload = implode('.', $parts);
	switch ($header->alg) {
	case 'RS256':
	case 'PS256':
	case 'PS512':
	case 'RS384':
	case 'RS512':
	$hashtype = 'sha' . substr($header->alg, 2);
	$signatureType = $header->alg === 'PS256' || $header->alg === 'PS512' ? 'PSS' : '';
	if (isset($header->jwk)) {
	$jwk = $header->jwk;
	$this->verifyJWKHeader($jwk);
	} else {
	$jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
	if ($jwks === NULL) {
	throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
	}
	$jwk = $this->getKeyForHeader($jwks->keys, $header);
	}
	$verified = $this->verifyRSAJWTsignature($hashtype,
	$jwk,
	$payload, $signature, $signatureType);
	break;
	case 'HS256':
	case 'HS512':
	case 'HS384':
	$hashtype = 'SHA' . substr($header->alg, 2);
	$verified = $this->verifyHMACJWTsignature($hashtype, $this->getClientSecret(), $payload, $signature);
	break;
	default:
	throw new OpenIDConnectClientException('No support for signature type: ' . $header->alg);
	}
	return $verified;

From pulsejet/nextcloud-oidc-login#126