Support per-client signing algorithm

### Preflight checklist

- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's [Code of Conduct](https://github.com/ory/fosite/blob/master/CODE_OF_CONDUCT.md).
- [X] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/fosite/blob/master/CONTRIBUTING.md).
- [ ] I have joined the [Ory Community Slack](https://slack.ory.sh).
- [ ] I am signed up to the [Ory Security Patch Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).

### Ory Network Project

_No response_

### Describe your problem

Current implementation of `Signer` interface and `DefaultSigner` code assumes that there is only one private key used by Fosite and based on that private key an RS256 or ES256 signature is made for all tokens. This is problematic because it is hard to support anything besides RS256. RS256 is mandated by the spec that it should always be supported so if you want to support also ES256 you have a problem - clients cannot opt-in into ES256.

Self-registration supports `id_token_signed_response_alg` for clients to select the signing algorithm.

This has been discussed by @vivshankar and @james-d-elliott in [this issue as well](https://github.com/ory/fosite/issues/630#issuecomment-1025504286). You can also see pains implementing this currently (one has to pass client data through `ctx`).

### Describe your ideal solution

I think another interface should be implemented, `ClientSigner` maybe, which extends `Signer` with the following method:

```go
GenerateForClient(ctx context.Context, client ClientSigner, claims MapClaims, header Mapper) (string, string, error)
```

`ClientSigner` is another interface which extends `Client` to add:

```go
GetIdTokenSignedResponseAlg() string
GetUserInfoSignedResponseAlg() string
```

`GetUserInfoSignedResponseAlg` I added for future when #581 is made.

Then `DefaultSigner` should implement `GenerateForClient` and `GenerateForClient` should be used instead of `Generate` when available.

I am open to different approach to addressing this. The important thing is that fosite would have to accept RSA and ECDSA keys which would then use them to sign tokens as picked by the client.

### Workarounds or alternatives

You can try to implement `Signer` interface yourself and pass client data through `ctx`.

### Version

latest master

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support per-client signing algorithm #788

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Workarounds or alternatives

Version

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Support per-client signing algorithm #788

Description

Preflight checklist

Ory Network Project

Describe your problem

Describe your ideal solution

Workarounds or alternatives

Version

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions