oidcc-client-test-aggregated-claims signs Userinfo aggregated claim with `alg: none` but that is not listed as a supported signing alg
What did you do?
I ran the oidcc-client-test-aggregated-claims test with UeberauthOidcc, based on the Oidcc library.
What did you expect would happen?
The test should pass.
What did happen?
Most of the test is successful: we get the access / ID tokens and the aggregated claims from the userinfo endpoint.
Example output from the userinfo endpoint:
{
  "_claim_names": {
    "address": "src1",
    "phone_number": "src1"
  },
  "_claim_sources": {
    "src1": {
      "JWT": "eyJhbGciOiJub25lIn0.eyJhZGRyZXNzIjogewoic3RyZWV0X2FkZHJlc3MiOiAiMTIzNCBIb2xseXdvb2QgQmx2ZC4iLAoibG9jYWxpdHkiOiAiTG9zIEFuZ2VsZXMiLAoicmVnaW9uIjogIkNBIiwKInBvc3RhbF9jb2RlIjogIjkwMjEwIiwKImNvdW50cnkiOiAiVVMifSwKInBob25lX251bWJlciI6ICIrMSAoMzEwKSAxMjMtNDU2NyIKfQ."
    }
  },
  "sub": "user-subject-1234531"
}
The src1 claim provides a JWT signed with the none algorithm. However, the well-known document does not list this as a supported signature type:
"userinfo_signing_alg_values_supported": [
  "RS256",
  "RS384",
  "RS512",
  "PS256",
  "PS384",
  "PS512",
  "ES256",
  "ES256K",
  "ES384",
  "ES512",
  "EdDSA"
]
Given that there's nothing specifying that the none algorithm should be a supported signature type for the claim, the implementation rejects the Userinfo response. If the expectation is that the aggregated claim does not need to be validated, that is not clear from my reading of the specifications.
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
If you believe a failure the conformance suite is reporting is not a valid failure, you MUST include a hyperlink for the exact section of the relevant specification that explains how the behaviour of your software is compliant, and you MUST include a quote of the exact clause/phrase you are relying on
Aggregated and Distributed Claims: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
This doesn't appear to say anything about validating the JWT.
UserInfo Response Validation: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponseValidation
Point 3: "If the response was signed, the Client SHOULD validate the signature according to JWS."
I read this as saying the client SHOULD validate the signature of the aggregated claim, and we are correct to reject it.
OpenID Provider Metadata: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
userinfo_signing_alg_values_supported: "OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the UserInfo Endpoint to encode the Claims in a JWT. The value none MAY be included."
Given that none is allowed here, I don't see why it wouldn't be included with the test if the aggregated claim is signed with that algorithm.
If the problem relates to a test, please provide a link to the log-detail.html page on our server (the test result does NOT need to be 'published')
https://www.certification.openid.net/log-detail.html?log=9VOP9chzdX9CTpu
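As an added illustration (this is not the reporter's code, nor UeberauthOidcc or Oidcc), the following Python resolves the `_claim_names` / `_claim_sources` structure from the userinfo response above, splits the compact JWS in `src1`, and applies the alg policy against `userinfo_signing_alg_values_supported` before any signature work. The `USERINFO` and `METADATA` values are constructed from the JSON quoted in the report; the function names and the `verify` callback signature are assumptions.

```python
"""Added example: resolve OIDC aggregated claims and enforce the JWS alg policy.

Illustrative code written for this report; not UeberauthOidcc or Oidcc.
USERINFO and METADATA are constructed from the JSON quoted in the report.
"""
import base64
import json
from typing import Callable

# Constructed from the userinfo response quoted in the report
USERINFO = {
    "_claim_names": {"address": "src1", "phone_number": "src1"},
    "_claim_sources": {
        "src1": {
            "JWT": (
                "eyJhbGciOiJub25lIn0."
                "eyJhZGRyZXNzIjogewoic3RyZWV0X2FkZHJlc3MiOiAiMTIzNCBIb2xseXdvb2QgQmx2ZC4iLAoibG9jYWxpdHkiOiAiTG9zIEFuZ2VsZXMiLAoicmVnaW9uIjogIkNBIiwKInBvc3RhbF9jb2RlIjogIjkwMjEwIiwKImNvdW50cnkiOiAiVVMifSwKInBob25lX251bWJlciI6ICIrMSAoMzEwKSAxMjMtNDU2NyIKfQ."
            )
        }
    },
    "sub": "user-subject-1234531",
}

# Constructed from the discovery document quoted in the report
METADATA = {
    "userinfo_signing_alg_values_supported": [
        "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
        "ES256", "ES256K", "ES384", "ES512", "EdDSA",
    ]
}


class AggregatedClaimError(ValueError):
    """Raised when an aggregated claim source cannot be accepted."""


def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_compact_jws(token: str) -> tuple[dict, bytes, bytes, bytes]:
    """Split a compact JWS into (header, payload, signature, signing_input)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AggregatedClaimError("not a compact JWS: expected three segments")
    header = json.loads(b64url_decode(parts[0]))
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, b64url_decode(parts[1]), b64url_decode(parts[2]), signing_input


def check_alg_policy(header: dict, metadata: dict) -> str:
    """Reject alg=none outright and any alg the provider does not advertise."""
    alg = header.get("alg")
    if alg is None or alg == "none":
        raise AggregatedClaimError("unsecured JWS (alg=none) is not accepted")
    supported = metadata.get("userinfo_signing_alg_values_supported", [])
    if alg not in supported:
        raise AggregatedClaimError(
            f"alg {alg!r} not in userinfo_signing_alg_values_supported")
    return alg


# Assumed verifier signature: (header, signing_input, signature) -> bool.
# Real key lookup (jwks_uri, kid) belongs to the caller; it is never reached
# for a token whose alg fails the policy check.
Verifier = Callable[[dict, bytes, bytes], bool]


def resolve_aggregated_claims(userinfo: dict, metadata: dict,
                              verify: Verifier) -> dict:
    """Return the claims for every _claim_names entry backed by a verified JWT."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved: dict = {}
    decoded_sources: dict = {}
    for claim, src_name in names.items():
        if src_name not in decoded_sources:
            source = sources.get(src_name)
            if source is None or "JWT" not in source:
                raise AggregatedClaimError(
                    f"no aggregated JWT for source {src_name!r}")
            header, payload, signature, signing_input = parse_compact_jws(
                source["JWT"])
            check_alg_policy(header, metadata)  # raises before signature work
            if not verify(header, signing_input, signature):
                raise AggregatedClaimError(
                    f"bad signature on source {src_name!r}")
            decoded_sources[src_name] = json.loads(payload)
        if claim not in decoded_sources[src_name]:
            raise AggregatedClaimError(
                f"source {src_name!r} does not carry {claim!r}")
        resolved[claim] = decoded_sources[src_name][claim]
    return resolved


def describe_rejection(userinfo: dict = USERINFO,
                       metadata: dict = METADATA) -> str:
    """Run the check on the report's data and return the rejection reason."""
    try:
        # A verifier that accepts everything, to show the alg check fires first
        resolve_aggregated_claims(userinfo, metadata, verify=lambda *_: True)
        return "accepted"
    except AggregatedClaimError as exc:
        return str(exc)


if __name__ == "__main__":
    print(describe_rejection())
```

The alg check runs before the verifier is consulted, so the `src1` token is refused even with a verifier that accepts every signature; whether a client should ever accept `none` when the provider does advertise it is a deployment decision, and this example never does.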