From e8bcc39ca92ac94b8bd43ac179883f4aad6ac878 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 01:37:22 +0200
Subject: [PATCH] fix: add ES384 to OidcTokenExchanger JWT algorithm list

Logto signs id_tokens with ES384 by default. SecurityConfig already included it but OidcTokenExchanger only had RS256 and ES256.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../com/cameleer3/server/app/security/OidcTokenExchanger.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 4110cdeb..c4e1c835 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -231,7 +231,7 @@ public class OidcTokenExchanger {
 jwkSource = JWKSourceBuilder.create(jwksUrl).build();
 }
- Set expectedAlgs = Set.of(JWSAlgorithm.RS256, JWSAlgorithm.ES256);
+ Set expectedAlgs = Set.of(JWSAlgorithm.ES384, JWSAlgorithm.ES256, JWSAlgorithm.RS256);
 JWSKeySelector keySelector = new JWSVerificationKeySelector<>(expectedAlgs, jwkSource);
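Review bot: The `expectedAlgs` set is a second hand-maintained copy of the id_token algorithm allow-list that, per the commit message, also lives in SecurityConfig. The two had already drifted once, so the next algorithm change can leave the two verification paths disagreeing again. I would define the set once, for example `static final Set<JWSAlgorithm> ALLOWED_ID_TOKEN_ALGS = Set.of(JWSAlgorithm.ES384, JWSAlgorithm.ES256, JWSAlgorithm.RS256);` (name is a suggestion), and reference it from both classes. A short comment on that constant, such as `// Explicit allow-list of asymmetric JWS algorithms accepted for id_tokens; do not widen without review`, would record why it is fixed rather than taken from the token header. The enclosing method starts and ends outside this hunk, so how `keySelector` is used afterwards is not visible here.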