From fa215009cdf6921b68ebf5eaab250f767cc672fe Mon Sep 17 00:00:00 2001
From: Daniel Rosel
Date: Fri, 3 Apr 2026 19:31:23 +0200
Subject: [PATCH] allow jwt alg from token header
---
 dlib/auth/oidc.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dlib/auth/oidc.py b/dlib/auth/oidc.py
index 55d236c..590f954 100644
--- a/dlib/auth/oidc.py
+++ b/dlib/auth/oidc.py
@@ -74,11 +74,12 @@ class OidcTokenValidator:
 key = await self._get_key(header.get("kid"))
 if not key:
 raise TokenValidationError("Unable to resolve signing key")
+ alg = header.get("alg") or key.get("alg") or "RS256"
 try:
 claims = jwt.decode(
 token,
 key,
- algorithms=[key.get("alg", "RS256")],
+ algorithms=[alg],
 audience=self.audience,
 issuer=self.issuer,
 )
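Review bot: The added `alg = header.get("alg") or key.get("alg") or "RS256"` line lets the still-unverified token header pick the only entry passed as `algorithms=[alg]`, so the allow-list no longer restricts anything: whatever algorithm the sender names is the one the decoder is told to accept. The accepted algorithm should come from the resolved key or from configuration, as the removed `algorithms=[key.get("alg", "RS256")]` did. If keys without an `alg` field are the reason for the change, compare the header against a fixed list before decoding, e.g. `if header.get("alg") not in ALLOWED_ALGS: raise TokenValidationError("Unsupported signing algorithm")`, where `ALLOWED_ALGS` is a placeholder for a configured set that is not in the visible code. Whether the JWT library would reject a key-type mismatch or an unsigned token on its own cannot be told from this hunk, so validation should not depend on it. The enclosing method starts and ends outside the hunk.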