mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-02-20 14:54:15 +01:00

(doc) openid connect must use RSxxx to sign id token

Sylvain 2022-12-07 16:44:09 +01:00
parent 293ea37293
commit 3dcc4a5803
2 changed files with 8 additions and 0 deletions


@ -4,6 +4,7 @@
- Accounting data is now built each night and saved in database
- OpenAPI endpoint to fetch accounting data
- Updated OpenAPI documentation
- Updated OpenID Connect documentation
- OpenAPI users endpoint offer ability to filter by created_after
- OpenAPI users endpoint return first name, last name, gender, organization and address
- Fix a bug: providing an array of attributes to filter OpenApi data, results in error
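Review bot: the changelog entry `- Updated OpenID Connect documentation` does not say what changed, so an administrator scanning the release notes for an OIDC login failure will not find it. Suggest naming the subject, for example that the troubleshooting guide now covers the `Unable to decode ID token` error and the requirement to sign the ID token with `RSxxx`.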


@ -30,3 +30,10 @@ Not found. Authentication passthru.
This issue may occur if you have misconfigured the environment variable `DEFAULT_HOST` and/or `DEFAULT_PROTOCOL`.
Especially, if you have an automatic redirection (e.g. from example.org to example.com), `DEFAULT_HOST` *MUST* be configured with the redirection target (here example.com).
Once you have reconfigured these variables, please switch back the active authentication provider to FabManager, restart the application, then delete the OIDC provider you configured and re-create a new one for the new settings to be used.
```
Unable to decode ID token
```
This issue may occur if the ID Token signature algorithm is not set to `RSxxx` on your IDP.
Especially, this is not the default option when using LemonLDAP::NG, which uses `HSxxx` as the default algorithm, but you can configure it in `OpenID Connect Relaying Parties` > `my-fab-manager` > `Options` > `Security` > `ID Token signature algorithm`.
Using Keycloak, you can configure it in `Clients` > `my-fab-manager` > `Settings` > `Fine Grain OpenID Connect Configuration` > `ID Token Signature Algorithm`.
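Review bot: the LemonLDAP::NG menu path is written as `OpenID Connect Relaying Parties`, but the OpenID Connect term is "Relying Parties", so the path will not match what the administrator sees in the manager and should be corrected. In the same paragraph, `RSxxx` and `HSxxx` are never expanded: spell out at least one concrete value (for example RS256) so the reader knows what to select in the IdP dropdown, and state whether other signature algorithm families are also rejected. Unlike the `DEFAULT_HOST` entry just above, this entry does not say whether the OIDC provider must be re-created or the application restarted after the IdP setting is changed; add that step or say it is not needed. A blank line after the closing code fence would also keep the explanation visually separate from the error message.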