BerkeleyLibrary · davezuckerman · Apr 21, 2026 · Apr 21, 2026
diff --git a/app/controllers/concerns/alma_jwt_validator.rb b/app/controllers/concerns/alma_jwt_validator.rb
@@ -18,7 +18,7 @@ def jwk_set
 
   def decode_and_verify_jwt(token)
     options = {
-      algorithm: 'RS256',
+      algorithm: 'ES256',
       verify_expiration: true,
       verify_aud: false,
       verify_iss: true,

diff --git a/spec/controllers/concerns/alma_jwt_validator_spec.rb b/spec/controllers/concerns/alma_jwt_validator_spec.rb
@@ -8,25 +8,25 @@
   let(:jwks_url) { "https://api-na.hosted.exlibrisgroup.com/auth/#{alma_institution_code}/jwks.json" }
   let(:expected_iss) { 'Prima' }
 
-  # Generate an RSA key pair for testing
-  let(:rsa_key) { OpenSSL::PKey::RSA.new(2048) }
+  # Generate an EC key pair for testing
+  let(:ec_key) { OpenSSL::PKey::EC.generate('prime256v1') }
   let(:kid) { 'test-key-id' }
   let(:test_payload) { { 'userName' => '10335026', 'iss' => expected_iss } }
 
-  # Helper to create JWK hash from RSA key using JWT::JWK
+  # Helper to create JWK hash from EC key using JWT::JWK
   def create_jwk_hash(key, kid)
     jwk = JWT::JWK.new(key, kid: kid)
     jwk.export
   end
 
   # Helper to generate a valid JWT
-  def generate_jwt(payload, key, kid, algorithm = 'RS256')
+  def generate_jwt(payload, key, kid, algorithm = 'ES256')
     header = { 'kid' => kid, 'alg' => algorithm }
     JWT.encode(payload, key, algorithm, header)
   end
 
   before do
-    jwk = create_jwk_hash(rsa_key, kid)
+    jwk = create_jwk_hash(ec_key, kid)
 
     stub_request(:get, jwks_url)
       .to_return(
@@ -39,7 +39,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
   describe '.decode_and_verify_jwt' do
     context 'with a valid JWT' do
       it 'returns the decoded payload' do
-        token = generate_jwt(test_payload, rsa_key, kid)
+        token = generate_jwt(test_payload, ec_key, kid)
         result = AlmaJwtValidator.decode_and_verify_jwt(token)
 
         expect(result).to be_an(Array)
@@ -51,7 +51,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
     context 'with an invalid signature' do
       it 'raises JWT::DecodeError' do
         # Generate a token with a different key
-        different_key = OpenSSL::PKey::RSA.new(2048)
+        different_key = OpenSSL::PKey::EC.generate('prime256v1')
         token = generate_jwt(test_payload, different_key, kid)
 
         expect do
@@ -62,7 +62,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
 
     context 'with an unknown key id' do
       it 'raises JWT::DecodeError' do
-        token = generate_jwt(test_payload, rsa_key, 'unknown-kid')
+        token = generate_jwt(test_payload, ec_key, 'unknown-kid')
 
         expect do
           AlmaJwtValidator.decode_and_verify_jwt(token)
@@ -81,7 +81,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
     context 'when JWKS endpoint is unreachable' do
       it 'raises an error' do
         stub_request(:get, jwks_url).to_return(status: 500)
-        token = generate_jwt(test_payload, rsa_key, kid)
+        token = generate_jwt(test_payload, ec_key, kid)
 
         expect do
           AlmaJwtValidator.decode_and_verify_jwt(token)