Support Cloud signing (like GCP KMS) which doesn't provide the private key outside the cloud #657

@dineshudayakumar

Even though the ServiceProvider creation takes in a crypto.Signer interface, in places it is directly type-cast to PrivateKey, which doesn't work when we are using GCP KMS, as it doesn't give the private key out of the cloud.

I have raised a PR #654 which could fix this issue, specifically this commit d3c04ad#diff-b57af4b2f370a646566b61e243961a13da838887faf8e18b1c8907b56f8755eb

But I made an assumption here that when the passed key is not a concrete key, it will support only RSA, as most of the IdPs I see only support RSA. I could update it to support ECDSA as well, but it adds some extra complexity, and I thought of getting your opinion on this first and getting this merged first if possible.
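The failure mode described in this issue, as an added Go example that is not code from the project or from PR #654: a signer that exposes only `Public()` and `Sign()` fails a cast to `*rsa.PrivateKey`, while choosing the algorithm from the public key and signing through the `crypto.Signer` interface works. `opaqueSigner`, `newOpaqueRSA`, `keyAlgorithm` and `signSHA256` are hypothetical names, and the wrapped local key is a constructed stand-in for a cloud-held key.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// opaqueSigner (constructed) mimics a KMS key: only Public() and Sign() exist.
type opaqueSigner struct{ inner crypto.Signer }

func (o opaqueSigner) Public() crypto.PublicKey { return o.inner.Public() }
func (o opaqueSigner) Sign(r io.Reader, d []byte, opts crypto.SignerOpts) ([]byte, error) {
	return o.inner.Sign(r, d, opts)
}

// newOpaqueRSA wraps a throwaway local RSA key so no caller can reach it.
func newOpaqueRSA() (crypto.Signer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return opaqueSigner{k}, err
}

// keyAlgorithm inspects the public key, so it works for any crypto.Signer.
func keyAlgorithm(s crypto.Signer) (string, error) {
	switch s.Public().(type) {
	case *rsa.PublicKey:
		return "RSA", nil
	case *ecdsa.PublicKey:
		return "ECDSA", nil
	}
	return "", fmt.Errorf("unsupported key type %T", s.Public())
}

// signSHA256 hashes msg and signs through the interface only.
func signSHA256(s crypto.Signer, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return s.Sign(rand.Reader, d[:], crypto.SHA256)
}

func main() {
	s, _ := newOpaqueRSA()
	_, isConcrete := s.(*rsa.PrivateKey) // the cast the issue describes: false
	alg, _ := keyAlgorithm(s)
	sig, err := signSHA256(s, []byte("constructed sample"))
	fmt.Println(isConcrete, alg, len(sig), err)
}
```

Passing `crypto.SHA256` as the options yields an RSA PKCS#1 v1.5 signature from the standard library's RSA key; a remote signer decides for itself how it honours the options it is given.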