Missing algorithm negotiation resulting in signed JWT rejected when using OpenID Connect

This is a bug in Liferay's source that is causing it to not work with auth0. Auth0 supports two JWT algorithms, HS256 and RS256. They are returned in that order, as the supporting algorithms [ HS256, RS256 ].

Liferay 7.3 does not support HS256, only RS256. However, the OIDC module does not handle the list of supported algorithms properly. The code takes the first one in the list, HS256 in this case. What it should do is loop through the list looking for a supported algorithm and then select it.

This is the file with the problem:
portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectMetadataFactoryImpl.java

Line 232:

if (ListUtil.isNotEmpty(jwsAlgorithms)) {
_oidcClientMetadata.setIDTokenJWSAlg(jwsAlgorithms.get(1));
}

Reproduction steps:

1. In a browser, request the Auth0 Discovery Endpoint URL: https://dev-ticv2ops.us.auth0.com/.well-known/openid-configuration
2. Assert that the JSON contents that is returned includes "id_token_signing_alg_values_supported":["HS256","RS256"]
3. Create an Auth0 "application" and make note of its Client ID and Client Secret.
4. Assert that the Auth0 application is using the RS256 signing algorithm (You may find this under its "Advanced" > "OAuth" section)
5. Enable OIDC on portal
6. Add a new OIDC Provider with the aforementioned Client ID, Client Secret and Discovery Endpoint URL
7. Initiate a OIDC SSO using that provider

 Expected result: The SSO completes successfully
 Actual result: The SSO fails and the logs include a statement like "Signed JWT rejected"