
Fix Google id_token to sign with RS256 and expose JWKS public key#166

Open
ikad wants to merge 1 commit into vercel-labs:main from forgxisto:fix/google-idtoken-rs256

Conversation

ikad commented May 28, 2026


Summary

  • Replace HS256 (symmetric HMAC) with RS256 (asymmetric RSA) for signing Google OIDC id_tokens
  • Implement the /oauth2/v3/certs JWKS endpoint (previously returned an empty keys: [])
  • Update the discovery document's id_token_signing_alg_values_supported from ["HS256"] to ["RS256"]

Problem

The Google emulator issued id_tokens signed with HS256 using a hardcoded secret, while OIDC client libraries universally expect RS256 verified against the JWKS endpoint. This caused id_token verification to fail for any library that:

  • Fetched the JWKS from the jwks_uri advertised in /.well-known/openid-configuration
  • Attempted to verify the token signature (e.g. jose, openid-client, Auth.js)

The JWKS endpoint also returned { keys: [] }, making signature verification impossible even if libraries attempted it.

Changes

packages/@emulators/google/src/routes/oauth.ts

  • Generate an RSA key pair at module load (generateKeyPair("RS256")) — same pattern as the Microsoft and Okta emulators
  • Sign id_tokens with the RSA private key using RS256, with a kid header
  • Expose the RSA public key via /oauth2/v3/certs

packages/@emulators/google/src/__tests__/google.test.ts

  • Add id_token presence and claims assertions (iss, aud, sub, email, email_verified, name) to the existing token exchange test
  • Add a test verifying the JWKS endpoint returns a valid RSA public key
  • Add a test verifying the id_token signature using jwtVerify against the JWKS endpoint
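The issue-and-verify flow this PR describes (RSA key pair generated at module load, id_token signed with RS256 and a kid header, public half published as a JWKS, client verifying the signature against that JWKS), as an added example that is not part of the PR or the emulator code. It uses Node's built-in crypto module rather than jose so it runs offline; the function names, issuer URL, client id and claims are constructed for the demo.

```typescript
// Added example, not code from the vercel-labs emulator repository or this PR.
// Reproduces the RS256 + JWKS pattern the PR describes using only Node's
// built-in crypto (no jose). Function names, issuer/audience strings and the
// claims below are constructed for the demo.
import {
  createPublicKey,
  createSign,
  createVerify,
  generateKeyPairSync,
  randomUUID,
} from "node:crypto";

type Jwk = { kty?: string; n?: string; e?: string; kid?: string; alg?: string; use?: string };
type Jwks = { keys: Jwk[] };

const b64url = (data: Buffer | string): string =>
  (typeof data === "string" ? Buffer.from(data, "utf8") : data).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// One RSA key pair generated at module load, as the PR does for the emulator.
// The private key never leaves this module; only the public half is published.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const KID = randomUUID();

// Issuer side: what a JWKS endpoint such as /oauth2/v3/certs should return.
// export({ format: "jwk" }) on a public KeyObject yields only kty/n/e, so no
// private parameters can leak; kid/alg/use let clients select the right key.
export function jwks(): Jwks {
  const pub = publicKey.export({ format: "jwk" }) as Jwk;
  return { keys: [{ ...pub, kid: KID, alg: "RS256", use: "sig" }] };
}

// Issuer side: compact JWS, alg RS256 (RSASSA-PKCS1-v1_5 with SHA-256), kid in the header.
export function issueIdToken(claims: Record<string, unknown>): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT", kid: KID }));
  const payload = b64url(JSON.stringify(claims));
  const signingInput = `${header}.${payload}`;
  const signer = createSign("RSA-SHA256");
  signer.update(signingInput);
  return `${signingInput}.${b64url(signer.sign(privateKey))}`;
}

// Client side: what a library doing jwtVerify against jwks_uri effectively does.
// The algorithm is pinned before any key lookup, so a token whose header claims
// HS256 is rejected outright instead of being checked as an HMAC.
export function verifyIdToken(
  token: string,
  keySet: Jwks,
  expected: { iss: string; aud: string },
): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString("utf8")) as { alg?: string; kid?: string };
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const jwk = keySet.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new Error("no JWKS key matches kid");
  const key = createPublicKey({ key: jwk, format: "jwk" });
  const verifier = createVerify("RSA-SHA256");
  verifier.update(`${h}.${p}`);
  if (!verifier.verify(key, fromB64url(s))) throw new Error("signature verification failed");
  const claims = JSON.parse(fromB64url(p).toString("utf8")) as Record<string, unknown>;
  // aud may be an array in general; this demo issues a single string.
  if (claims.iss !== expected.iss) throw new Error("iss mismatch");
  if (claims.aud !== expected.aud) throw new Error("aud mismatch");
  const now = Math.floor(Date.now() / 1000);
  if (typeof claims.exp !== "number" || claims.exp < now) throw new Error("token expired or missing exp");
  return claims;
}

// Round trip: issue, publish the JWKS, verify exactly as a relying party would.
export function demo(): Record<string, unknown> {
  const now = Math.floor(Date.now() / 1000);
  const token = issueIdToken({
    iss: "http://localhost:4000",
    aud: "demo-client-id",
    sub: "1234567890",
    email: "user@example.com",
    email_verified: true,
    name: "Demo User",
    iat: now,
    exp: now + 3600,
  });
  return verifyIdToken(token, jwks(), { iss: "http://localhost:4000", aud: "demo-client-id" });
}
```

Two points worth carrying into a real client: pin the accepted algorithm to what the discovery document advertises in id_token_signing_alg_values_supported rather than trusting the token header's alg, and select the JWKS key by kid so the issuer can rotate keys without breaking verification.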

vercel bot commented May 28, 2026

@ikad is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.
