Define an ID for public key (#184)

10 years ago · b81aea14b4
parent f4119999d0
commit b81aea14b4
4 changed files with 11 additions and 2 deletions
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1972,8 +1972,12 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            },
            documentation => 'OpenID Connect Authentication Context Class Ref',
        },
-        oidcServicePrivateKeySig            => { type => 'RSAPrivateKey', },
-        oidcServicePublicKeySig             => { type => 'RSAPublicKey', },
+        oidcServicePrivateKeySig => { type => 'RSAPrivateKey', },
+        oidcServicePublicKeySig  => { type => 'RSAPublicKey', },
+        oidcServiceKeyIdSig      => {
+            type          => 'text',
+            documentation => 'OpenID Connect Signature Key ID',
+        },
        oidcServiceAllowDynamicRegistration => {
            type          => 'bool',
            default       => '0',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
@ -827,6 +827,7 @@ sub tree {
                    group => [
                        'oidcServicePrivateKeySig',
                        'oidcServicePublicKeySig',
+                        'oidcServiceKeyIdSig',
                        'oidcServiceAllowDynamicRegistration',
                        'oidcServiceAllowAuthorizationCodeFlow',
                        'oidcServiceAllowImplicitFlow',
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@ -386,10 +386,12 @@ sub issuerForUnAuthUser {
        my $jwks = { keys => [] };

        my $public_key_sig = $self->{oidcServicePublicKeySig};
+        my $key_id_sig     = $self->{oidcServiceKeyIdSig};
        if ($public_key_sig) {
            my $key = $self->key2jwks($public_key_sig);
            $key->{kty} = "RSA";
            $key->{use} = "sig";
+            $key->{kid} = $key_id_sig if $key_id_sig;
            push @{ $jwks->{keys} }, $key;
        }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
@ -1224,6 +1224,8 @@ sub createJWT {

    # JWT header
    my $jwt_header_hash = { typ => "JWT", alg => $alg };
+    $jwt_header_hash->{kid} = $self->{oidcServiceKeyIdSig}
+      if $self->{oidcServiceKeyIdSig};
    my $jwt_header = encode_base64( encode_json($jwt_header_hash), "" );

    if ( $alg eq "none" ) {