From b81aea14b4d964ebf68e14f4d6b85a558484bb6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Fri, 5 Jun 2015 12:55:06 +0000
Subject: [PATCH] Define an ID for public key (#184)

---
 .../lib/Lemonldap/NG/Manager/Attributes.pm | 8 ++++++--
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm | 1 +
 .../lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm | 2 ++
 .../lib/Lemonldap/NG/Portal/_OpenIDConnect.pm | 2 ++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
index 1b3df46fe..da91962f0 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@@ -1972,8 +1972,12 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
 },
 documentation => 'OpenID Connect Authentication Context Class Ref',
 },
- oidcServicePrivateKeySig => { type => 'RSAPrivateKey', },
- oidcServicePublicKeySig => { type => 'RSAPublicKey', },
+ oidcServicePrivateKeySig => { type => 'RSAPrivateKey', },
+ oidcServicePublicKeySig => { type => 'RSAPublicKey', },
+ oidcServiceKeyIdSig => {
+ type => 'text',
+ documentation => 'OpenID Connect Signature Key ID',
+ },
 oidcServiceAllowDynamicRegistration => {
 type => 'bool',
 default => '0',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
index 0f2d66a7b..17a8ea915 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
@@ -827,6 +827,7 @@ sub tree {
 group => [
 'oidcServicePrivateKeySig',
 'oidcServicePublicKeySig',
+ 'oidcServiceKeyIdSig',
 'oidcServiceAllowDynamicRegistration',
 'oidcServiceAllowAuthorizationCodeFlow',
 'oidcServiceAllowImplicitFlow',
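Review bot: The new `oidcServiceKeyIdSig` attribute is declared as unconstrained `text`, yet the value is emitted verbatim as the `kid` member of the published JWKS and of every JWT header (see the two portal hunks of this same commit), where relying parties compare it as an opaque string. Leading or trailing whitespace, or an edit of the value without a matching key rotation, would silently break signature lookup on the RP side; if the attribute table supports a validation pattern, as the `m{^(?:ldapi://…` line quoted in the hunk header suggests, a `test => qr/^[\w\-\.]+$/` style constraint would catch the first case. The documentation string could also say what the value is for, e.g. `documentation => 'OpenID Connect Signature Key ID (published as kid in JWKS and JWT headers; change it whenever the signing key is rotated)'`. The enclosing attribute hash starts and ends outside the hunk.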
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
index 6adcd3772..cc23807e1 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@@ -386,10 +386,12 @@ sub issuerForUnAuthUser {
 my $jwks = { keys => [] };
 my $public_key_sig = $self->{oidcServicePublicKeySig};
+ my $key_id_sig = $self->{oidcServiceKeyIdSig};
 if ($public_key_sig) {
 my $key = $self->key2jwks($public_key_sig);
 $key->{kty} = "RSA";
 $key->{use} = "sig";
+ $key->{kid} = $key_id_sig if $key_id_sig;
 push @{ $jwks->{keys} }, $key;
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
index c8e3e1f0a..22d323a49 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
@@ -1224,6 +1224,8 @@ sub createJWT {
 # JWT header
 my $jwt_header_hash = { typ => "JWT", alg => $alg };
+ $jwt_header_hash->{kid} = $self->{oidcServiceKeyIdSig}
+ if $self->{oidcServiceKeyIdSig};
 my $jwt_header = encode_base64( encode_json($jwt_header_hash), "" );
 if ( $alg eq "none" ) {
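Review bot: `$key->{kid} = $key_id_sig if $key_id_sig;` silently omits the identifier when the configured value is `0`, because a plain truthiness test is applied to a free-text setting; `$key->{kid} = $key_id_sig if defined $key_id_sig && length $key_id_sig;` keeps the published JWKS faithful to the configuration. The same truthiness check guards the `kid` header in createJWT, so the two sides agree today, but any future divergence (validating or normalising the value on only one side) will make strict `kid` matching on the relying party fail, and factoring the lookup into one accessor used by both would prevent that. issuerForUnAuthUser continues outside the hunk.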
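Review bot: The `kid` header is added regardless of `$alg`, and the `if ( $alg eq "none" )` branch immediately below shows this helper also produces unsigned tokens, which then carry a `kid` naming an RSA key that was never used; if the sub also signs with a non-RSA algorithm further down (not visible here), the same mismatch would steer a relying party to the wrong verification key. Guard it on the RSA path, e.g. `$jwt_header_hash->{kid} = $self->{oidcServiceKeyIdSig} if $self->{oidcServiceKeyIdSig} && $alg =~ /^RS/;`, adjusted to whatever algorithms createJWT actually signs with. Note also that the truthiness test treats a configured id of `0` as absent. createJWT starts and ends outside the hunk.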