Merge pull request #383 from smalihaider-daasi/add-kid-in-oidc-jwks-endpoint

Make "kid" configurable for the openid_connect frontend

Author: c00kiemon5ter

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -2,6 +2,7 @@ module: satosa.frontends.openid_connect.OpenIDConnectFrontend
 name: OIDC
 config:
   signing_key_path: frontend.key
+  signing_key_id: frontend.key1
   db_uri: mongodb://db.example.com # optional: only support MongoDB, will default to in-memory storage if not specified
   client_db_path: /path/to/your/cdb.json
   sub_hash_salt: randomSALTvalue # if not specified, it is randomly generated on every startup

src/satosa/frontends/openid_connect.py

@@ -44,7 +44,8 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
         super().__init__(auth_req_callback_func, internal_attributes, base_url, name)
 
         self.config = conf
-        self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]), use="sig", alg="RS256")
+        self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]), use="sig", alg="RS256",
+                                  kid=conf.get("signing_key_id", ""))
 
     def _create_provider(self, endpoint_baseurl):
         response_types_supported = self.config["provider"].get("response_types_supported", ["id_token"])
@@ -240,6 +241,10 @@ def _validate_config(self, config):
             if k not in config:
                 raise ValueError("Missing configuration parameter '{}' for OpenID Connect frontend.".format(k))
 
+        if "signing_key_id" in config and type(config["signing_key_id"]) is not str:
+            raise ValueError(
+                "The configuration parameter 'signing_key_id' is not defined as a string for OpenID Connect frontend.")
+
     def _get_authn_request_from_state(self, state):
         """
         Extract the clietns request stoed in the SATOSA state.