add key ID to the ID token, used for non-dpop applications

ylebre · ylebre · commit bb634834d006 · 2023-11-16T13:13:10.000+01:00
diff --git a/src/TokenGenerator.php b/src/TokenGenerator.php
@@ -4,6 +4,7 @@
 
 use Pdsinterop\Solid\Auth\Exception\InvalidTokenException;
 use Pdsinterop\Solid\Auth\Utils\DPop;
+use Pdsinterop\Solid\Auth\Utils\Jwks;
 use Pdsinterop\Solid\Auth\Enum\OpenId\OpenIdConnectMetadata as OidcMeta;
 use Laminas\Diactoros\Response\JsonResponse;
 use League\OAuth2\Server\CryptTrait;
@@ -88,6 +89,10 @@ public function generateIdToken($accessToken, $clientId, $subject, $nonce, $priv
 			$token = $token->withClaim("cnf", [
 				"jkt" => $jkt,
 			]);
+		} else {
+			// legacy mode
+			$jwks = $this->getJwks();
+			$token = $token->withHeader('kid', $jwks['keys'][0]['kid']);
 		}
 
 		return $token->getToken($jwtConfig->signer(), $jwtConfig->signingKey())->toString();
@@ -201,4 +206,10 @@ private function makeJwkThumbprint($dpop): string
 
 		return $this->dpopUtil->makeJwkThumbprint($jwk);
 	}
+
+	private function getJwks() {
+		$key = $this->config->getKeys()->getPublicKey();
+		$jwks = new Jwks($key);
+		return json_decode($jwks->__toString(), true);
+	}
 }
