From 22c86d09f834eb3669034c6fdd6713fc88ccaa89 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Wed, 18 Mar 2015 20:09:06 -0400 Subject: [PATCH] put 'kid' into JWS header, closes #784 --- .../connect/service/impl/DefaultOIDCTokenService.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java index 0e3f47986..f05481629 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java @@ -178,10 +178,14 @@ public class DefaultOIDCTokenService implements OIDCTokenService { // sign it with the client's secret signer.signJwt((SignedJWT) idToken); } else { - idClaims.setCustomClaim("kid", jwtService.getDefaultSignerKeyId()); - idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); - + idClaims.setCustomClaim("kid", jwtService.getDefaultSignerKeyId()); + + JWSHeader header = new JWSHeader(signingAlg); + header.setKeyID(jwtService.getDefaultSignerKeyId()); + + idToken = new SignedJWT(header, idClaims); + // sign it with the server's key jwtService.signJwt((SignedJWT) idToken); }
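Review bot: The else branch now records the key id twice, once through the retained `idClaims.setCustomClaim("kid", ...)` and once through the new `header.setKeyID(...)`, each with its own call to `jwtService.getDefaultSignerKeyId()`. `kid` is a JOSE header parameter that verifiers use to pick the key from the JWKS, so the payload copy is redundant and gives relying parties a second value that could diverge. Unless a client is known to depend on the claim, I would drop it, or at least read the id once with `String signerKeyId = jwtService.getDefaultSignerKeyId();` and use that local in both places. It is also worth confirming that `jwtService.signJwt(...)` always signs with the default signer for the requested `signingAlg`, because a header `kid` naming a different key than the one used would break signature verification, most visibly during key rotation. The enclosing method begins and ends outside the hunk, so other signing paths in it could not be checked.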