From 7fd5a4a2e3a6e9ec5dc95bd7a3667e7f01833253 Mon Sep 17 00:00:00 2001
From: Dmytri Eck
Date: Tue, 4 Jun 2024 22:44:09 -0400
Subject: [PATCH] Signing JWT based on the default keyId. Currently, it signs based on the first key which has the desired algorithm.
---
 .../openid/connect/client/OIDCAuthenticationFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index 841252547..7e513fc0d 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -425,7 +425,10 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 					null, null);
 			SignedJWT jwt = new SignedJWT(header, claimsSet.build());
-			signer.signJwt(jwt, alg);
+			if (signer.getDefaultSignerKeyId() != null)
+				signer.signJwt(jwt);
+			else
+				signer.signJwt(jwt, alg);
 			form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
 			form.add("client_assertion", jwt.serialize());
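Review bot: The new default-key branch signs with whatever algorithm the default signer key uses, while the JWS header handed to `new SignedJWT(header, ...)` two lines above is built with `alg` outside this hunk, so when the default key's algorithm is not `alg` the serialized `client_assertion` carries a header that disagrees with its signature and `alg` is silently ignored on this path. Either derive the header algorithm from the same source as the key, or only take the branch when the two agree — if the signer exposes its default algorithm (something like a `getDefaultSigningAlgorithm()` accessor; confirm the actual name), compare it with `alg` in the condition, e.g. `if (signer.getDefaultSignerKeyId() != null && alg.equals(signer.getDefaultSigningAlgorithm()))`, and otherwise fall through to `signer.signJwt(jwt, alg)`. The unbraced if/else also departs from the braced style the rest of the file presumably uses; `if (...) { ... } else { ... }` would match. The enclosing method starts and ends outside the hunk, so I cannot see how `alg` and the header's kid are chosen.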