From c600787f1ccde511461a0d580e2c9224b7d7392b Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 12 Nov 2014 16:21:47 -1000
Subject: [PATCH] added key id to id token, closes #725
---
 .../jwt/signer/service/JwtSigningAndValidationService.java | 2 ++
 .../impl/DefaultJwtSigningAndValidationService.java | 1 +
 .../connect/service/impl/DefaultOIDCTokenService.java | 7 ++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
index 61d807b1c..fa35844d4 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@@ -74,6 +74,8 @@ public interface JwtSigningAndValidationService {
 */
 public void signJwt(SignedJWT jwt, JWSAlgorithm alg);
+ public String getDefaultSignerKeyId();
+
 /**
 * TODO: method to sign a jwt using a specified algorithm and a key id
 */
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
index 32a27bfcb..980ac3f2a 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@@ -113,6 +113,7 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 /**
 * @return the defaultSignerKeyId
 */
+ @Override
 public String getDefaultSignerKeyId() {
 return defaultSignerKeyId;
 }
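Review bot: The new `getDefaultSignerKeyId()` declaration in the JwtSigningAndValidationService hunk has no Javadoc, while the neighbouring `signJwt` method in the same interface is documented; a caller reading only the interface cannot tell what the returned string identifies or whether it may be null. The contract worth stating is that this is the identifier of the server's default signing key as published in its JWK set, i.e. the value a verifier matches against the JWS header `kid` when selecting the verification key, and what the method returns when no default signer is configured. A suggested comment: `/** @return the key id of this server's default signing key, as published in its JWK set and used as the JWS header "kid"; document whether null is possible when no default signer is configured. */`. The DefaultJwtSigningAndValidationService hunk shows the implementation simply returns a field, so nullability depends on initialization that is outside this patch and should be confirmed before the Javadoc asserts either way.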
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java index 5ea04a722..0e3f47986 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java @@ -166,16 +166,21 @@ public class DefaultOIDCTokenService implements OIDCTokenService { } else { // signed ID token - idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); if (signingAlg.equals(JWSAlgorithm.HS256) || signingAlg.equals(JWSAlgorithm.HS384) || signingAlg.equals(JWSAlgorithm.HS512)) { + + idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); + JwtSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client); // sign it with the client's secret signer.signJwt((SignedJWT) idToken); } else { + idClaims.setCustomClaim("kid", jwtService.getDefaultSignerKeyId()); + + idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); // sign it with the server's key jwtService.signJwt((SignedJWT) idToken);