fixed backported 'kid' injection

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

@@ -27,6 +27,7 @@ import java.security.SecureRandom;
 import java.text.ParseException;
 import java.util.Date;
 import java.util.Map;
+import java.util.UUID;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -375,6 +376,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 				claimsSet.setIssuer(clientConfig.getClientId());
 				claimsSet.setSubject(clientConfig.getClientId());
 				claimsSet.setAudience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
+				claimsSet.setJWTID(UUID.randomUUID().toString());
 
 				// TODO: make this configurable
 				Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
@@ -384,9 +386,8 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 				claimsSet.setIssueTime(now);
 				claimsSet.setNotBeforeTime(now);
 
-				JWSHeader header = new JWSHeader(alg, null, null, null, null, null, null, null, null, null,
+				JWSHeader header = new JWSHeader(alg);
-						signer.getDefaultSignerKeyId(),
+				header.setKeyID(signer.getDefaultSignerKeyId());
-						null, null);
 				SignedJWT jwt = new SignedJWT(header, claimsSet);
 
 				signer.signJwt(jwt, alg);

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java

@@ -172,9 +172,8 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 						|| signingAlg.equals(JWSAlgorithm.HS384)
 						|| signingAlg.equals(JWSAlgorithm.HS512)) {
 
-					JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+					JWSHeader header = new JWSHeader(signingAlg);
-							jwtService.getDefaultSignerKeyId(),
+					header.setKeyID(jwtService.getDefaultSignerKeyId());
-							null, null);
 					idToken = new SignedJWT(header, idClaims);
 
 					JwtSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
@@ -282,9 +281,8 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
-		JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+		JWSHeader header = new JWSHeader(signingAlg);
-				jwtService.getDefaultSignerKeyId(),
+		header.setKeyID(jwtService.getDefaultSignerKeyId());
-				null, null);
 		SignedJWT signed = new SignedJWT(header, claims);
 
 		jwtService.signJwt(signed);

openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

@@ -97,9 +97,8 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
-		JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+		JWSHeader header = new JWSHeader(signingAlg);
-				jwtService.getDefaultSignerKeyId(),
+		header.setKeyID(jwtService.getDefaultSignerKeyId());
-				null, null);
 		SignedJWT signed = new SignedJWT(header, claims);
 
 		jwtService.signJwt(signed);

openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoJwtView.java

@@ -126,9 +126,8 @@ public class UserInfoJwtView extends UserInfoView {
 				if (client.getUserInfoSignedResponseAlg() != null) {
 					signingAlg = client.getUserInfoSignedResponseAlg(); // override with the client's preference if available
 				}
-				JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+				JWSHeader header = new JWSHeader(signingAlg);
-						jwtService.getDefaultSignerKeyId(),
+				header.setKeyID(jwtService.getDefaultSignerKeyId());
-						null, null);
 				SignedJWT signed = new SignedJWT(header, claims);
 
 				if (signingAlg.equals(JWSAlgorithm.HS256)