From bb634834d0065581e610ed6b3df12ef9eff01e13 Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Thu, 16 Nov 2023 13:13:10 +0100
Subject: [PATCH] add key ID to the ID token, used for non-dpop applications
---
 src/TokenGenerator.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/TokenGenerator.php b/src/TokenGenerator.php
index ee48cff..e34112c 100644
--- a/src/TokenGenerator.php
+++ b/src/TokenGenerator.php
@@ -4,6 +4,7 @@
 use Pdsinterop\Solid\Auth\Exception\InvalidTokenException;
 use Pdsinterop\Solid\Auth\Utils\DPop;
+use Pdsinterop\Solid\Auth\Utils\Jwks;
 use Pdsinterop\Solid\Auth\Enum\OpenId\OpenIdConnectMetadata as OidcMeta;
 use Laminas\Diactoros\Response\JsonResponse;
 use League\OAuth2\Server\CryptTrait;
@@ -88,6 +89,10 @@ public function generateIdToken($accessToken, $clientId, $subject, $nonce, $priv
 $token = $token->withClaim("cnf", [
 "jkt" => $jkt,
 ]);
+ } else {
+ // legacy mode
+ $jwks = $this->getJwks();
+ $token = $token->withHeader('kid', $jwks['keys'][0]['kid']);
 }
 return $token->getToken($jwtConfig->signer(), $jwtConfig->signingKey())->toString();
@@ -201,4 +206,10 @@ private function makeJwkThumbprint($dpop): string
 return $this->dpopUtil->makeJwkThumbprint($jwk);
 }
+
+ private function getJwks() {
+ $key = $this->config->getKeys()->getPublicKey();
+ $jwks = new Jwks($key);
+ return json_decode($jwks->__toString(), true);
+ }
 }
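Review bot: The new else branch in generateIdToken indexes `$jwks['keys'][0]['kid']` without checking that getJwks() returned an array holding at least one key with a `kid`; if the JWKS is empty or failed to decode this emits warnings and signs an ID token whose `kid` header is null, which a relying party cannot resolve and which is harder to diagnose than an explicit failure. Fail closed instead: `$kid = $this->getJwks()['keys'][0]['kid'] ?? throw new \RuntimeException('no signing key id available for ID token');` then `$token = $token->withHeader('kid', $kid);`. The `// legacy mode` comment would be more useful as `// no DPoP binding: carry the signing key id in the header so verifiers can select the matching JWKS entry`. The enclosing if/else starts above the hunk, so the condition that selects the DPoP branch is not visible here.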
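Review bot: getJwks() declares no return type and uses a bare `json_decode`, so a decode failure silently hands `null` to generateIdToken instead of raising; declare it `private function getJwks(): array` and decode with `return json_decode((string) $jwks, true, 512, JSON_THROW_ON_ERROR);`. A one-line docblock would also help, e.g. `/** Builds the JWKS document for the configured public key; the first entry's kid is the one non-DPoP ID tokens carry in their header (presumably the same document the JWKS endpoint publishes — confirm). */`, hedged because the endpoint is not visible in this patch. Note that the JWKS is rebuilt from the public key on every ID-token issuance; if that turns out to be costly it can be memoised in a private property with `??=`.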