Add kid in jwks & jwts

auth/config.go

@@ -2,9 +2,11 @@ package main
 
 import (
 	"context"
+	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -15,6 +17,7 @@ import (
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/zoriya/kyoo/keibi/dbc"
 )
 
@@ -22,6 +25,7 @@ type Configuration struct {
 	Prefix          string
 	JwtPrivateKey   *rsa.PrivateKey
 	JwtPublicKey    *rsa.PublicKey
+	JwtKid          string
 	PublicUrl       string
 	DefaultClaims   jwt.MapClaims
 	FirstUserClaims jwt.MapClaims
@@ -100,8 +104,17 @@ func LoadConfiguration(db *dbc.Queries) (*Configuration, error) {
 		if err != nil {
 			return nil, err
 		}
-		ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
 	}
+	ret.JwtPublicKey = &ret.JwtPrivateKey.PublicKey
+	key, err := jwk.Import(ret.JwtPublicKey)
+	if err != nil {
+		return nil, err
+	}
+	thumbprint, err := key.Thumbprint(crypto.SHA256)
+	if err != nil {
+		return nil, err
+	}
+	ret.JwtKid = base64.RawStdEncoding.EncodeToString(thumbprint)
 
 	for _, env := range os.Environ() {
 		if !strings.HasPrefix(env, "KEIBI_APIKEY_") {

auth/jwt.go

@@ -79,6 +79,7 @@ func (h *Handler) createGuestJwt() *string {
 		Time: time.Now().UTC().Add(time.Hour),
 	}
 	jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	jwt.Header["kid"] = h.config.JwtKid
 	t, err := jwt.SignedString(h.config.JwtPrivateKey)
 	if err != nil {
 		return nil
@@ -112,6 +113,7 @@ func (h *Handler) createJwt(token string) (string, error) {
 		Time: time.Now().UTC().Add(time.Hour),
 	}
 	jwt := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	jwt.Header["kid"] = h.config.JwtKid
 	t, err := jwt.SignedString(h.config.JwtPrivateKey)
 	if err != nil {
 		return "", err
@@ -144,6 +146,7 @@ func (h *Handler) GetJwks(c echo.Context) error {
 
 	key.Set("use", "sig")
 	key.Set("key_ops", "verify")
+	key.Set("kid", h.config.JwtKid)
 	set := jwk.NewSet()
 	set.AddKey(key)
 	return c.JSON(200, set)