add kid header to JWT

modules/jwtx/jwtsigningkey.go

@@ -40,6 +40,7 @@ type JWTSigningKey interface {
 	SignKey() any
 	VerifyKey() any
 	ToJWK() (map[string]string, error)
+	KID() string
 	PreProcessToken(*jwt.Token)
 }
 
@@ -71,6 +72,10 @@ func (key hmacSigningKey) ToJWK() (map[string]string, error) {
 	}, nil
 }
 
+func (key hmacSigningKey) KID() string {
+	return ""
+}
+
 func (key hmacSigningKey) PreProcessToken(*jwt.Token) {}
 
 type rsaSingingKey struct {
@@ -120,6 +125,10 @@ func (key rsaSingingKey) ToJWK() (map[string]string, error) {
 	}, nil
 }
 
+func (key rsaSingingKey) KID() string {
+	return key.id
+}
+
 func (key rsaSingingKey) PreProcessToken(token *jwt.Token) {
 	token.Header["kid"] = key.id
 }
@@ -171,6 +180,10 @@ func (key eddsaSigningKey) ToJWK() (map[string]string, error) {
 	}, nil
 }
 
+func (key eddsaSigningKey) KID() string {
+	return key.id
+}
+
 func (key eddsaSigningKey) PreProcessToken(token *jwt.Token) {
 	token.Header["kid"] = key.id
 }
@@ -223,6 +236,10 @@ func (key ecdsaSingingKey) ToJWK() (map[string]string, error) {
 	}, nil
 }
 
+func (key ecdsaSingingKey) KID() string {
+	return key.id
+}
+
 func (key ecdsaSingingKey) PreProcessToken(token *jwt.Token) {
 	token.Header["kid"] = key.id
 }

routers/api/actions/oidc.go

@@ -162,7 +162,7 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
 		"nbf":                   jwt.NewNumericDate(iat),
 		"exp":                   jwt.NewNumericDate(iat.Add(time.Minute * 15)),
 		"iat":                   jwt.NewNumericDate(iat),
-	})
+	}, addTokenHeaders(o.signingKey))
 
 	signedJWT, err := token.SignedString(o.signingKey.SignKey())
 	if err != nil {
@@ -212,3 +212,12 @@ func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.R
 		return
 	}
 }
+
+func addTokenHeaders(key jwtx.JWTSigningKey) jwt.TokenOption {
+	return func(t *jwt.Token) {
+		kid := key.KID()
+		if kid != "" {
+			t.Header["kid"] = kid
+		}
+	}
+}