Merge pull request #17962 from roysjosh/add-keyId-for-aad-oidc-certif…

…icate-secret Allow adding a specified keyId during OIDC token exchange
quarkusio · Jun 17, 2021 · 232ceda · 232ceda
2 parents aa7c203 + ef6172d
commit 232ceda
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/...ns/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/...ns/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
@@ -232,6 +232,12 @@ public static class Jwt {
             @ConfigItem(defaultValue = "password")
             public String keyPassword;
 
+            /**
+             * Key identifier of the signing key added as a JWT 'kid' header
+             */
+            @ConfigItem
+            public Optional<String> tokenKeyId = Optional.empty();
+
             /**
              * JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.
              */

diff --git a/...ons/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/...ons/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
@@ -20,7 +20,7 @@
 import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.smallrye.jwt.build.Jwt;
-import io.smallrye.jwt.build.JwtClaimsBuilder;
+import io.smallrye.jwt.build.JwtSignatureBuilder;
 import io.smallrye.jwt.util.KeyUtils;
 import io.smallrye.jwt.util.ResourceUtils;
 import io.vertx.core.http.HttpClientOptions;
@@ -220,11 +220,15 @@ public static String signJwt(OidcCommonConfig oidcConfig) {
 
     public static String signJwtWithKey(OidcCommonConfig oidcConfig, Key key) {
         // 'jti' and 'iat' claim is created by default, iat - is set to the current time
-        JwtClaimsBuilder builder = Jwt
+        JwtSignatureBuilder builder = Jwt
                 .issuer(oidcConfig.clientId.get())
                 .subject(oidcConfig.clientId.get())
                 .audience(getAuthServerUrl(oidcConfig))
-                .expiresIn(oidcConfig.credentials.jwt.lifespan);
+                .expiresIn(oidcConfig.credentials.jwt.lifespan)
+                .jws();
+        if (oidcConfig.credentials.jwt.tokenKeyId.isPresent()) {
+            builder.keyId(oidcConfig.credentials.jwt.tokenKeyId.get());
+        }
         if (key instanceof SecretKey) {
             return builder.sign((SecretKey) key);
         } else {