From bea12d5d297c092c8d3b87c5f1411a045ca07d43 Mon Sep 17 00:00:00 2001
From: Sergei Martynov
Date: Wed, 5 Feb 2025 10:06:50 +0100
Subject: [PATCH] use the right public key

---
 internal/api/auth/keycloak.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/internal/api/auth/keycloak.go b/internal/api/auth/keycloak.go
index be43c98..206e033 100644
--- a/internal/api/auth/keycloak.go
+++ b/internal/api/auth/keycloak.go
@@ -96,7 +96,15 @@ func (kc *Keycloak) fetchPublicKey() (*rsa.PublicKey, error) {
 		return nil, fmt.Errorf("error decoding JWK set: %w", err)
 	}
 
-	rsaPublicKey := jwkSet.Keys[0]
+	var rsaPublicKey JWK
+	for _, key := range jwkSet.Keys {
+		if key.Kty == "RSA" && key.Use == "sig" {
+			rsaPublicKey = key
+		}
+	}
+	if rsaPublicKey.Alg == "" {
+		return nil, fmt.Errorf("no RSA public key found in JWK set")
+	}
 	nBytes, err := base64.RawURLEncoding.DecodeString(rsaPublicKey.N)
 	if err != nil {
 		return nil, fmt.Errorf("error decoding N: %w", err)
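Review bot: The not-found check `if rsaPublicKey.Alg == ""` tests a field the loop never selects on, and `alg` is an optional JWK member (RFC 7517 §4.4), so a valid RSA signing key published without `alg` would be reported as missing. Testing the selection criterion instead, `if rsaPublicKey.Kty == "" {`, keeps the zero-value check tied to what the loop actually matched. The loop also has no `break`, so when the set holds several RSA `sig` keys (for example during key rotation) the last one wins regardless of which key signed the token. Selecting by the token's `kid` would be more robust, though that presumably needs a wider change to fetchPublicKey, whose body starts and ends outside this hunk. If the token verifier accepts only one algorithm, matching `key.Alg` against it inside the loop would also avoid picking a key intended for a different signature scheme.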