From 766270f5d66b1c323236b9ad05c0fad80592b085 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Sun, 8 Mar 2026 11:07:15 +0200
Subject: [PATCH] fix: add kid header to id token
---
 internal/service/oidc_service.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index 1339010..af72add 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -366,6 +366,16 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 
+	hasher := sha256.New()
+
+	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+
+	if der == nil {
+		return "", errors.New("failed to marshal public key")
+	}
+
+	hasher.Write(der)
+
 	signer, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: jose.RS256,
 		Key: service.privateKey,
@@ -373,6 +383,7 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
 		ExtraHeaders: map[jose.HeaderKey]any{
 			"typ": "jwt",
 			"jku": fmt.Sprintf("%s/.well-known/jwks.json", service.issuer),
+			"kid": base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 		},
 	})
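Review bot: The `kid` built in the first hunk is SHA-256 over the PKCS#1 DER, emitted with padded `base64.URLEncoding`, which is not the RFC 7638 JWK thumbprint that verifiers and the JWKS document behind `jku` normally use, so the header only helps if the JWKS handler (not in this patch) publishes exactly the same string for this key; confirm that, or derive both from one helper such as `jose.JSONWebKey{Key: &service.privateKey.PublicKey}.Thumbprint(crypto.SHA256)` encoded with `base64.RawURLEncoding`. The value depends only on the static signing key, so computing it once when the service is constructed and storing it is preferable to hashing on every token issuance. The nil check on `x509.MarshalPKCS1PublicKey` is reasonable (it returns nil only when ASN.1 marshalling fails), but the remaining nine lines collapse to `sum := sha256.Sum256(der)` with `"kid": base64.RawURLEncoding.EncodeToString(sum[:])`, which also drops the unchecked `hasher.Write` that errcheck-style linters will flag. generateIDToken begins before the first hunk, and the second hunk's trailing context line appears to be missing from this excerpt.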