From de980815ce8a54bdc5a7db41bce073ccc7f4b57c Mon Sep 17 00:00:00 2001
From: Stavros
Date: Tue, 3 Mar 2026 22:45:24 +0200
Subject: [PATCH] fix: include kid in jwks response
---
 internal/service/oidc_service.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index c2ed5b0..2c9728b 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -8,6 +8,7 @@ import (
 "crypto/sha256"
 "crypto/x509"
 "database/sql"
+ "encoding/base64"
 "encoding/json"
 "encoding/pem"
 "errors"
@@ -665,10 +666,21 @@ func (service *OIDCService) Cleanup() {
 }
 
 func (service *OIDCService) GetJWK() ([]byte, error) {
+ hasher := sha256.New()
+
+ der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+
+ if der == nil {
+ return nil, errors.New("failed to marshal public key")
+ }
+
+ hasher.Write(der)
+
 jwk := jose.JSONWebKey{
 Key: service.privateKey,
 Algorithm: string(jose.RS256),
 Use: "sig",
+ KeyID: base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 }
 
 return jwk.Public().MarshalJSON()
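Review bot: The `KeyID` added in `GetJWK` only helps verifiers if the tokens this service signs carry the identical `kid` in their JOSE header, and nothing in this hunk shows the signing path using the same derivation; computing the value once where the key is loaded and reusing it in both places would keep the two from drifting apart. `base64.URLEncoding` also leaves `=` padding on the 32-byte digest, whereas JOSE values are conventionally unpadded base64url, so `KeyID: base64.RawURLEncoding.EncodeToString(hasher.Sum(nil)),` is the safer form (or the RFC 7638 thumbprint via `Thumbprint(crypto.SHA256)`, if the `jose` import is go-jose). The `der == nil` guard does not cover the realistic failure, because a nil `service.privateKey` panics on `&service.privateKey.PublicKey` before the check runs; `if service.privateKey == nil { return nil, errors.New("private key not loaded") }` at the top of the function would. The closing brace of `GetJWK` lies outside the hunk.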