italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0
22 stars 25 forks

UserInfo does not check for declared key usage when selecting encryption key #294

Closed matteo-s closed 3 months ago

matteo-s commented 6 months ago

While building the userInfo response the provider fetches the client keys and then merely picks the first with a non-empty kid, without checking its intended usage. If the client exposes 2 keys, one for signing and one for encryption, the provider, by picking the first, will either:

https://github.com/italia/spid-cie-oidc-django/blob/2b0c2eff271ef290f90f62ba8b7a3d508b887543/spid_cie_oidc/provider/views/userinfo_endpoint.py#L95

        # Takes the first JWK with a non-empty "kid"; the "use" / "key_ops"
        # fields of the key are never consulted.
        for k in client_jwks:
            if k.get('kid') and len(k["kid"]) >= 1:
                client_jwk = k
                break

peppelinux commented 6 months ago

Ok, we just have to create a utility function, like this https://github.com/italia/spid-cie-oidc-django/blob/b7b28a8fbb59076dc8d7ba389383379282547315/spid_cie_oidc/entity/utils.py#L57, where a jwks is passed and an argument set (enc, sig) to get the first key according to the scope.

In the current specs we haven't defined this detail about the key, but it is a good practice to have different keys for different scopes.
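The utility function sketched above, as an added example that is not the project's code: it selects a key from a client JWKS by its declared usage (`use`, and `key_ops` where present, per RFC 7517) instead of taking the first key with a `kid`, and compares the result with the original first-key selection on a constructed JWKS that lists the signing key before the encryption key. The function and parameter names (`select_client_key`, `key_matches_use`, `allow_unspecified`) and the sample JWKS are assumptions made for this example.

```python
# Added example, not code from spid-cie-oidc-django: choose a client JWK by
# declared key usage rather than by position in the JWKS.
from typing import Dict, List, Optional

JWK = Dict[str, object]

# Constructed sample JWKS: signing key first, encryption key second, which is
# exactly the ordering that makes the original "first kid wins" logic pick the
# wrong key for userinfo encryption.
CLIENT_JWKS: List[JWK] = [
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kid": "enc-1", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "n": "...", "e": "AQAB"},
]

# RFC 7517 section 4.3 key_ops values grouped by the "use" they correspond to.
_OPS_FOR_USE = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"},
}


def first_key_with_kid(jwks: List[JWK]) -> Optional[JWK]:
    """The original selection logic from the issue: first key with a non-empty kid."""
    for k in jwks:
        if k.get("kid"):
            return k
    return None


def key_matches_use(jwk: JWK, use: str) -> Optional[bool]:
    """True if the key's declared usage matches `use`, False if it contradicts it,
    None if the key declares neither "use" nor "key_ops" (both are optional)."""
    declared_use = jwk.get("use")
    key_ops = jwk.get("key_ops")
    if declared_use is None and key_ops is None:
        return None
    if declared_use is not None and declared_use != use:
        return False
    # Every listed operation must belong to the requested category; a key that
    # mixes signing and encryption operations is rejected for both.
    if key_ops is not None and not set(key_ops) <= _OPS_FOR_USE[use]:
        return False
    return True


def select_client_key(jwks: List[JWK], use: str, allow_unspecified: bool = False) -> JWK:
    """Return the first key with a kid whose declared usage matches `use`.

    With allow_unspecified=True, a key that declares no usage at all is accepted
    as a fallback; a key that declares a conflicting usage is never returned.
    """
    if use not in _OPS_FOR_USE:
        raise ValueError(f"unsupported key use {use!r}")
    candidates = [k for k in jwks if k.get("kid")]
    for k in candidates:
        if key_matches_use(k, use) is True:
            return k
    if allow_unspecified:
        for k in candidates:
            if key_matches_use(k, use) is None:
                return k
    raise LookupError(f"client JWKS has no key usable for {use!r}")


def has_key_for(jwks: List[JWK], use: str, allow_unspecified: bool = False) -> bool:
    """Convenience predicate: does the JWKS contain a key selectable for `use`?"""
    try:
        select_client_key(jwks, use, allow_unspecified)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    print("original logic picks:", first_key_with_kid(CLIENT_JWKS)["kid"])
    print("use-aware logic picks for enc:", select_client_key(CLIENT_JWKS, "enc")["kid"])
```

On the sample JWKS the original logic returns `sig-1`, so the provider would encrypt the userinfo JWT to the client's signing key; the use-aware selection returns `enc-1`. Whether keys with no declared usage should be accepted is a policy choice, hence the explicit `allow_unspecified` flag: the conservative default refuses to guess.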

rglauco commented 3 months ago

Fixed in https://github.com/italia/spid-cie-oidc-django/pull/311