Closed matteo-s closed 3 months ago
Ok, we just have to create a utility function, like this https://github.com/italia/spid-cie-oidc-django/blob/b7b28a8fbb59076dc8d7ba389383379282547315/spid_cie_oidc/entity/utils.py#L57 where a JWKS is passed and an argument set (enc, sig) to get the first key according to the scope.
In the current specs we haven't defined this detail about the key, but it is a good practice having different keys for different scopes.
While building the userInfo response the provider fetches the client keys and then merely picks the first with a non-empty `kid`, without checking its intended usage. If the client exposes 2 keys, one for signing and one for encryption, the provider by picking the first will either: `sig`
key against its intended usage
https://github.com/italia/spid-cie-oidc-django/blob/2b0c2eff271ef290f90f62ba8b7a3d508b887543/spid_cie_oidc/provider/views/userinfo_endpoint.py#L95
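The key-selection problem reported in the issue and the `use`-aware utility proposed in the comment, as an added example that is not code from the spid-cie-oidc-django project: `first_key_with_kid` reproduces the selection the issue describes, `get_jwk_by_use` selects by the JWK `use` parameter instead. The sample JWKS and the fallback policy for keys that omit `use` are assumptions of this example.

```python
from typing import Any, Dict, List, Optional

# Constructed sample: the client publishes its signing key first, its encryption key second.
CLIENT_JWKS: Dict[str, List[Dict[str, Any]]] = {
    "keys": [
        {"kty": "RSA", "kid": "sig-1", "use": "sig", "e": "AQAB", "n": "<constructed-modulus>"},
        {"kty": "RSA", "kid": "enc-1", "use": "enc", "e": "AQAB", "n": "<constructed-modulus>"},
    ]
}


def first_key_with_kid(jwks: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """The selection the issue describes: first key with a non-empty kid, ignoring its use."""
    for key in jwks.get("keys", []):
        if key.get("kid"):
            return key
    return None


def get_jwk_by_use(jwks: Dict[str, Any], use: str) -> Dict[str, Any]:
    """Return the first JWK intended for `use` ("sig" or "enc").

    A key that declares a different "use" is never returned. Keys that omit "use"
    (it is optional in RFC 7517) are accepted only as a fallback when no key declares
    the requested use; that fallback policy is an assumption of this example.
    """
    if use not in ("sig", "enc"):
        raise ValueError(f"unsupported key use: {use!r}")
    fallback: Optional[Dict[str, Any]] = None
    for key in jwks.get("keys", []):
        if not key.get("kid"):
            continue  # keep the original requirement of a non-empty kid
        key_use = key.get("use")
        if key_use == use:
            return key
        if key_use is None and fallback is None:
            fallback = key  # undeclared use: remember the first, prefer an explicit match
    if fallback is None:
        raise ValueError(f"no client JWK usable for {use!r}")
    return fallback
```

With the sample JWKS, encrypting the userinfo response with `first_key_with_kid` would use the client's signing key, while `get_jwk_by_use(CLIENT_JWKS, "enc")` returns the encryption key.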