zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Support using x5t header as kid if kid is not returned by ADFS #246

Open pedroquien opened 5 years ago

pedroquien commented 5 years ago

ADFS does not set the kid, so when there are multiple keys openidc does not know which key to use. If we can use x5t to ID the key, that would be great.

zandbelt commented 5 years ago

Walking the keys that match the signature type would be an alternative acceptable behavior IMHO.
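
The two behaviours discussed in this thread (match on `x5t` when `kid` is absent, otherwise walk the keys that fit the signature type), sketched as an added example that is not part of the issue and not lua-resty-openidc code. `select_keys`, the fail-closed handling of an unmatched identifier and the sample JWKS are assumptions made for illustration.

```lua
-- Added illustration; select_keys is a hypothetical helper, not a library API.
-- Maps the first two letters of the JWS "alg" to the JWK "kty" it needs (RFC 7518).
local KTY_FOR_ALG = { RS = "RSA", PS = "RSA", ES = "EC" }

-- Returns the ordered list of JWKs to try for a JWT header, or nil plus an error.
-- Header fields are attacker-controlled: they only narrow the search inside the
-- configured JWKS; the signature check on each candidate is what authenticates.
local function select_keys(header, jwks)
  local kty = KTY_FOR_ALG[(header.alg or ""):sub(1, 2)]
  if not kty then
    return nil, "unsupported or missing alg: " .. tostring(header.alg)
  end
  local usable = {}
  for _, jwk in ipairs(jwks.keys or {}) do
    -- Skip keys of the wrong type or explicitly marked for encryption.
    if jwk.kty == kty and (jwk.use == nil or jwk.use == "sig") then
      usable[#usable + 1] = jwk
    end
  end
  -- 1. Identifier present: kid first, then x5t (certificate thumbprint).
  for _, field in ipairs({ "kid", "x5t" }) do
    local wanted = header[field]
    if wanted then
      for _, jwk in ipairs(usable) do
        if jwk[field] == wanted then return { jwk } end
      end
      -- Assumption: fail closed here; a caller may refresh the JWKS and retry.
      return nil, "no key with " .. field .. "=" .. tostring(wanted)
    end
  end
  -- 2. No identifier at all: walk every key that fits the signature type.
  return usable
end

-- Constructed sample data (identifiers are placeholders, key material omitted).
local jwks = { keys = {
  { kty = "RSA", use = "sig", kid = "kid-A", x5t = "thumb-A" },
  { kty = "RSA", use = "sig", kid = "kid-B", x5t = "thumb-B" },
  { kty = "EC",  use = "sig", kid = "kid-C" },
} }
local by_x5t = assert(select_keys({ alg = "RS256", x5t = "thumb-B" }, jwks))
assert(#by_x5t == 1 and by_x5t[1].kid == "kid-B")   -- x5t stands in for kid
local walked = assert(select_keys({ alg = "RS256" }, jwks))
assert(#walked == 2)                                -- both RSA keys, EC key skipped
assert(select_keys({ alg = "RS256", x5t = "thumb-Z" }, jwks) == nil)
```

The caller verifies the signature against each returned key in turn and rejects the token if none verifies.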