From 3898db68a7b6bed13fc39d8a89e7581d5298e42e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Sat, 19 May 2018 16:29:05 +0200
Subject: [PATCH] Provide kid in JWT only for RS signatures (#1426)

---
 .../lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index 65ac6d683..4abc4e58e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -1154,8 +1154,10 @@ sub createJWT {
 
     # JWT header
     my $jwt_header_hash = { typ => "JWT", alg => $alg };
-    $jwt_header_hash->{kid} = $self->conf->{oidcServiceKeyIdSig}
-      if $self->conf->{oidcServiceKeyIdSig};
+    if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
+        $jwt_header_hash->{kid} = $self->conf->{oidcServiceKeyIdSig}
+          if $self->conf->{oidcServiceKeyIdSig};
+    }
     my $jwt_header = encode_base64( to_json($jwt_header_hash), "" );
 
     if ( $alg eq "none" ) {
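Review bot: The new guard lists the three RSA algorithm names as an `eq` chain with no comment saying why `kid` is now limited to them, so the next reader has to reverse-engineer the intent from the commit title; a one-line why-comment above the `if` would fix that, e.g. `# kid names a published signing key, so only asymmetric (RS*) headers carry it` (presumably the HS* path signs with a shared secret that has no key id — worth confirming against the rest of createJWT, which starts and ends outside this hunk). The chain could also collapse into one anchored, case-sensitive match that keeps the accepted list in a single place, `if ( $alg =~ m{\ARS(?:256|384|512)\z} ) {`; the exact, case-sensitive comparison is the right choice for a JWS `alg` value and should be kept (no `/i`, no unanchored match). The `kid` is still only emitted when `oidcServiceKeyIdSig` is configured, so an RS token from a deployment without that setting will have no `kid` — unchanged behaviour, but worth noting in the comment if relying parties are expected to select keys by id.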