Use a distinct kid value for individual keys / certificates

[oxisto]

omejdn-server/lib/oauth_helper.rb

Line 87 in 7136c52

kid: 'default'

While our approach is technically compliant, it would be easier for the user if the kid is distinct. We could use a similar model as auth0, where kid is equal to x5t. See https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-set-properties

[schanzen]

Before thinking about the JWKS, the component first needs to support key rotations in the first place. Not even multiple keys as supported atm.

[bellebaum]

#26 redoes the entire JWKS, adding support for key rollover and initial support for certificate chains to be distributed this way. If anyone would like to, it is ready to be reviewed.

• old certificate/-chains and public/secret keys can be specified in omejdn.yml and the corresponding JWKs are advertised.
• Where possible, x5t and x5c are specified in the JWKs