Merge branch '222-kid' into 'main'

fix: dynamic kid parameter for JWKs

Closes #222

See merge request yaal/canaille!227

CHANGES.rst

@@ -4,6 +4,7 @@
 Fixed
 ^^^^^
 - Canaille executable did not support i18n. :issue:`227`
+- Dynamic `kid` parameter for JWKs. :issue:`222`
 
 [0.0.61] - 2025-02-04
 ---------------------

canaille/oidc/oauth.py

@@ -2,7 +2,6 @@
 
 from authlib.integrations.flask_oauth2 import AuthorizationServer
 from authlib.integrations.flask_oauth2 import ResourceProtector
-from authlib.jose import JsonWebKey
 from authlib.oauth2.rfc6749.grants import (
     AuthorizationCodeGrant as _AuthorizationCodeGrant,
 )
@@ -31,6 +30,7 @@
 from flask import g
 from flask import request
 from flask import url_for
+from joserfc.jwk import JWKRegistry
 from werkzeug.security import gen_salt
 
 from canaille.app import DOCUMENTATION_URL
@@ -150,12 +150,14 @@ def get_jwt_config(grant=None):
 def get_jwks():
     kty = current_app.config["CANAILLE_OIDC"]["JWT"]["KTY"]
     alg = current_app.config["CANAILLE_OIDC"]["JWT"]["ALG"]
-    jwk = JsonWebKey.import_key(
-        current_app.config["CANAILLE_OIDC"]["JWT"]["PUBLIC_KEY"], {"kty": kty}
+    jwk = JWKRegistry.import_key(
+        current_app.config["CANAILLE_OIDC"]["JWT"]["PUBLIC_KEY"], kty
     )
+    jwk.ensure_kid()
     return {
         "keys": [
             {
+                "kid": jwk.kid,
                 "use": "sig",
                 "alg": alg,
                 **jwk,

pyproject.toml

@@ -50,6 +50,7 @@ front = [
 
 oidc = [
     "authlib >= 1.3.0",
+    "joserfc>=1.0.2",
 ]
 
 scim = [

tests/oidc/test_jwks.py

@@ -1,3 +1,5 @@
+from unittest import mock
+
 from authlib.jose import JsonWebKey
 
 
@@ -9,6 +11,7 @@ def test_jwks(testclient, keypair):
     assert res.json == {
         "keys": [
             {
+                "kid": mock.ANY,
                 "use": "sig",
                 "alg": "RS256",
                 **jwk,