-init oidc RSA256 feature

6 files changed, 403 insertions, 71 deletions

diff --git a/configure.ac b/configure.ac
index 733eea06e..3553d93b9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -719,6 +719,11 @@ CHECK_WITH_LIB([jansson], [json_loads], [jansson.h], [HAVE_JANSSON])
 AS_IF([test "x$jansson" = "x0"],
   [AC_MSG_ERROR([GNUnet requires jansson])])
 
+# check for jose
+CHECK_WITH_LIB([jose], [jose_jwk_gen], [jose/jose.h], [HAVE_JOSE])
+AS_IF([test "x$jose" = "x0"],
+  [AC_MSG_ERROR([GNUnet requires jose])])
+
 # check for libpulse (pulseaudio)
 CHECK_WITH_LIB([pulse], [pa_stream_peek], [pulse/simple.h], [HAVE_PULSE])
 
diff --git a/src/reclaim/Makefile.am b/src/reclaim/Makefile.am
index a8300d6af..710207d8b 100644
--- a/src/reclaim/Makefile.am
+++ b/src/reclaim/Makefile.am
@@ -79,7 +79,7 @@ libgnunet_plugin_rest_openid_connect_la_LIBADD = \
   $(top_builddir)/src/gns/libgnunetgns.la \
   $(top_builddir)/src/gnsrecord/libgnunetgnsrecord.la \
   $(top_builddir)/src/util/libgnunetutil.la $(XLIBS) \
-  $(LTLIBINTL) -ljansson $(MHD_LIBS) \
+  $(LTLIBINTL) -ljansson -ljose $(MHD_LIBS) \
         $(LIBGCRYPT_LIBS)
 libgnunet_plugin_rest_openid_connect_la_LDFLAGS = \
   $(GN_PLUGIN_LDFLAGS)
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index 9237902ce..cfa71b26c 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -22,10 +22,12 @@
  * @file reclaim/oidc_helper.c
  * @brief helper library for OIDC related functions
  * @author Martin Schanzenbach
+ * @author Tristan Schwieren
  */
 #include "platform.h"
 #include <inttypes.h>
 #include <jansson.h>
+#include <jose/jose.h>
 #include "gnunet_util_lib.h"
 #include "gnunet_reclaim_lib.h"
 #include "gnunet_reclaim_service.h"
@@ -115,13 +117,13 @@ is_claim_in_address_scope (const char *claim)
 
 
 static char *
-create_jwt_header (void)
+create_jwt_hmac_header (void)
 {
   json_t *root;
   char *json_str;
 
   root = json_object ();
-  json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE));
+  json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE_HMAC));
   json_object_set_new (root, JWT_TYP, json_string (JWT_TYP_VALUE));
 
   json_str = json_dumps (root, JSON_INDENT (0) | JSON_COMPACT);
@@ -356,40 +358,22 @@ OIDC_generate_userinfo (const struct GNUNET_IDENTITY_PublicKey *sub_key,
 }
 
 
-/**
- * Create a JWT from attributes
- *
- * @param aud_key the public of the audience
- * @param sub_key the public key of the subject
- * @param attrs the attribute list
- * @param presentations credential presentation list (may be empty)
- * @param expiration_time the validity of the token
- * @param secret_key the key used to sign the JWT
- * @return a new base64-encoded JWT string.
- */
 char *
-OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
+generate_id_token_body (const struct GNUNET_IDENTITY_PublicKey *aud_key,
                         const struct GNUNET_IDENTITY_PublicKey *sub_key,
                         const struct GNUNET_RECLAIM_AttributeList *attrs,
                         const struct
                         GNUNET_RECLAIM_PresentationList *presentations,
                         const struct GNUNET_TIME_Relative *expiration_time,
-                        const char *nonce,
-                        const char *secret_key)
+                        const char *nonce)
 {
   struct GNUNET_HashCode signature;
   struct GNUNET_TIME_Absolute exp_time;
   struct GNUNET_TIME_Absolute time_now;
+  json_t *body;
   char *audience;
   char *subject;
-  char *header;
   char *body_str;
-  char *result;
-  char *header_base64;
-  char *body_base64;
-  char *signature_target;
-  char *signature_base64;
-  json_t *body;
 
   body = generate_userinfo_json (sub_key,
                                  attrs,
@@ -409,7 +393,6 @@ OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
     GNUNET_STRINGS_data_to_string_alloc (aud_key,
                                          sizeof(struct
                                                 GNUNET_IDENTITY_PublicKey));
-  header = create_jwt_header ();
 
   // aud REQUIRED public key client_id must be there
   json_object_set_new (body, "aud", json_string (audience));
@@ -429,19 +412,132 @@ OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
   if (NULL != nonce)
     json_object_set_new (body, "nonce", json_string (nonce));
 
-  body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
-  json_decref (body);
+  // Error checking
+  body_str = json_dumps (body, JSON_INDENT (2) | JSON_COMPACT);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,"ID-Token: %s\n", body_str);
 
+  json_decref (body);
+  GNUNET_free (subject);
+  GNUNET_free (audience);
+
+  return body_str;
+}
+
+
+/**
+ * Create a JWT using RSA256 algorithm from attributes
+ *
+ * @param aud_key the public of the audience
+ * @param sub_key the public key of the subject
+ * @param attrs the attribute list
+ * @param presentations credential presentation list (may be empty)
+ * @param expiration_time the validity of the token
+ * @param secret_rsa_key the key used to sign the JWT
+ * @return a new base64-encoded JWT string.
+ */
+char *
+OIDC_generate_id_token_rsa (const struct GNUNET_IDENTITY_PublicKey *aud_key,
+                            const struct GNUNET_IDENTITY_PublicKey *sub_key,
+                            const struct GNUNET_RECLAIM_AttributeList *attrs,
+                            const struct
+                            GNUNET_RECLAIM_PresentationList *presentations,
+                            const struct GNUNET_TIME_Relative *expiration_time,
+                            const char *nonce,
+                            const json_t *secret_rsa_key)
+{
+  json_t *jws;
+  char *body_str;
+  char *result;
+
+  // Generate the body of the JSON Web Signature
+  body_str = generate_id_token_body (aud_key,
+                                     sub_key,
+                                     attrs,
+                                     presentations,
+                                     expiration_time,
+                                     nonce);
+
+  if (! body_str)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Body for the JWS could not be generated\n");
+  }
+
+  // Creating the JSON Web Signature.
+  jws = json_pack ("{s:o}", "payload",
+                           jose_b64_enc (body_str, strlen (body_str)));
+
+  if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Signature generation failed\n");
+  }
+
+  // Encoding JSON as compact JSON Web Signature 
+  GNUNET_asprintf (&result, "%s.%s.%s",
+                   json_string_value (json_object_get (jws, "protected")),
+                   json_string_value (json_object_get (jws, "payload")),
+                   json_string_value (json_object_get (jws, "signature")) );
+
+  json_decref(jws);
+  GNUNET_free(body_str);
+  return result;
+}
+
+/**
+ * Create a JWT using HMAC (HS256) from attributes
+ *
+ * @param aud_key the public of the audience
+ * @param sub_key the public key of the subject
+ * @param attrs the attribute list
+ * @param presentations credential presentation list (may be empty)
+ * @param expiration_time the validity of the token
+ * @param secret_key the key used to sign the JWT
+ * @return a new base64-encoded JWT string.
+ */
+char *
+OIDC_generate_id_token_hmac (const struct GNUNET_IDENTITY_PublicKey *aud_key,
+                             const struct GNUNET_IDENTITY_PublicKey *sub_key,
+                             const struct GNUNET_RECLAIM_AttributeList *attrs,
+                             const struct
+                             GNUNET_RECLAIM_PresentationList *presentations,
+                             const struct GNUNET_TIME_Relative *expiration_time,
+                             const char *nonce,
+                             const char *secret_key)
+{
+  struct GNUNET_HashCode signature;
+  struct GNUNET_TIME_Absolute exp_time;
+  struct GNUNET_TIME_Absolute time_now;
+  char *header;
+  char *header_base64;
+  char *body_str;
+  char *body_base64;
+  char *signature_target;
+  char *signature_base64;
+  char *result;
+
+  // Generate and encode Header
+  header = create_jwt_hmac_header ();
   GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
   fix_base64 (header_base64);
 
+  // Generate and encode the body of the JSON Web Signature
+  body_str = generate_id_token_body (aud_key,
+                                     sub_key,
+                                     attrs,
+                                     presentations,
+                                     expiration_time,
+                                     nonce);
+
+  if (! body_str)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Body for the JWS could not be generated\n");
+  }
+
   GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
   fix_base64 (body_base64);
 
-  GNUNET_free (subject);
-  GNUNET_free (audience);
-
   /**
    * Creating the JWT signature. This might not be
    * standards compliant, check.
@@ -463,12 +559,12 @@ OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
                    body_base64,
                    signature_base64);
 
-  GNUNET_free (signature_target);
   GNUNET_free (header);
+  GNUNET_free (header_base64);
   GNUNET_free (body_str);
-  GNUNET_free (signature_base64);
   GNUNET_free (body_base64);
-  GNUNET_free (header_base64);
+  GNUNET_free (signature_target);
+  GNUNET_free (signature_base64);
   return result;
 }
 
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h
index 2a8b7bbae..ea106b4f2 100644
--- a/src/reclaim/oidc_helper.h
+++ b/src/reclaim/oidc_helper.h
@@ -28,14 +28,12 @@
 #define JWT_H
 
 #define JWT_ALG "alg"
-
-/* Use 512bit HMAC */
-#define JWT_ALG_VALUE "HS512"
-
 #define JWT_TYP "typ"
-
 #define JWT_TYP_VALUE "jwt"
 
+#define JWT_ALG_VALUE_HMAC "HS512"
+#define JWT_ALG_VALUE_RSA "RS256"
+
 #define SERVER_ADDRESS "https://api.reclaim"
 
 enum OIDC_VerificationOptions
@@ -52,7 +50,28 @@ enum OIDC_VerificationOptions
 };
 
 /**
- * Create a JWT from attributes
+ * Create a JWT using RSA256 from attributes
+ *
+ * @param aud_key the public of the audience
+ * @param sub_key the public key of the subject
+ * @param attrs the attribute list
+ * @param presentations credential presentation list (may be empty)
+ * @param expiration_time the validity of the token
+ * @param secret_key the key used to sign the JWT
+ * @return a new base64-encoded JWT string.
+ */
+char *
+OIDC_generate_id_token_rsa (const struct GNUNET_IDENTITY_PublicKey *aud_key,
+                            const struct GNUNET_IDENTITY_PublicKey *sub_key,
+                            const struct GNUNET_RECLAIM_AttributeList *attrs,
+                            const struct
+                            GNUNET_RECLAIM_PresentationList *presentations,
+                            const struct GNUNET_TIME_Relative *expiration_time,
+                            const char *nonce,
+                            const json_t *secret_rsa_key);
+
+/**
+ * Create a JWT using HMAC (HS256) from attributes
  *
  * @param aud_key the public of the audience
  * @param sub_key the public key of the subject
@@ -63,14 +82,14 @@ enum OIDC_VerificationOptions
  * @return a new base64-encoded JWT string.
  */
 char*
-OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
-                        const struct GNUNET_IDENTITY_PublicKey *sub_key,
-                        const struct GNUNET_RECLAIM_AttributeList *attrs,
-                        const struct
-                        GNUNET_RECLAIM_PresentationList *presentations,
-                        const struct GNUNET_TIME_Relative *expiration_time,
-                        const char *nonce,
-                        const char *secret_key);
+OIDC_generate_id_token_hmac (const struct GNUNET_IDENTITY_PublicKey *aud_key,
+                             const struct GNUNET_IDENTITY_PublicKey *sub_key,
+                             const struct GNUNET_RECLAIM_AttributeList *attrs,
+                             const struct
+                             GNUNET_RECLAIM_PresentationList *presentations,
+                             const struct GNUNET_TIME_Relative *expiration_time,
+                             const char *nonce,
+                             const char *secret_key);
 
 /**
  * Builds an OIDC authorization code including
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 1c00abcbd..bb8e1cd1e 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -20,6 +20,7 @@
 /**
  * @author Martin Schanzenbach
  * @author Philippe Buschmann
+ * @author Tristan Schwieren
  * @file identity/plugin_rest_openid_connect.c
  * @brief GNUnet Namestore REST plugin
  *
@@ -27,6 +28,7 @@
 #include "platform.h"
 #include <inttypes.h>
 #include <jansson.h>
+#include <jose/jose.h>
 
 #include "gnunet_buffer_lib.h"
 #include "gnunet_strings_lib.h"
@@ -63,6 +65,11 @@
 #define GNUNET_REST_API_NS_TOKEN "/openid/token"
 
 /**
+ * JSON Web Keys endpoint
+ */
+#define GNUNET_REST_API_JWKS "/jwks.json"
+
+/**
  * UserInfo endpoint
  */
 #define GNUNET_REST_API_NS_USERINFO "/openid/userinfo"
@@ -228,6 +235,11 @@
 #define OIDC_ERROR_KEY_ACCESS_DENIED "access_denied"
 
 /**
+ * OIDC key store file name
+ */
+#define OIDC_JWK_RSA_FILENAME "jwk_rsa.json"
+
+/**
  * How long to wait for a consume in userinfo endpoint
  */
 #define CONSUME_TIMEOUT GNUNET_TIME_relative_multiply ( \
@@ -303,6 +315,11 @@ struct Plugin
 };
 
 /**
+ * @brief The RSA key used by the oidc enpoint
+ */
+json_t *oidc_jwk;
+
+/**
  * OIDC needed variables
  */
 struct OIDC_Variables
@@ -859,6 +876,103 @@ cookie_identity_interpretation (struct RequestHandle *handle)
 
 
 /**
+ * @brief Read the the JSON Web Key in the given file and return it.
+ * Return NULL and emit warning if JSON can not be decoded or the key is
+ * invalid
+ *
+ * @param filename the file to read the JWK from
+ * @return json_t* the reed JWK
+ */
+json_t *
+read_jwk_from_file (const char *filename)
+{
+  json_t *jwk;
+  json_error_t error;
+
+  jwk = json_load_file (filename, JSON_DECODE_ANY, &error);
+
+  if (! jwk)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                ("Could not read OIDC RSA key from config file; %s\n"),
+                error.text);
+  }
+
+  return jwk;
+}
+
+/**
+ * @brief Write the JWK to file. If unsuccessful emit warning
+ *
+ * @param filename the name of the file the JWK is writen to
+ * @param jwk the JWK that is going to be written
+ * @return int Return GNUNET_OK if write is sucessfull
+ */
+static int
+write_jwk_to_file (const char *filename,
+                   json_t *jwk)
+{
+  if (json_dump_file (jwk, filename, JSON_INDENT (2)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                ("Could not write OIDC RSA key to file %s\n"),
+                filename);
+    return GNUNET_ERROR_TYPE_WARNING;
+  }
+  else
+    return GNUNET_OK;
+}
+
+/**
+ * @brief Generate a new RSA JSON Web Key
+ *
+ * @return json_t* the generated JWK
+ */
+json_t *
+generate_jwk ()
+{
+  json_t *jwk;
+  jwk = json_pack ("{s:s,s:i}", "kty", "RSA", "bits", 2048);
+  jose_jwk_gen (NULL, jwk);
+  json_incref (jwk);
+  return jwk;
+}
+
+/**
+ * Return the path to the RSA JWK key file
+ *
+ * @param cls the RequestHandle
+ */
+char *
+get_oidc_jwk_path (void *cls)
+{
+  char *oidc_directory;
+  char *oidc_jwk_path;
+  struct RequestHandle *handle = cls;
+
+  // Read OIDC directory from config
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                            "reclaim-rest-plugin",
+                                                            "oidc_dir",
+                                                            &oidc_directory))
+  {
+    // Could not read Config file
+    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_SERVER_ERROR);
+    handle->edesc = GNUNET_strdup ("gnunet configuration failed");
+    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return NULL;
+  }
+
+  // Create path to file
+  GNUNET_asprintf (&oidc_jwk_path, "%s/%s", oidc_directory,
+                   OIDC_JWK_RSA_FILENAME);
+
+  return oidc_jwk_path;
+}
+
+
+/**
  * Redirects to login page stored in configuration file
  */
 static void
@@ -1954,7 +2068,7 @@ check_authorization (struct RequestHandle *handle,
   // check client password
   if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
                                                           "reclaim-rest-plugin",
-                                                          "OIDC_CLIENT_SECRET",
+                                                          "OIDC_CLIENT_HMAC_SECRET",
                                                           &expected_pass))
   {
     if (0 != strcmp (expected_pass, received_cpw))
@@ -2047,9 +2161,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   char *json_response;
   char *id_token;
   char *access_token;
+  char *jwa;
   char *jwt_secret;
   char *nonce = NULL;
   char *code_verifier;
+  json_t *oidc_jwk;
+  char *oidc_jwk_path;
 
   /*
    * Check Authorization
@@ -2156,32 +2273,66 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
     return;
   }
 
-
-  // TODO OPTIONAL acr,amr,azp
+  // Check if HMAC or RSA should be used
   if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
                                                           "reclaim-rest-plugin",
-                                                          "jwt_secret",
-                                                          &jwt_secret))
+                                                          "oidc_json_web_algorithm",
+                                                          &jwa))
   {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
-    handle->edesc = GNUNET_strdup ("No signing secret configured!");
-    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-    GNUNET_free (code);
-    GNUNET_RECLAIM_attribute_list_destroy (cl);
-    GNUNET_RECLAIM_presentation_list_destroy (pl);
-    if (NULL != nonce)
-      GNUNET_free (nonce);
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
-    return;
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Could not read OIDC JSON Web Algorithm config attribute."
+                "Defaulting to RS256.");
+    jwa = JWT_ALG_VALUE_RSA;
+  }
+
+  if (strcmp(jwa, JWT_ALG_VALUE_RSA))
+  {
+    // Replace for now
+    oidc_jwk_path = get_oidc_jwk_path (cls);
+    oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+    id_token = OIDC_generate_id_token_rsa (&ticket.audience,
+                                           &ticket.identity,
+                                           cl,
+                                           pl,
+                                           &expiration_time,
+                                           (NULL != nonce) ? nonce : NULL,
+                                           oidc_jwk);
+  }
+  else if (strcmp(jwa, JWT_ALG_VALUE_HMAC))
+  {
+    // TODO OPTIONAL acr,amr,azp
+    if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                            "reclaim-rest-plugin",
+                                                            "jwt_secret",
+                                                            &jwt_secret))
+    {
+      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
+      handle->edesc = GNUNET_strdup ("No signing secret configured!");
+      handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+      GNUNET_free (code);
+      GNUNET_RECLAIM_attribute_list_destroy (cl);
+      GNUNET_RECLAIM_presentation_list_destroy (pl);
+      if (NULL != nonce)
+        GNUNET_free (nonce);
+      GNUNET_SCHEDULER_add_now (&do_error, handle);
+      return;
+    }
+
+    id_token = OIDC_generate_id_token_hmac (&ticket.audience,
+                                            &ticket.identity,
+                                            cl,
+                                            pl,
+                                            &expiration_time,
+                                            (NULL != nonce) ? nonce : NULL,
+                                            jwt_secret);
+
+    GNUNET_free (jwt_secret);
+  }
+  else 
+  {
+    // TODO: OPTION NOT FOUND ERROR
   }
-  id_token = OIDC_generate_id_token (&ticket.audience,
-                                     &ticket.identity,
-                                     cl,
-                                     pl,
-                                     &expiration_time,
-                                     (NULL != nonce) ? nonce : NULL,
-                                     jwt_secret);
-  GNUNET_free (jwt_secret);
+
   if (NULL != nonce)
     GNUNET_free (nonce);
   access_token = OIDC_access_token_new (&ticket);
@@ -2474,6 +2625,59 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   GNUNET_free (authorization);
 }
 
+/**
+ * Responds to /jwks.json
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+jwks_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
+               const char *url,
+               void *cls)
+{
+  char *oidc_directory;
+  char *oidc_jwk_path;
+  char *oidc_jwk_pub_str;
+  json_t *oidc_jwk;
+  struct MHD_Response *resp;
+  struct RequestHandle *handle = cls;
+
+  oidc_jwk_path = get_oidc_jwk_path (cls);
+  oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+
+  // Check if secret JWK exists
+  if (! oidc_jwk)
+  {
+    // Generate and save a new key
+    oidc_jwk = generate_jwk ();
+
+    // Create new oidc directory
+    if (GNUNET_OK != GNUNET_DISK_directory_create (oidc_directory))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  ("Failed to create directory `%s' for storing oidc data\n"),
+                  oidc_directory);
+    }
+    else
+    {
+      write_jwk_to_file (oidc_jwk_path, oidc_jwk);
+    }
+  }
+
+  // Convert secret JWK to public JWK
+  jose_jwk_pub (NULL, oidc_jwk);
+
+  // Encode JWK as string and return to API endpoint
+  oidc_jwk_pub_str = json_dumps (oidc_jwk, JSON_INDENT (1));
+  resp = GNUNET_REST_create_response (oidc_jwk_pub_str);
+  handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+  json_decref (oidc_jwk);
+  GNUNET_free (oidc_jwk_pub_str);
+  free (oidc_jwk_pub_str);
+  cleanup_handle (handle);
+}
 
 /**
  * If listing is enabled, prints information about the egos.
@@ -2621,10 +2825,15 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   sig_algs = json_array ();
   json_array_append_new (sig_algs,
                          json_string ("HS512"));
+  json_array_append_new (sig_algs,
+                         json_string ("RS256"));
   json_object_set_new (oidc_config,
                        "id_token_signing_alg_values_supported",
                        sig_algs);
   json_object_set_new (oidc_config,
+                       "jwks_uri",
+                       json_string ("http://localhost:7776/jwks.json"));
+  json_object_set_new (oidc_config,
                        "userinfo_endpoint",
                        json_string ("http://localhost:7776/openid/userinfo"));
   scopes = json_array ();
@@ -2719,6 +2928,7 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
     { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint },
     { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
     { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
+    { MHD_HTTP_METHOD_GET, GNUNET_REST_API_JWKS, &jwks_endpoint },
     { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,
       &oidc_config_endpoint },
     { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC_CONFIG,
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf
index 8655f2e0b..c685042db 100644
--- a/src/reclaim/reclaim.conf
+++ b/src/reclaim/reclaim.conf
@@ -14,6 +14,8 @@ TICKET_REFRESH_INTERVAL = 6h
 [reclaim-rest-plugin]
 #ADDRESS = https://identity.gnu:8000#/login
 ADDRESS = https://ui.reclaim/#/login
-OIDC_CLIENT_SECRET = secret
+OIDC_JSON_WEB_ALGORITHM = RS256
+OIDC_CLIENT_HMAC_SECRET = secret
+OIDC_DIR = $GNUNET_DATA_HOME/oidc
 JWT_SECRET = secret
 EXPIRATION_TIME = 1d