fix: lint

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>

Author: solracsf

lib/Service/DiscoveryService.php

@@ -121,44 +121,71 @@ public function buildAuthorizationUrl(string $authorizationEndpoint, array $extr
 	/**
 	 * Inspired by https://github.com/snake/moodle/compare/880462a1685...MDL-77077-master
 	 *
-	 * @param array $jwks
-	 * @param string $jwt
-	 * @return array
-	 * @throws \Exception
+	 * @param array $jwks The JSON Web Key Set
+	 * @param string $jwt The JWT token
+	 * @return array The modified JWKS
+	 * @throws \RuntimeException if no matching key is found or algorithm is unsupported
 	 */
 	private function fixJwksAlg(array $jwks, string $jwt): array {
-		$jwtParts = explode('.', $jwt);
-		$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
-		$kid = $jwtHeader['kid'] ?? null;
-		$alg = $jwtHeader['alg'] ?? null;
+		$jwtParts = explode('.', $jwt, 3);
+		$header = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
+		$kid = $header['kid'] ?? null;
+		$alg = $header['alg'] ?? null;
+
+		$expectedKty = self::SUPPORTED_JWK_ALGS[$alg] ?? null;
+		if ($expectedKty === null) {
+			throw new \RuntimeException('Unsupported JWT alg: ' . ($alg ?? 'unknown'));
+		}
 
-		if (!isset(self::SUPPORTED_JWK_ALGS[$alg])) {
-			throw new \Exception('Unsupported JWT alg: ' . ($alg ?? 'unknown'));
+		$keys = $jwks['keys'] ?? null;
+		if (!is_array($keys)) {
+			throw new \RuntimeException('Invalid JWKS: missing "keys" array');
 		}
 
-		$expectedKty = self::SUPPORTED_JWK_ALGS[$alg];
+		$matchingIndex = null;
+
+		foreach ($keys as $index => $key) {
+			$keyKty = $key['kty'] ?? null;
+			$keyUse = $key['use'] ?? null;
 
-		foreach ($jwks['keys'] as $index => $key) {
-			// Skip if alg is already set
-			if (!empty($key['alg'])) {
+			// Skip keys with incompatible type
+			if ($keyKty !== $expectedKty) {
 				continue;
 			}
 
-			// Match by kid if present, or by alg and kty if kid is missing
-			if ($kid !== null && isset($key['kid']) && $key['kid'] !== $kid) {
+			// Skip keys not intended for signature
+			if ($keyUse !== null && $keyUse !== 'sig') {
 				continue;
 			}
 
-			// Validate algorithm compatibility
-			if (($key['kty'] ?? null) !== $expectedKty) {
-				continue;
+			// If JWT has a kid, match strictly
+			if ($kid !== null) {
+				if (($key['kid'] ?? null) !== $kid) {
+					continue;
+				}
+				$matchingIndex = $index;
+				break;
 			}
 
-			// Set alg for the matching key
-			$jwks['keys'][$index]['alg'] = $alg;
-			return $jwks;
+			// If no kid, select the first compatible key
+			if ($matchingIndex === null) {
+				$matchingIndex = $index;
+			}
 		}
-		
-		throw new \Exception('No matching key found in JWKS (alg=' . ($alg ?? 'unknown') . ', kid=' . ($kid ?? 'none') . ')');
+
+		if ($matchingIndex === null) {
+			throw new \RuntimeException(sprintf(
+				'No matching key found in JWKS (alg=%s, kid=%s)',
+				$alg ?? 'unknown',
+				$kid ?? 'none'
+			));
+		}
+
+		// Set 'alg' field if missing
+		if (empty($jwks['keys'][$matchingIndex]['alg'])) {
+			$jwks['keys'][$matchingIndex]['alg'] = $alg;
+		}
+
+		return $jwks;
 	}
 }