UserInfo does not check for declared key usage when selecting encryption key

[matteo-s]

While building the userInfo response the provider fetches the client keys and then merely picks the first with a non-empty kid, without checking it's intended usage.
If the client exposes 2 keys, one for signing and one for encryption, the provider by picking the first will either:

• pick the right one (by luck) just because it is the first in the list
• pick the wrong one and use the sig key against it's intended usage

spid-cie-oidc-django/spid_cie_oidc/provider/views/userinfo_endpoint.py

Line 95 in 2b0c2ef

for k in client_jwks:

        for k in client_jwks:
            if k.get('kid') and len(k["kid"]) >= 1:
                client_jwk = k
                break

[peppelinux]

Ok, we just have to create a utility function, like this

spid-cie-oidc-django/spid_cie_oidc/entity/utils.py

Line 57 in b7b28a8

def get_jwk_from_jwt(jwt: str, provider_jwks: dict) -> dict:

where an jwks is passed and an argument set(enc, sig) to get the first key according to the scope

in the current specs we don't have defined this detail about the key but it is a good practice having different keys for different scopes

[rglauco]

Fixed in #311