We never have use=enc keys and so our parsing throws when it encounters them.
We don't distinguish between unparsable keys vs. keys that we don't want to use for signing (e.g. use=enc, but also other constraints we impose like having a suitable kty, kid etc.).
In an ideal world I think we would push more of that logic out a bit and parse more keys, ignoring ones that aren't relevant to us anyway and emitting errors in a more sensible location.
This PR makes the minimal change possible to allow us to parse a JWKS response that includes a use=enc key that we will otherwise not need. This is needed for interoperability with LTI vendors that have a JWKS URL serving multiple purposes.
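
A sketch of the separation described above, as an added example rather than code from this PR or project: a JWKS filter that keeps usable signing keys, skips keys that are valid but irrelevant (such as use=enc), and reports malformed entries separately. The function name, the RSA-only policy and the sample JWKS are assumptions made for illustration.

```python
import json

# Assumption: the verifier only accepts RSA signing keys; maps kty -> required members.
SUPPORTED_KTY = {"RSA": ("n", "e")}


def select_signing_keys(jwks_text):
    """Split a JWKS into usable signing keys, skipped keys and malformed entries."""
    doc = json.loads(jwks_text)
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        raise ValueError("not a JWK Set: missing 'keys' array")
    usable, skipped, malformed = {}, [], []
    for index, jwk in enumerate(doc["keys"]):
        # kty is the one member every JWK must carry; without it the entry is broken.
        if not isinstance(jwk, dict) or not isinstance(jwk.get("kty"), str):
            malformed.append((index, "missing or non-string kty"))
            continue
        kid = jwk.get("kid")
        if jwk.get("use", "sig") != "sig":
            # Well-formed, but published for another purpose (e.g. encryption).
            skipped.append((kid, "use=" + str(jwk["use"])))
        elif jwk["kty"] not in SUPPORTED_KTY:
            skipped.append((kid, "unsupported kty " + jwk["kty"]))
        elif not isinstance(kid, str) or not kid:
            skipped.append((None, "no kid to select the key by"))
        elif any(not isinstance(jwk.get(p), str) for p in SUPPORTED_KTY[jwk["kty"]]):
            malformed.append((index, "RSA key missing n or e"))
        else:
            usable[kid] = jwk
    return usable, skipped, malformed


# Constructed sample: one signing key, one encryption key, one EC key, one broken entry.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "AA", "y": "AA"},
    {"kid": "broken"},
]})

if __name__ == "__main__":
    usable, skipped, malformed = select_signing_keys(SAMPLE_JWKS)
    print("usable:", sorted(usable))
    print("skipped:", skipped)
    print("malformed:", malformed)
```

Only the `malformed` list and the `ValueError` indicate a problem with the vendor's document; an empty `usable` result with non-empty `skipped` means the endpoint is well-formed but offers no key this verifier accepts.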