CZ-NIC / pyoidc

A complete OpenID Connect implementation in Python

Multiple matching kid support #866

Open cfauchard opened 8 months ago

cfauchard commented 8 months ago

Is there some kind of support for multiple keys sharing the same ID on a JWK?

Despite not an encouraged practice, this is allowed by the standard, see https://openid.net/specs/openid-financial-api-part-2-1_0.html#duplicate-key-identifiers and of course we're facing this issue (keys with same kid but different alg, the first one is selected regardless of alg).

For now we're locally patching Message.get_verify_keys, KeyBundle.get_key_with_kid, KeyBundle.get_decrypt_key and KeyBundle.get_key_by_kid to retrieve key matching with both kid and alg.

This is straightforward (and I can submit a patch if you're OK with this approach) but doesn't handle all cases exposed by the standard (extract of openid.net specs below):

However, to increase interoperability when there are multiple keys with the same kid, the verifier shall consider other JWK attributes, such as kty, use, alg, etc., when selecting the verification key for the particular JWS message.

  1. Do you see another way to handle this case without modifying pyoidc?
  2. Are you interested in supporting this?
     a. Do you want me to submit a patch supporting kid disambiguation by alg?
     b. Or do you want to discuss something more generic?

Thanks in advance
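As an added illustration of the selection rule quoted above (this is example code, not pyoidc's own implementation, and the JWKS it uses is constructed), the function below first narrows a key set by `kid`, then by the other JWK attributes the spec names (`alg`, `kty`, `use`), and refuses to return a key when more than one candidate remains. The `ALG_TO_KTY` table is an assumption drawn from the RFC 7518 algorithm registries and covers only the algorithms listed in it.

```python
"""Pick a JWKS key when several keys share one `kid`.

Added example (not pyoidc's code). SAMPLE_JWKS is constructed: three keys
carry kid "2024-key" but differ in kty/alg/use, which is exactly the case
where "first key with matching kid" picks the wrong one.
"""

# Constructed JWKS; key material values are placeholders, not real keys.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "2024-key", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kid": "2024-key", "kty": "EC", "alg": "ES256", "use": "sig",
         "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"},
        {"kid": "2024-key", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
         "n": "placeholder-modulus-2", "e": "AQAB"},
        {"kid": "other", "kty": "oct", "alg": "HS256", "use": "sig",
         "k": "placeholder-secret"},
    ]
}

# Assumed mapping from JWA `alg` to the `kty` that can carry it (RFC 7518).
# Used so a key that omits `alg` can still be matched or rejected by type.
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
    "RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
    "ECDH-ES": "EC",
}


class NoMatchingKeyError(LookupError):
    """No key in the JWKS satisfies kid plus the other constraints."""


class AmbiguousKeyError(LookupError):
    """More than one key still matches; refusing to guess."""


def first_key_by_kid(jwks, kid):
    """The naive behaviour described in the issue: first kid match wins,
    regardless of alg. Kept here only to show what goes wrong."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    return None


def matching_keys(jwks, kid, alg=None, use=None):
    """Return every key that matches kid and, when given, alg and use.

    A key that states `alg` must match it exactly. A key without `alg` is
    kept only if its `kty` is compatible with the requested alg. A key
    without `use` is treated as usable for either purpose.
    """
    candidates = [k for k in jwks["keys"] if k.get("kid") == kid]
    if alg is not None:
        expected_kty = ALG_TO_KTY.get(alg)

        def alg_compatible(key):
            if "alg" in key:
                return key["alg"] == alg
            return expected_kty is None or key.get("kty") == expected_kty

        candidates = [k for k in candidates if alg_compatible(k)]
    if use is not None:
        candidates = [k for k in candidates if k.get("use") in (None, use)]
    return candidates


def select_key(jwks, kid, alg=None, use=None):
    """Resolve to exactly one key or raise; ambiguity is an error, not a
    silent first-match, so a wrong key can never be used to verify."""
    found = matching_keys(jwks, kid, alg=alg, use=use)
    if not found:
        raise NoMatchingKeyError(f"no key for kid={kid!r} alg={alg!r} use={use!r}")
    if len(found) > 1:
        raise AmbiguousKeyError(f"{len(found)} keys match kid={kid!r}; need alg/use")
    return found[0]


def verification_key_for_jws(jwks, protected_header):
    """Convenience wrapper: take the JWS protected header (already parsed)
    and pick the signature key using both its kid and alg."""
    return select_key(jwks, protected_header.get("kid"),
                      alg=protected_header.get("alg"), use="sig")


if __name__ == "__main__":
    header = {"alg": "ES256", "kid": "2024-key"}
    print("naive pick:", first_key_by_kid(SAMPLE_JWKS, header["kid"])["alg"])
    print("alg-aware pick:", verification_key_for_jws(SAMPLE_JWKS, header)["alg"])
```

With the constructed key set, the naive lookup returns the RS256 key for an ES256 token, while the attribute-aware lookup returns the EC key; a lookup by `kid` alone raises `AmbiguousKeyError` rather than guessing.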

tpazderka commented 8 months ago

The specs you are pointing to are regarding the FAPI which (strictly speaking) are not implemented in pyoidc.

But anyway, I am not opposed to a patch that helps to figure out a correct key.