jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

kid verification should be optional #857

Closed dehy closed 1 year ago

dehy commented 1 year ago

The lib cannot get signing keys from the jwks.json file because it checks for JSON keys that do not exist in the RFC.

Expected Result

It should find signing keys from a compliant jwks.json file.

Actual Result

It raises an error.

Reproduction Steps

Here is a sample jwks.json file:

{"keys":[{"alg":"RS256","e":"XXXX","kid":null,"kty":"RSA","n":"3PTkzSp2a0cKN5STYqG86.........","use":"sig"}]}

from jwt import PyJWKClient

jwks_client = PyJWKClient("https://server.com/oauth/jwks.json")
# Fetches the JWKS and filters it for signing keys; with the sample above it raises:
signing_keys = jwks_client.get_signing_keys()
# jwt.exceptions.PyJWKClientError: The JWKS endpoint did not contain any signing keys

The check for valid keys is done on this line: https://github.com/jpadilla/pyjwt/blob/9695f4c1d153ed8bf2b9ba0ef232c3a90889a1be/jwt/jwks_client.py#L77. Per RFC 7517 or this doc from auth0, the parameters include neither public_key_use (but use) nor key_id (but kid).

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "39.0.1"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.9"
  },
  "platform": {
    "release": "22.3.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.6.0"
  }
}
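The selection rule under discussion, worked through as an added example (not code from pyjwt or from the issue author): a JWKS with a null kid is run through a filter that mirrors the behaviour the issue describes (signing key only if use is "sig" or absent AND kid is truthy) and through an RFC 7517-style filter in which kid is optional. The function and key names, the JWKS contents and the allowed_algs parameter are all constructed for this example; the "n", "x" and "y" values are placeholders, not real key material.

```python
"""Selecting signing keys from a JWKS when "kid" is absent (RFC 7517 section 4.5)."""
import json
from typing import Optional

# Constructed sample JWKS (placeholder values, not real keys). The first key has a
# null "kid", as in the issue; the second is an encryption key; the third has a kid.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"alg": "RS256", "e": "AQAB", "kid": None, "kty": "RSA",
         "n": "placeholder-modulus-1", "use": "sig"},
        {"alg": "RS256", "e": "AQAB", "kid": "enc-1", "kty": "RSA",
         "n": "placeholder-modulus-2", "use": "enc"},
        {"alg": "ES256", "kid": "sig-2", "kty": "EC", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y"},
    ]
})


def strict_filter(jwks_json: str) -> list[dict]:
    """Paraphrase of the filter the issue points at: a key counts as a signing
    key only when "use" is "sig" or absent AND it carries a truthy "kid".
    A compliant JWKS whose keys omit "kid" therefore yields nothing."""
    keys = json.loads(jwks_json)["keys"]
    return [k for k in keys if k.get("use") in ("sig", None) and k.get("kid")]


def rfc_signing_keys(jwks_json: str, kid: Optional[str] = None,
                     allowed_algs: Optional[set[str]] = None) -> list[dict]:
    """RFC 7517-style selection with an optional kid:
    - keep keys whose "use" is "sig" or absent (an "enc" key must never verify a signature)
    - if the token header carried a kid, require an exact match
    - if allowed_algs is given, drop keys whose "alg" (when present) is not allowed,
      so a key can never be used with an algorithm the verifier did not expect
    """
    keys = json.loads(jwks_json)["keys"]
    candidates = []
    for k in keys:
        if k.get("use") not in ("sig", None):
            continue
        if kid is not None and k.get("kid") != kid:
            continue
        if allowed_algs is not None and k.get("alg") is not None and k["alg"] not in allowed_algs:
            continue
        candidates.append(k)
    return candidates


def select_key(jwks_json: str, token_header: dict,
               allowed_algs: Optional[set[str]] = None) -> dict:
    """Pick exactly one verification key for a token. Without a kid, a JWKS with
    several candidates is ambiguous; refuse rather than guess, because the caller
    must then either try each candidate explicitly or require a kid."""
    candidates = rfc_signing_keys(jwks_json, token_header.get("kid"), allowed_algs)
    if not candidates:
        raise LookupError("no signing key in the JWKS matched the token header")
    if len(candidates) > 1:
        raise LookupError("ambiguous: several signing keys match and the token has no kid")
    return candidates[0]


if __name__ == "__main__":
    print("strict filter keeps:", [k.get("kid") for k in strict_filter(SAMPLE_JWKS)])
    print("RFC filter keeps:", [k.get("kid") for k in rfc_signing_keys(SAMPLE_JWKS)])
    print("RS256 key without kid:", select_key(SAMPLE_JWKS, {"alg": "RS256"}, {"RS256"})["n"])
```

The strict filter drops the RS256 key entirely because its kid is null, which is the failure reported above; the RFC-style filter keeps it, and restricting allowed_algs to the algorithms the verifier accepts is what makes the kid-less selection unambiguous here.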
dehy commented 1 year ago

I've just found that jwk_set_key is an abstraction of the JSON file. Working as expected after setting a kid.

dehy commented 1 year ago

The RFC specifies that kid is optional (https://www.rfc-editor.org/rfc/rfc7517#section-4.5): "Use of this member is OPTIONAL."

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

rlopzc commented 1 year ago

@dehy how did you manage to use it without "kid"?

rlopzc commented 1 year ago

I figured out by doing this:

import jwt
from jwt import PyJWK

# jwks_key is one JWK dict taken from the JWKS "keys" array; no "kid" is needed
jwk = PyJWK(jwks_key)
jwt.decode(token, jwk.key, algorithms=["EdDSA"])

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days