manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License
1.9k stars, 688 forks

"No matching key found" using JwksValidationHandler #829

Open julianobaldezfreitas opened 4 years ago

julianobaldezfreitas commented 4 years ago

Describe the bug
In an implicit flow I'm trying to use the JwksValidationHandler to validate the JWT signature of the id_token, but it returns "No matching key found".

authCnfig.ts

```typescript
import { AuthConfig } from 'angular-oauth2-oidc';
// Path of the Angular environment file is assumed; it is not shown in the issue.
import { environment } from '../environments/environment';

export const authConfig: AuthConfig = {
  issuer: environment.loginCidadaoIssuer,
  redirectUri: environment.loginCidadaoRedirectUri,
  clientId: environment.clientId,
  scope: "openid name cpf email phone_number offline_access",
  // "token id_token" = implicit flow; the id_token is what the
  // validation handler must verify against the issuer's JWKS.
  responseType: "token id_token",
  oidc: true,
  silentRefreshRedirectUri: environment.silentRefresh,
};
```

AppComponent.ts

```typescript
// Inside AppComponent; oauthService (OAuthService) and router (Router)
// are injected through the constructor (not shown in the issue).
private configure() {
  this.oauthService.setupAutomaticSilentRefresh();
  this.oauthService.configure(authConfig);
  // Signature validation handler: resolves the signing key from the
  // JWKS fetched via the discovery document's jwks_uri.
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  this.oauthService.loadDiscoveryDocument().then(() => {
    // tryLogin() parses the implicit-flow fragment and validates the id_token;
    // this is where "No matching key found" is raised.
    this.oauthService.tryLogin().then(() => {
      if (this.oauthService.hasValidAccessToken()) {
        this.oauthService.loadUserProfile();
      }
      this.router.initialNavigation();
    });
  });
}
```

JWT token returned

There is no kid in the id_token header.


Doing some debugging in Chrome and trying to understand some lines of the code, I see that it is trying to get the kid from the header, but it is not there. The kid is available in the token payload and in the JWKS set too ("kid":"pub").


Is this an issue or configuration problem?

jeroenheijmans commented 4 years ago

Hmm, the spec suggests kid is optional, but the code suggests it is not (to this library)?

I will mention I have not seen this issue around yet, so it might still be a configuration issue on your IDS side? Can you check if the IDS can be configured to provide it?

For example, I often use IdentityServer4, and it does provide it. See for example demo.identityserver.io's jwks. And if you grab a token from there it also contains that in the header:


Hope that already helps?