If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header.
Personally, I would like all signed request objects, ID tokens, signed userinfo etc. to ALWAYS have a "kid" value present in the JOSE header. JWK sets may change over time.
Could we at least RECOMMEND in this spec to always include "kid" in JOSE headers for signed JWTs? Furthermore, https://datatracker.ietf.org/doc/html/rfc7517 has the "kid" attribute for keys i JWK sets set as OPTIONAL. I think that recommending or requiring "kid" to be present in JOSE headers also implies that using the "kid" attribute i JWK Sets should also be RECOMMENDED or perhaps required.
OpenID Connect Core 1.0 section 10.1 specifies that:
If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header.Personally, I would like all signed request objects, ID tokens, signed userinfo etc. to ALWAYS have a "kid" value present in the JOSE header. JWK sets may change over time.
Could we at least RECOMMEND in this spec to always include "kid" in JOSE headers for signed JWTs? Furthermore, https://datatracker.ietf.org/doc/html/rfc7517 has the "kid" attribute for keys i JWK sets set as OPTIONAL. I think that recommending or requiring "kid" to be present in JOSE headers also implies that using the "kid" attribute i JWK Sets should also be RECOMMENDED or perhaps required.