panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

AssertionError [ERR_ASSERTION]: multiple matching keys, kid must be provided #166

Closed scholisj closed 5 years ago

scholisj commented 5 years ago

I saw prior issue https://github.com/panva/node-openid-client/issues/114.

In that issue it was stated,

In cases where there is ambiguity in the OP’s jwks_uri, ie. there are two keys suitable for RS signature validation, the OP is required to push a ‘kid’ header claim.

I logged the header in the client.js file, validateIdToken function, where the code says: const header = JSON.parse(base64url.decode(parts[0]));

This was the result: { alg: 'RS256', kid: 'a27characterKidWasHere' }

Am I misunderstanding what was needed as far as a kid header claim? Because there is a 'kid' in the header, but I still get the 'kid must be provided' message.

panva commented 5 years ago

It is very unlikely, but it can happen that the issuer is publishing the same key twice. But for the very reason that 99% of the time it's just a kid missing and the resolved JWK is ambiguous, the message is what it is.

The problem is, in the end, the issuer's jwks_uri and that they publish multiple RS256 keys with the same kid.
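The key selection the thread is about, as an added example that is not openid-client's own code: a minimal JWKS lookup that narrows the issuer's key set by kty, use, alg and kid, raises the same ambiguity error when more than one key is left, plus a check a relying party can run to spot reused kids in a jwks_uri. The JWKS, kids and modulus values are constructed placeholders, not real keys.

```javascript
// Constructed sample JWKS: the issuer publishes the same RS256 key twice under
// one kid (the situation panva describes), plus one key with a distinct kid.
const sampleJwks = {
  keys: [
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'dup-kid', n: 'placeholder-n', e: 'AQAB' },
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'dup-kid', n: 'placeholder-n', e: 'AQAB' },
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'other-kid', n: 'placeholder-n2', e: 'AQAB' },
  ],
};

// Key type each JWS alg requires; anything else is rejected up front.
const ktyForAlg = { RS256: 'RSA', RS384: 'RSA', RS512: 'RSA', ES256: 'EC', ES384: 'EC', ES512: 'EC' };

// Decode the protected header of a compact JWS without verifying anything.
// The header only drives key selection; the signature is still checked later.
function decodeHeader(jwt) {
  const [headerB64] = jwt.split('.');
  const b64 = headerB64.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Narrow the JWKS to keys that can verify this header. Exactly one key must
// remain; zero or several is a verification failure, never a guess.
function selectVerificationKey(jwks, header) {
  const kty = ktyForAlg[header.alg];
  if (!kty) throw new Error(`unsupported alg ${header.alg}`);
  const candidates = jwks.keys.filter((jwk) =>
    jwk.kty === kty
    && (jwk.use === undefined || jwk.use === 'sig')
    && (jwk.alg === undefined || jwk.alg === header.alg)
    && (header.kid === undefined || jwk.kid === header.kid));
  if (candidates.length === 0) throw new Error('no matching key found');
  if (candidates.length > 1) {
    // Same failure mode as the issue: a kid was sent, but the issuer's JWKS
    // still leaves more than one candidate, so selection is ambiguous.
    throw new Error('multiple matching keys, kid must be provided');
  }
  return candidates[0];
}

// Report kids that appear more than once in a JWKS, so the ambiguity can be
// traced to the issuer's jwks_uri rather than to the client.
function duplicateKids(jwks) {
  const counts = new Map();
  for (const { kid } of jwks.keys) {
    if (kid !== undefined) counts.set(kid, (counts.get(kid) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([kid]) => kid);
}
```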