Closed scholisj closed 5 years ago
It is very unlikely, but it can happen that the issuer is publishing the same key twice. But for the very reason that 99% of the time it's just a kid missing and the resolved jwk is ambiguous, the message is what it is.
The problem is, in the end, the issuer's jwks_uri and that they publish multiple RS256 keys with the same kid.
I saw prior issue https://github.com/panva/node-openid-client/issues/114.
In that issue it was stated,
I logged the header in the client.js file, validateIdToken function, where the code says:
const header = JSON.parse(base64url.decode(parts[0]));
This was the result:
{ alg: 'RS256', kid: 'a27characterKidWasHere' }
Am I misunderstanding what was needed as far as a kid header claim? Because there is a 'kid' in the header, but I still get the 'kid must be provided' message.
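The ambiguity discussed in this thread, as an added example that is not part of the original issue and is not node-openid-client's own code: a JWKS lookup that tells apart a unique match, no match, one key listed twice, and distinct keys sharing a kid. Helper names are hypothetical and the JWKS and tokens are constructed sample data.

```javascript
// Added example; helper names are hypothetical and all sample data is constructed.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Read the JOSE header of a compact JWT (no signature check happens here).
function decodeHeader(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new TypeError('expected three dot-separated segments');
  // Node's 'base64' decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
}

// JWKS entries that could verify a token with this header (RSA algorithms only).
function candidateKeys(jwks, header) {
  if (!/^(RS|PS)(256|384|512)$/.test(header.alg)) return [];
  return jwks.keys.filter((k) => k.kty === 'RSA'
    && (k.use === undefined || k.use === 'sig')
    && (k.alg === undefined || k.alg === header.alg)
    && (header.kid === undefined || k.kid === header.kid));
}

// Classify the lookup: one key, none, one key listed twice, or distinct keys colliding.
function resolveKey(jwks, header) {
  const matches = candidateKeys(jwks, header);
  if (matches.length === 0) return { status: 'none', count: 0 };
  if (matches.length === 1) return { status: 'unique', count: 1, key: matches[0] };
  const distinct = new Set(matches.map((k) => `${k.n}.${k.e}`));
  const status = distinct.size === 1 ? 'duplicate-entry' : 'ambiguous';
  return { status, count: matches.length };
}

// Constructed JWKS: the moduli are placeholders, not real RSA keys.
const SAMPLE_JWKS = { keys: [
  { kty: 'RSA', kid: 'dup-kid', alg: 'RS256', use: 'sig', e: 'AQAB', n: 'constructed-modulus-1' },
  { kty: 'RSA', kid: 'dup-kid', alg: 'RS256', use: 'sig', e: 'AQAB', n: 'constructed-modulus-2' },
  { kty: 'RSA', kid: 'twice', alg: 'RS256', use: 'sig', e: 'AQAB', n: 'constructed-modulus-3' },
  { kty: 'RSA', kid: 'twice', alg: 'RS256', use: 'sig', e: 'AQAB', n: 'constructed-modulus-3' },
  { kty: 'RSA', kid: 'solo-kid', alg: 'RS256', use: 'sig', e: 'AQAB', n: 'constructed-modulus-4' },
] };

const tokenFor = (header) => [b64u(header), b64u({ sub: 'constructed' }), 'sig'].join('.');

for (const kid of ['dup-kid', 'twice', 'solo-kid', 'absent', undefined]) {
  const header = decodeHeader(tokenFor({ alg: 'RS256', kid }));
  console.log(kid, resolveKey(SAMPLE_JWKS, header).status);
}
```

Run against an issuer's published JWKS, an `ambiguous` result for a token that does carry a kid points at the issuer's key set rather than at the token header.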