panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

"cty" should not be included in jwks query #657

Closed jmickeyd closed 9 months ago

jmickeyd commented 9 months ago

Describe the bug I am receiving a signed-then-encrypted id_token. Said token has a protected header of the form:

{
  "kid":<key id>,
  "cty":"JWT",
  "enc":"A128CBC-HS256",
  "alg":"RSA-OAEP-256"
}

In https://github.com/panva/node-openid-client/blob/01cd89a14db20cb3aef3880f914c2d0e988b1533/lib/client.js#L723-L728, the full protected header from the JWE is directly used to query the fields in the jwks, but I don't think the JWE payload content type should affect key use.

To Reproduce Fully internal IdP, can't externally fully repro, but I think the above is clear.

Expected behaviour "cty" is removed from protectedHeader before being used to probe the key set.

Environment:

Additional context This crosses a ton of specs, OIDC, JWT/JWE, and JWKS. I tried to look for any specification on this, but came up empty handed. I very well could be wrong, but intuitively it feels like the payload content type should have no bearing on the key usage.

As a workaround I just set "cty":"JWT" in the jwk, which works fine.

panva commented 9 months ago

Hi @jmickeyd,

How does this affect the resulting keystore query? From a very cursory look at the keystore the non-relevant parts of the protected header don't affect the lookup...

I guess what I'm missing here is what the problem you're experiencing might be.

jmickeyd commented 9 months ago

*sigh*, because I'm stupid... This was a red herring. Sorry for the noise.
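The keystore lookup discussed in this thread, as an added example that is not code from openid-client or its author: a small Node.js routine that decodes the protected header of a compact JWE and picks candidate decryption keys from a JWKS using only the fields that identify a key (kid, alg mapped to kty and compared with the key's own alg, use, key_ops). Payload-descriptive fields such as cty, enc, typ and zip never take part, which is why a JWK does not need a "cty" member for the key to be found. The JWKS, the header and the compact token are constructed for this example (the key material is placeholder strings, not real keys), and the function names are the example's own.

```javascript
// Added example (not openid-client code): which JWE protected-header fields
// matter when selecting a key from a JWKS, and which do not.
// Assumes Node.js (Buffer with 'base64url'); all sample data below is constructed.

// Map a JWE key-management "alg" to the JWK key type that can perform it.
// Common algorithms only; unknown alg -> undefined (no kty constraint).
function ktyForAlg(alg) {
  if (/^RSA(-OAEP(-\d+)?|1_5)$/.test(alg)) return 'RSA';
  if (/^ECDH-ES/.test(alg)) return 'EC'; // X25519 (kty OKP) omitted for brevity
  if (/^(A\d{3}(GCM)?KW|dir|PBES2-)/.test(alg)) return 'oct';
  return undefined;
}

// Decode the protected header, i.e. the first dot-separated segment of a compact JWE.
function parseProtectedHeader(compactJwe) {
  const segments = compactJwe.split('.');
  if (segments.length !== 5) throw new Error('not a compact JWE (expected 5 segments)');
  return JSON.parse(Buffer.from(segments[0], 'base64url').toString('utf8'));
}

// Return the JWKS keys that could decrypt a JWE carrying this protected header.
// Only kid, alg (via kty and the key's own alg), use and key_ops participate;
// cty, enc, typ, zip etc. describe the payload, not the key, and are ignored.
function selectDecryptionKeys(jwks, header) {
  const wantKty = ktyForAlg(header.alg);
  return jwks.keys.filter((jwk) => {
    if (header.kid !== undefined && jwk.kid !== header.kid) return false;
    if (wantKty && jwk.kty !== wantKty) return false;
    if (jwk.alg && jwk.alg !== header.alg) return false;
    if (jwk.use && jwk.use !== 'enc') return false;
    if (Array.isArray(jwk.key_ops) &&
        !jwk.key_ops.some((op) => op === 'decrypt' || op === 'unwrapKey')) return false;
    return true;
  });
}

// Constructed JWKS: an RSA encryption key and an RSA signing key sharing a kid, plus an EC key.
// "n", "x", "y" are placeholders, not real key material.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', kid: 'enc-2024', use: 'enc', alg: 'RSA-OAEP-256', n: 'placeholder', e: 'AQAB' },
    { kty: 'RSA', kid: 'enc-2024', use: 'sig', alg: 'RS256', n: 'placeholder', e: 'AQAB' },
    { kty: 'EC', kid: 'ecdh-2024', use: 'enc', crv: 'P-256', x: 'placeholder', y: 'placeholder' },
  ],
};

// Header shaped like the one in the report: kid, cty, enc, alg.
const SAMPLE_HEADER = { kid: 'enc-2024', cty: 'JWT', enc: 'A128CBC-HS256', alg: 'RSA-OAEP-256' };

// Constructed compact JWE: a genuinely base64url-encoded SAMPLE_HEADER followed by four
// placeholder segments. It cannot be decrypted; only the header is meaningful here.
const SAMPLE_COMPACT_JWE = [
  Buffer.from(JSON.stringify(SAMPLE_HEADER)).toString('base64url'),
  'encryptedKey', 'iv', 'ciphertext', 'tag',
].join('.');

// Parse the header, query the key set, and report kid/use of every matching key.
function demo() {
  const header = parseProtectedHeader(SAMPLE_COMPACT_JWE);
  const matches = selectDecryptionKeys(SAMPLE_JWKS, header);
  return matches.map((k) => `${k.kid}/${k.use}`);
}

console.log(demo()); // -> [ 'enc-2024/enc' ]
```

Changing or removing "cty" in the header leaves the result unchanged, and adding a "cty" member to a JWK (the workaround mentioned in the report) is likewise a no-op, since no comparison reads it.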