panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
1.83k stars 392 forks

fix: check key.jwk.kid in keystore when comparing #675

Closed (xoapit closed this 6 months ago)

panva commented 6 months ago

Hi @xoapit

Can you explain your fix? What is it fixing, what are the conditions to reproduce it, and please add a regression test.

xoapit commented 6 months ago

When integrating with ID.me, I found that the key.jwk from the IdP does not include a kid. We should only check the kid if it is defined by the IdP; if not, we should skip it.

panva commented 6 months ago

I'm going to go ahead and close this because it doesn't actually change any behaviour. If there is a kid in an assertion there must be a matching kid in the JWK Set. A missing JWK Set kid does not preclude an assertion being verified given there's no kid in its protected header.
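The selection rule panva describes above, written out as an added JavaScript example (this is not openid-client's own code, and openid-client may implement the step differently): when the JWS protected header carries a kid, only a JWK with exactly that kid is acceptable; when the header carries no kid, every key compatible with the alg stays a candidate, including keys the IdP published without a kid. The function names selectVerificationKeys and keyTypeForAlg and the sample JWK Set with placeholder key material are assumptions constructed for illustration.

```javascript
// Added example, not openid-client's code: pick JWK Set candidates for
// verifying a JWS from its protected header. Helper and sample names are
// assumptions made for this illustration.

// Map an alg value to the JWK key type it needs (subset sufficient here).
function keyTypeForAlg(alg) {
  if (/^(RS|PS)\d{3}$/.test(alg)) return 'RSA';
  if (/^ES\d{3}K?$/.test(alg)) return 'EC';
  if (alg === 'EdDSA') return 'OKP';
  if (/^HS\d{3}$/.test(alg)) return 'oct';
  throw new Error(`unsupported alg: ${alg}`);
}

function selectVerificationKeys(jwks, protectedHeader) {
  const { alg, kid } = protectedHeader;
  if (typeof alg !== 'string') throw new TypeError('protected header lacks alg');
  const kty = keyTypeForAlg(alg);

  // Keys that could verify this alg at all: matching kty, not restricted to
  // encryption, and not pinned to a different alg.
  let candidates = jwks.keys.filter(
    (k) =>
      k.kty === kty &&
      (k.use === undefined || k.use === 'sig') &&
      (k.alg === undefined || k.alg === alg),
  );

  if (kid !== undefined) {
    // Header carries a kid: a usable key with exactly that kid must exist.
    if (typeof kid !== 'string') throw new TypeError('kid must be a string');
    candidates = candidates.filter((k) => k.kid === kid);
    if (candidates.length === 0) {
      throw new Error(`no JWK with kid "${kid}" usable for ${alg}`);
    }
    return candidates;
  }

  // No header kid: a JWK Set key without a kid does not block verification;
  // every compatible key remains a candidate and the caller tries each one.
  if (candidates.length === 0) throw new Error(`no JWK usable for ${alg}`);
  return candidates;
}

// Constructed sample JWK Set; the key material values are placeholders, not real keys.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', kid: 'rsa-2024', n: 'PLACEHOLDER_N', e: 'AQAB' },
    // Published without a kid, as the IdP in this thread reportedly does.
    { kty: 'RSA', use: 'sig', n: 'PLACEHOLDER_N2', e: 'AQAB' },
    { kty: 'EC', crv: 'P-256', kid: 'ec-1', x: 'PLACEHOLDER_X', y: 'PLACEHOLDER_Y' },
    // Encryption-only key: never a signature verification candidate.
    { kty: 'RSA', use: 'enc', kid: 'rsa-enc', n: 'PLACEHOLDER_N3', e: 'AQAB' },
  ],
};
```

This covers only candidate selection; signature verification itself then runs against each returned key in turn, and a header kid that matches no usable key is rejected outright rather than silently skipped.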