Closed xoapit closed 6 months ago
When integrating with ID.me, I found that the key.jwk from IdP does not include kid. We should only check kid if it is defined in IdP, if not, we should skip it.
I'm going to go ahead and close this because it doesn't actually change any behaviour. If there is a kid
in an assertion there must be a matching kid
in the JWK Set. A missing JWK Set kid
does not preclude an assertion being verified given there's no kid
in its protected header.
Hi @xoapit
can you explain your fix? What is it fixing, what conditions to reproduce, add a regression test.