connect2id / Nimbus-JOSE-JWT / issues / #290 - What will happen if the JWT does not include 'kid' header — Bitbucket

Issue #290 resolved

Former user created an issue 2018-12-04

When using nimbus-jose-jwt library for validating third party JWTs with remote JWKS endpoint, what will happen if the JWT does not include the "kid" header? Does it validate the JWT with the first JWK in the set of JWKs in the list?

Comments (1)

Connect2id OSS
- changed status to resolved
It tries all keys in the JWK set until success, or the signature is assumed to be invalid.

The idea of the "kid" is to spare all that.
- 2018-12-04T09:08:43+00:00
Log in to comment

Assignee: –

Type: task

Priority: major

Status: resolved

Component: JWT

Milestone: –

Votes: 0

Watchers: None

Jira: the preferred issue tracker for Bitbucket. Join the team!