What will happen if the JWT does not include 'kid' header
Issue #290
resolved
When using the nimbus-jose-jwt library to validate third-party JWTs with a remote JWKS endpoint, what will happen if the JWT does not include the "kid" header? Does it validate the JWT with the first JWK in the set of JWKs in the list?
Comments (1)
It tries all keys in the JWK set until success, or the signature is assumed to be invalid.
The idea of the "kid" is to spare all that.
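
The behaviour described in the comment above, shown as an added example that is not part of the original issue or the project's own code. It assumes nimbus-jose-jwt on the classpath and Java 9+, and uses an in-memory `ImmutableJWKSet` with freshly generated keys (constructed sample data, with made-up key IDs) in place of the remote JWKS endpoint.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.util.List;

public class NoKidDemo {
    // Signs a constructed token with `signer`, sets "kid" only when it is non-null,
    // and reports whether the processor accepts the token.
    static boolean accepts(DefaultJWTProcessor<SecurityContext> proc, RSAKey signer, String kid)
            throws Exception {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build();
        SignedJWT jwt = new SignedJWT(header, new JWTClaimsSet.Builder().subject("alice").build());
        jwt.sign(new RSASSASigner(signer));
        try {
            proc.process(jwt.serialize(), null);
            return true;
        } catch (BadJOSEException e) { // no candidate key verified the signature
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: key-1 and key-2 stand in for the issuer's published JWKS,
        // key-x is a key that is not in the set.
        RSAKey k1 = new RSAKeyGenerator(2048).keyID("key-1").generate();
        RSAKey k2 = new RSAKeyGenerator(2048).keyID("key-2").generate();
        RSAKey kx = new RSAKeyGenerator(2048).keyID("key-x").generate();
        List<JWK> published = List.of(k1.toPublicJWK(), k2.toPublicJWK());

        DefaultJWTProcessor<SecurityContext> proc = new DefaultJWTProcessor<>();
        proc.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256,
                new ImmutableJWKSet<SecurityContext>(new JWKSet(published))));

        // No "kid": every RSA key in the set is a candidate, so the second key verifies it.
        System.out.println("no kid, signed by key-2:    " + accepts(proc, k2, null));
        // No "kid", signer not in the set: all candidates fail and the token is rejected.
        System.out.println("no kid, signed by key-x:    " + accepts(proc, kx, null));
        // "kid" narrows the candidates to key-1 only, so key-2's signature does not verify.
        System.out.println("kid=key-1, signed by key-2: " + accepts(proc, k2, "key-1"));
    }
}
```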