The method for selecting in a key from a JWKS using kid under OpenID Connect is not really documented, and different RP libraries appear to take slightly different strategies.
The certification team recently discovered that in some cases the tests were effectively rejecting OPs where the JWKS contained multiple keys that contained the same kid.
When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values.
(One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.)
For interoperability purpose it would seem sane to suggest that all keys should have a unique kid, allowing the RP to very easily identify the correct key to use for verification. (although RFC7517 suggests it is okay to have duplicate kids if the kty field is different between the keys.)
The certification would like to know how the Connect working group view this, in particular, should the certification suite:
- Raise a warning if it finds duplicate kids in the JWKS, but allow certification
- Raise an error if it finds duplicate in the JWKS, preventing such implementations from certifying
(For related background, the certification profiles already require that a kid is provided in the id_token if RS256 is in use, regardless of the number of keys in the JWKS.)