Verifying signatures when kid is not unique

[mike-jm]

Hello everyone!

In our setting a JWKS can contain multiple keys with the same kid. The standard does not completely rule out this case: https://datatracker.ietf.org/doc/html/rfc7517#section-4.5
In such a case jws.keySetProvider selects only one key and verification of the signature can fail. However, the verification would succeed if jws.keySetProvider selected all the keys matching the kid.

Would you accept a pull request with tests for jws.keySetProvider that changes the behavior to select all keys matching the kid?
IMHO jws.keySetProvider would be the place to put such behavior. But maybe there is a better place.

Regards,

Michael

[gbolo]

@mike-jm are you referring to multiple keys with the same kid but all of them of unique types? If they are of the same type then they should have unique kid. According to the section of the RFC you posted:

When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values.  (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.)

[mike-jm]

They should have unique kid, but they do not. Anyways, this is not under my control and closed source software. I am hesitating to say that the system does something wrong, because as I understand this RFC using SHOULD wording is not as strong as using MUST.
I do not want to do any finger pointing but this system is from one of the major IAM vendors. So I think selecting multiple keys for signature verification may benefit the users of jwx.

[lestrrat]

@mike-jm sorry, I was busy with life and didn't check back into this repository for a few days.

Yes, as long as you provide me with testcases and what not I can definitely take a look and try to see how I can solve your issue.

[mike-jm]

@lestrrat OK, I will start working on a PR. Do I need to create an issue first, or do you accept PRs without an issue?

[lestrrat]

I don't really have a strong opinion.
However, I do care that the reporter does his best to try to explain what it is they are trying to do with ample tests, pseudocode, documentation, etc.