How does the library work for a token that doesn't have kid in header, but only x5t?

[Freundschaft]

I have a token with a header that has only set the x5t field, but not the kid field, as far as I can see this lib is using only the kid value? how would be the correct way to proceed with a JWT that only has X5T in the header?

as far as I can see form my well known jwks file, both values are identical there.

[Freundschaft]

I believe that https://tools.ietf.org/html/rfc7515#section-6 states that all the header parameters jku, jwk, kid x5u, x5c, x5t and x5t#s256 could be used to identify the key used, am I missing something?

[larryboymi]

I agree. I have a case with only an x5t as well. This spec refers to most of these as optional. Is there a way we could specify which header parameter to use as the key when searching via getSigningKey?

[larryboymi]

FWIW... I added this to my promisified version of my case for now...

const getSigningKey = (kID) => // in case k5t is there while kID is not
  getSigningKeys()
  .then((keys) => keys.find(k => k.k5t === kID || k.kid === kID))

[williamdenton]

for reference here is the code block that has the problem:

node-jwks-rsa/src/JwksClient.js

Lines 103 to 109 in b0bce42

	const key = keys.find(k => k.kid === kid);
	if (key) {
	return cb(null, key);
	} else {
	this.logger(`Unable to find a signing key that matches '${kid}'`);
	return cb(new SigningKeyNotFoundError(`Unable to find a signing key that matches '${kid}'`));
	}

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

[williamdenton]

@damieng, could this at least be triaged by an Auth0 maintainer?

[philmerrell]

This came up for us when trying to validate access_tokens through ADFS. For whatever reason, id_tokens have a kid, but access_tokens have x5t in the header. Not sure if this is all ADFS instances or only ours. We don't have control over the box, so this would be a great fix.

[dejan9393]

I actually opened up #55 a while ago to allow JWT's without a KID header to pass validation