As per the language in the RFC, this is only a SHOULD (not a MUST), so the publisher of the JWK Set is free to publish keys with duplicate "kid" values. A robust client library needs to be able to handle this case, as it clearly does occur in the wild. Our (ForgeRock's) authorization server has also done this in the past (publishing the same key with different "use" or "alg" values, for example).
-- Neil

> On 7 Jan 2020, at 10:46, Ricardo Pereira <[email protected]> wrote:
>
> Hello,
>
> I have a question regarding section 4.5 of RFC 7517, which states:
>
> 4.5 <https://tools.ietf.org/html/rfc7517#section-4.5>. "kid" (Key ID) Parameter
>
> The "kid" (key ID) parameter is used to match a specific key. This
> is used, for instance, to choose among a set of keys within a JWK Set
> during key rollover. The structure of the "kid" value is
> unspecified. When "kid" values are used within a JWK Set, different
> keys within the JWK Set SHOULD use distinct "kid" values. (One
> example in which different keys might use the same "kid" value is if
> they have different "kty" (key type) values but are considered to be
> equivalent alternatives by the application using them.) The "kid"
> value is a case-sensitive string. Use of this member is OPTIONAL.
> When used with JWS or JWE, the "kid" value is used to match a JWS or
> JWE "kid" Header Parameter value.
>
> The part which is raising concerns is:
>
> When "kid" values are used within a JWK Set, different keys within the JWK
> Set SHOULD use distinct "kid" values.
>
> Context:
>
> I am using an OpenID certified Node library which does not allow for multiple
> keys with the same ID.
> An issue <https://github.com/panva/node-openid-client/issues/166> has been
> opened (and closed) where the author/maintainer states that the keys should
> have different kids and the problem is with the issuer.
>
> The issuer (based on IdentityServer4) which I connect to states the
> opposite: that the offending keys (the repeating ones) are not different
> keys but the same and, as such, can use the same kid.
>
> Question:
>
> Which party is correct?
>
> Thank you for your time,
>
> Ricardo Pereira
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
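One way a verifying client can tolerate duplicate "kid" values, as an added example that is not code from this thread, from node-openid-client or from ForgeRock: instead of indexing the JWK Set by "kid" alone, narrow the candidates by "kty", "use", "alg" and "key_ops" and hand every remaining key to the verifier. The alg-to-kty table is assumed from the RFC 7518 algorithm names, and the JWK Set below is constructed with placeholder (non-functional) key material so that only the selection logic is exercised.

```javascript
// Added example: select JWS verification keys from a JWK Set whose "kid"
// values are not guaranteed to be unique (RFC 7517 only SHOULDs that).

// Assumed mapping of RFC 7518 JWS algorithms to the JWK "kty" they require.
const KTY_FOR_ALG = {
  RS256: 'RSA', RS384: 'RSA', RS512: 'RSA',
  PS256: 'RSA', PS384: 'RSA', PS512: 'RSA',
  ES256: 'EC', ES384: 'EC', ES512: 'EC',
  HS256: 'oct', HS384: 'oct', HS512: 'oct',
  EdDSA: 'OKP',
};

// Returns every JWK in `jwks.keys` that could verify a JWS carrying `header`
// (the protected header with "alg" and optionally "kid"). Duplicate "kid"s
// are not an error here: keys are filtered by the other JWK members, and the
// caller is expected to try each returned candidate rather than just the first.
function selectVerificationKeys(jwks, header) {
  if (!jwks || !Array.isArray(jwks.keys)) {
    throw new TypeError('JWK Set must contain a "keys" array');
  }
  const kty = KTY_FOR_ALG[header.alg];
  if (!kty) throw new Error(`unsupported JWS alg: ${header.alg}`);
  return jwks.keys.filter((k) =>
    k.kty === kty &&
    (header.kid === undefined || k.kid === header.kid) &&
    (k.use === undefined || k.use === 'sig') &&          // encryption keys are out
    (k.alg === undefined || k.alg === header.alg) &&     // JWK "alg" must agree
    (k.key_ops === undefined || k.key_ops.includes('verify'))
  );
}

// Constructed sample JWK Set (placeholder values, not real keys): three keys
// share kid "2020-01" but differ in "use" or "kty", as described in the thread.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', kid: '2020-01', use: 'sig', alg: 'RS256', n: 'placeholder-n', e: 'AQAB' },
    { kty: 'RSA', kid: '2020-01', use: 'enc', alg: 'RSA-OAEP', n: 'placeholder-n', e: 'AQAB' },
    { kty: 'EC', kid: '2020-01', use: 'sig', crv: 'P-256', x: 'placeholder-x', y: 'placeholder-y' },
    { kty: 'RSA', kid: '2019-12', use: 'sig', n: 'placeholder-old-n', e: 'AQAB' },
  ],
};

// Usage: for a JWS with header {kid: "2020-01", alg: "RS256"} exactly the
// RSA signing key is returned; the "enc" and EC keys with the same kid are not.
const candidates = selectVerificationKeys(SAMPLE_JWKS, { kid: '2020-01', alg: 'RS256' });
console.log(candidates.map((k) => `${k.kty}/${k.use}/${k.kid}`));
```

A client that wants to detect the issuer's non-unique kids for logging can still count them, but rejecting the whole JWK Set on a duplicate is what breaks interoperability with servers like the ones named above.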
