Multiple matching kid support #866

Open
@cfauchard

Is there some kind of support for multiple keys sharing the same ID on a JWK ?

Although not an encouraged practice, this is allowed by the standard, see https://openid.net/specs/openid-financial-api-part-2-1_0.html#duplicate-key-identifiers and of course we're facing this issue (keys with the same kid but different alg; the first one is selected regardless of alg).

For now we're locally patching Message.get_verify_keys, KeyBundle.get_key_with_kid, KeyBundle.get_decrypt_key and KeyBundle.get_key_by_kid to retrieve key matching with both kid and alg.

This is straightforward (and I can submit a patch if you're OK with this approach) but doesn't handle all cases exposed by the standard (extract of the openid.net spec below):

However, to increase interoperability when there are multiple keys with the same kid, the verifier shall consider other JWK attributes, such as kty, use, alg, etc., when selecting the verification key for the particular JWS message.

  1. Do you see another way to handle this case without modifying pyoidc?
  2. Are you interested in supporting this?
    a. Do you want me to submit a patch supporting kid disambiguation by alg?
    b. Or do you want to discuss something more generic?

Thanks in advance
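As an added illustration of the selection the FAPI text asks for, here is a stand-alone Python key selector. It is example code written for this page, not pyoidc's implementation and not the poster's patch; the JWKS (`SAMPLE_JWKS`, `AMBIGUOUS_JWKS`), the `ALG_TO_KTY` table and the function names are constructed for the example, and the key material in the JWKs is placeholder text rather than real keys. `first_key_with_kid` reproduces the naive "first kid match wins" behaviour the issue describes; `select_key` narrows the candidates by `use`, `alg` and `kty` and refuses to guess when several keys still match.

```python
"""Key selection from a JWKS that contains duplicate "kid" values.

Example code added for this page (not pyoidc code). The sample JWKS and the
alg->kty table below are constructed for the example.
"""
from typing import Dict, List, Optional

# Constructed sample JWKS: two keys share kid "2024-key" and differ only in
# kty/alg. Key material ("n", "x", ...) is placeholder text, not real keys.
SAMPLE_JWKS: Dict[str, List[dict]] = {
    "keys": [
        {"kid": "2024-key", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kid": "2024-key", "kty": "EC", "alg": "ES256", "use": "sig",
         "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"},
        {"kid": "enc-key", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# Constructed JWKS where narrowing cannot decide: both keys share kid and kty
# and neither declares "alg" or "use".
AMBIGUOUS_JWKS: Dict[str, List[dict]] = {
    "keys": [
        {"kid": "dup", "kty": "RSA", "n": "placeholder-1", "e": "AQAB"},
        {"kid": "dup", "kty": "RSA", "n": "placeholder-2", "e": "AQAB"},
    ]
}

# JOSE "alg" -> the "kty" that can carry it. Used when a JWK omits "alg",
# so an RS256 header never selects an EC key even if the JWK has no "alg".
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA", "RSA1_5": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC", "ECDH-ES": "EC",
    "EdDSA": "OKP",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}


class AmbiguousKey(Exception):
    """More than one JWK still matches after every header attribute was applied."""


def first_key_with_kid(jwks: dict, kid: str) -> Optional[dict]:
    """Naive lookup: first key whose kid matches, ignoring alg/kty/use."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None


def select_key(jwks: dict, header: dict, use: str = "sig") -> Optional[dict]:
    """Return the single JWK for a JWS/JWE protected header, or None.

    Narrows by kid first, then by the JWK attributes the FAPI text names
    (use, alg, kty). Raises AmbiguousKey rather than picking silently when
    several keys remain, because verifying against the wrong key of a
    duplicate-kid pair fails closed only by accident.
    """
    kid = header.get("kid")
    alg = header.get("alg")
    keys = jwks.get("keys", [])
    candidates = keys if kid is None else [k for k in keys if k.get("kid") == kid]
    if len(candidates) <= 1:
        return candidates[0] if candidates else None

    def compatible(key: dict) -> bool:
        # A JWK that declares "use" must agree with the intended use.
        if key.get("use") not in (None, use):
            return False
        if alg:
            # A JWK that declares "alg" must agree with the header's alg ...
            if key.get("alg") is not None and key["alg"] != alg:
                return False
            # ... and its key type must be able to carry that alg at all.
            expected_kty = ALG_TO_KTY.get(alg)
            if expected_kty and key.get("kty") != expected_kty:
                return False
        return True

    narrowed = [k for k in candidates if compatible(k)]
    if len(narrowed) > 1:
        raise AmbiguousKey(
            f"{len(narrowed)} keys match kid={kid!r} alg={alg!r} use={use!r}"
        )
    return narrowed[0] if narrowed else None


if __name__ == "__main__":
    es_header = {"kid": "2024-key", "alg": "ES256"}
    print("naive :", first_key_with_kid(SAMPLE_JWKS, "2024-key")["alg"])
    print("narrow:", select_key(SAMPLE_JWKS, es_header)["alg"])
```

The no-`kid` case is handled by the same narrowing, which is why `select_key` raises rather than returning the first of several compatible keys; a verifier that wants to try every remaining candidate in turn can catch `AmbiguousKey` and do so deliberately. Note that `key_ops` is not consulted here; a JWKS that relies on it instead of `use` would need that check added.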
