Replies: 1 comment 1 reply
-
https://github.com/panva/node-openid-client/releases/tag/v4.9.1 fixes this issue. Unless a |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
There is seemingly no way to exclude the kid from the client assertion JWT header. It either has the value of the kid in the initial JWK provided in the JWKS to the client, or it is automatically constructed (in the 'jose' library?) if it is missing. This might be a problem in cases where the OP does not indicate how to derive the kid, because if we provide the wrong kid, the authentication will fail.
Based on what I understand from the specs, there should be no problem with making it optional, so could we add an option to exclude it from the JWT?
Beta Was this translation helpful? Give feedback.
All reactions