From effb9161f8b9753289adac2a01717f44b2d8c2ba Mon Sep 17 00:00:00 2001
From: Daniel Rosel
Date: Fri, 3 Apr 2026 19:33:56 +0200
Subject: [PATCH] use kid-specific jwk for verification

---
 dlib/auth/oidc.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dlib/auth/oidc.py b/dlib/auth/oidc.py
index 590f954..dbf8cf1 100644
--- a/dlib/auth/oidc.py
+++ b/dlib/auth/oidc.py
@@ -71,10 +71,11 @@ class OidcTokenValidator:
             sub="dev-user", email="dev@example.com", name="Developer"
         )
         header = jwt.get_unverified_header(token)
-        key = await self._get_key(header.get("kid"))
+        kid = header.get("kid")
+        alg = header.get("alg") or "RS256"
+        key = await self._get_key(kid)
         if not key:
             raise TokenValidationError("Unable to resolve signing key")
-        alg = header.get("alg") or key.get("alg") or "RS256"
         try:
             claims = jwt.decode(
                 token,
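Review bot: The added `alg = header.get("alg") or "RS256"` now derives the verification algorithm from the unverified token header alone, dropping the `key.get("alg")` fallback that the removed line consulted after the JWK was resolved; the header is supplied by whoever presents the token, so the algorithm handed to `jwt.decode` should be pinned to the JWK's declared `alg` (or a fixed server-side allowlist) and the header value only compared against it. I would compute it after the `if not key` guard, e.g. `alg = key.get("alg") or "RS256"` followed by `if header.get("alg") not in (None, alg): raise TokenValidationError("Token alg does not match signing key")`. The `jwt.decode(...)` call that consumes `alg` continues outside the hunk, so I cannot confirm from here whether it passes `algorithms=[alg]`, but that is the line this value reaches. `_get_key(kid)` is also now called with a possibly missing `kid` exactly as before; whether `None` is handled safely depends on `_get_key`, which is outside the hunk, and a short comment such as `# kid may be absent; _get_key must not fall back to an arbitrary key` would make the contract explicit. The enclosing method starts and ends outside the hunk.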