use kid-specific jwk for verification

2026-05-31 08:43:37 +00:00 · 2026-04-03 19:33:56 +02:00
parent fa215009cd
commit effb9161f8
1 changed files with 3 additions and 2 deletions
--- a/dlib/auth/oidc.py
+++ b/dlib/auth/oidc.py
@@ -71,10 +71,11 @@ class OidcTokenValidator:
                sub="dev-user", email="dev@example.com", name="Developer"
            )
        header = jwt.get_unverified_header(token)
-        key = await self._get_key(header.get("kid"))
+        kid = header.get("kid")
        alg = header.get("alg") or "RS256"
        key = await self._get_key(kid)
        if not key:
            raise TokenValidationError("Unable to resolve signing key")
        alg = header.get("alg") or key.get("alg") or "RS256"
        try:
            claims = jwt.decode(
                token,