Description
As can be seen here, we require a JWT key with a use=sig property.
Test case
This is probably correct, but perhaps we could add a flag to ignore this validation, since, if the signature is valid..
However, according to JWS Appendix D:
Filter the set of collected keys. For instance, some applications will use only keys referenced by "kid" (key ID) or "x5t" (X.509 certificate SHA-1 thumbprint) parameters. If the application uses the "alg" (algorithm), "use" (public key use), or "key_ops" (key operations) parameters, keys with keys with inappropriate values of those parameters would be excluded. Additionally, keys might be filtered to include or exclude keys with certain other member values in an application specific manner. For some applications, no filtering will be applied.
Emphasis mine. I guess the code is correct, but I wanted to keep a record of this.