Error: kid must be provided in JWT header

[nikkilocke]

Trying to use this app with a home-grown OpenId provider.

I get the error above. But, quoting from the OpenId docs at https://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName :

The "kid" (key ID) header parameter is a hint indicating which specific key owned by the signer should be used to validate the signature. This allows signers to explicitly signal a change of key to recipients. Omitting this parameter is equivalent to setting it to an empty string. The interpretation of the contents of the "kid" parameter is unspecified. This header parameter is OPTIONAL.

So why is it not optional in your implementation?

[nikkilocke]

It also appears as if the app does not accept the HS256 key algorithm (which always uses the client_secret as a key). See https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

That, presumably, explains why you insist on a key id?

[Rob787]

Also working for months with Zitadel https://zitadel.com, this today became suddenly an issue for our Nextcloud instance.

[julien-nc]

This is most likely all due to limitations of the firebase/php-jwt library used in user_oidc. It requires the KID to be set in the token headers so the right key can be used in the JWK array.
Maybe our fix ( https://github.com/nextcloud/user_oidc/blob/main/lib/Service/DiscoveryService.php#L129 ) can be improved and deal with missing KID.
If anyone wants to dive into this, I can help. Otherwise it could take time before I do it.

[solracsf]

@nikkilocke @Rob787 can you test the linked PR? Thanks.

[AR2000AR]

@nikkilocke @Rob787 can you test the linked PR? Thanks.

Tested and found an other problem related the the JWKS in the same file. #1223
TLDR : JWKS cache can break login for 1h

[solracsf]

@AR2000AR despite this "new" (but unrelated) issue, did it fix this specific issue?

[AR2000AR]

The patch from your PR did fix the kid issue.
The kid crash hid the jwks one. That's why I mentioned it here.