Loss of access to "kid" header to determine which key to use.

[JonathanWilbur]

Describe the bug

In version 2 of this library, I was able to access the kid claim of a JWT to determine which key was used to sign it like so: jwt.header["kid"] ?? jwt.payload["kid"], but now I cannot access the payload of a JWT without first verifying it (which involves a key).

Expected behaviour

Either allow un-verified access to the contents of a JWT, and/or implement a feature that allows a JWK set to be supplied as an argument to verifyJWT() and identify the correct key to use for verification.

Environment:

• jose version: 3.1.3
• affected runtime is: NodeJS v14.4.0

Additional context

• the bug is happening on latest jose too.
• i have searched the issues tracker on github for similar issues and couldn't find anything related.

[panva]

First of all, this is not appropriate for a bug issue template, there is no bug, just lack of effort to look for an already existing (see below) solution. So i'm going to close.

Either allow un-verified access to the contents of a JWT

Not going to do that, decoding a JWT is a trivial job that you're free to do on your own.

and/or implement a feature that allows a JWK set to be supplied as an argument to verifyJWT() and identify the correct key to use for verification.

The 'jose/jwt/verify' module already does allow the key argument to be a function resolving the key in which you can do exactly what you ask, please consider reading the docs more thoroughly. One such implementation of this function interface is available when working with a remote jwk set.