Support filtering JWKS by x5t claim?

[liamoneill]

Good day,

I'm trying to verify JWTs GitHub Action's JWTs tokens, however their tokens don't use the kid claim and instead seem to rely on x5t.

Example header:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "eBZ_cn3sXYAd0ch4THBKHIgOwOE"
}

JWKS server: JWKS server (has both kid & x5t)

I found a similar header in #73 (ADFS), which is starting to make me think this is a Microsoft/AD quirk (GHA's tokens have "IdentityTypeClaim": "System:ServiceIdentity", etc. in their payload).

Is this something that would be appropriate for this library to support, or is it best to do a workaround for these situations (i.e. custom getKey function)?

p.s. Thanks for your library!

[panva]

Hi @liamoneill

It would seem Github documents there being kid header parameter so the first course of action would be to open a bug report with GitHub? :)

In fact their own documentation only shows the x5t header in an example but then doesn't document it On the other hand it does exactly state that kid is also included.

And yeah, until either fixed by github or not, I would recommend passing your own getkey function.