Missing kid in jwt?

[adrianrudnik]

Hi there, trying to get back into a hosted ory.sh project, I was trying to validate the issued JWT that comes through a development proxy.

Basically I have the JWT itself, which works at https://jwt.io/#debugger-io. I also have the extracted key from my ory-cli proxy .../.ory/proxy/jwks.json. As this is a JWK set, I have to extract the single key from the set and paste it into the jwt.io debugger to get a valid signature. So far I can confirm that the manual parts work as expected, if I would not receive a key-set.

Now I use firebase/php-jwt vendor, which seems the most solid and maintained solution to JWT/JWK stuff. Here are the steps that lead to the validation error:

• Fetch the JWK set via URL and parse them.
• I extract the bearer token from the Authorization header attached by the proxy towards my API.
• I try to JWT::decode it and it fails with the error "kid" empty, unable to lookup correct key.

I debugged the issued JWT from the ory-cli proxy and indeed does not have a kid header in it. Is there any reason why the issuing key is not attached to the given JWT?

The CLI used is the one based on docker:

docker run --rm -it oryd/ory version
Version:    v0.2.2
Git Hash:   3ef9cd5f54d31fdc8da9ea3d9bfa1cfefb6f098d
Build Time: 2023-01-26T09:52:48Z

[aeneasr]

Thank you for the question, this is indeed a bug at the moment. A fix is available here but it's currently not passing tests: ory/cli#208

[adrianrudnik]

A very good, thank you for the link! I will watch the issue.