I have an external OIDC provider that uses multiple signing keys to sign the id_tokens it issues. Now, there is only a single validating public key shown on the OIDC external provider configuration page. When importing OIDC provider configuration using the OIDC provider metadata URI, Keycloak picks the first JWK whose "use" parameter value is set to "sig". In my case, all JWKs in the JWK Set have their "use" member set to "sig". I took a cursory look at the JWKS spec (https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41#section-4.2) and, based on what I've read, it seems there could be more than one key with the same "use" parameter. Shouldn't Keycloak store all signing keys instead of just one, and use the value of the "kid" parameter from the provider's auth response to choose the corresponding public key to do the validation?
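The selection the post is asking for, as an added example that is not code from the post or from Keycloak: parse the JWKS, pick the JWK whose "kid" matches the token header, and only then verify the RS256 signature, alongside the "first JWK with use=sig" selection the post describes so the two can be compared. It uses only the Python standard library, so a demo-grade RSA key generator and PKCS#1 v1.5 signing are inlined (they stand in for a real JOSE library and are not hardened); the JWKS, the kids "2019-key-a"/"2019-key-b", the issuer "https://op.example" and the claims are all constructed for the demo, and Python 3.8+ is assumed for `pow(e, -1, phi)`.

```python
# Added example: choose the OIDC provider's signing key by "kid", not by position.
# Demo-only RSA/PKCS#1 v1.5 inlined below; keys, kids and claims are constructed.
import base64, hashlib, json, random

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for demo keys, not a substitute for a real library."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_rsa_key(bits=1024):
    """Demo-only keypair (random module, small modulus); e = 65537."""
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(half) | (1 << (half - 1)) | 1
        while not _is_probable_prime(q) or q == p:
            q = random.getrandbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n)
    return m.to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)


def jwk_from_key(key, kid):
    """Public half as a JWK; every key gets use=sig, as in the post's JWKS."""
    to_b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": to_b64(key["n"]), "e": to_b64(key["e"])}


def sign_jwt(key, kid, claims):
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rsa_sign(key, signing_input.encode()))


def select_signing_key(jwks, kid):
    """Pick by kid from the trusted JWKS only; a lone sig key is the sole fallback without kid."""
    sig_keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if kid is not None:
        matches = [k for k in sig_keys if k.get("kid") == kid]
        if len(matches) != 1:
            raise KeyError("kid %r matches %d signing keys" % (kid, len(matches)))
        return matches[0]
    if len(sig_keys) == 1:
        return sig_keys[0]
    raise KeyError("no kid in header and %d candidate signing keys" % len(sig_keys))


def first_sig_key(jwks, kid):
    """The selection the post describes: first JWK with use=sig, kid ignored."""
    return next(k for k in jwks["keys"] if k.get("use") == "sig")


def verify_jwt(token, jwks, pick_key=select_signing_key):
    """Return the claims if the signature verifies under the key pick_key chooses."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unsupported alg %r" % header.get("alg"))
    jwk = pick_key(jwks, header.get("kid"))
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rsa_verify(n, e, (h + "." + p).encode(), b64url_decode(s)):
        raise ValueError("signature does not verify under kid %r" % jwk.get("kid"))
    return json.loads(b64url_decode(p))


def verifies(token, jwks, pick_key=select_signing_key):
    try:
        verify_jwt(token, jwks, pick_key)
        return True
    except (KeyError, ValueError):
        return False


def demo():
    """Two use=sig keys in one JWKS; the id_token is signed with the second."""
    keys = {kid: make_rsa_key() for kid in ("2019-key-a", "2019-key-b")}
    jwks = {"keys": [jwk_from_key(k, kid) for kid, k in keys.items()]}
    token = sign_jwt(keys["2019-key-b"], "2019-key-b", {"sub": "alice", "iss": "https://op.example"})
    return verifies(token, jwks), verifies(token, jwks, first_sig_key), token, jwks
```

`demo()` returns `(True, False, ...)`: keyed by "kid" the token verifies, while the first-use=sig selection rejects a perfectly valid token as soon as the provider rotates to or signs with its second key. Two design points worth keeping: the "kid" only selects among keys already fetched from the trusted JWKS endpoint (a `jwk` or `jku` header carried by the token must never be honoured), and when a header has no "kid" the code refuses unless exactly one candidate exists, rather than trying every key in turn.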