Using token_endpoint_auth_method as private_key_jwt with multiple jwks


I was able to execute a client credential flow using a token_endpoint_auth_method of private_key_jwt when I registered just a single key in the jwks property of the client. That is, I was able to sign a JWT and send it to the /token endpoint via a client_assertion and get back a token.

However, if I register a set of more than one key in the jwks for the client, using unique kids, I only get an error from the /token endpoint:

  {
    "error": "invalid_client",
    "error_description": "The client_assertion JWT kid is invalid."
  }

I am in fact including a kid claim in the signed client_assertion JWT that matches the corresponding kid in the client’s jwks, so I don’t understand why I’m getting this error.

Are there any special rules around how to assign kids to the JWKs? In this particular example I am simply using the string "1" for the kid.

Has anyone else successfully used clients with multiple keys in jwks?


Oops, amateur hour over here, heh; I was putting the kid in the JWT body instead of its header. Once I put the kid in the header all worked as expected.
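The mistake described in this thread, as an added example that is not from the original post or any particular authorization server: a Go sketch of both sides, a client that builds a private_key_jwt client_assertion (with a switch that reproduces putting the kid in the claims instead of the JOSE header) and a token endpoint that resolves the signing key by the header kid only. The RSA key material, the kids "1" and "2", the client id, the token endpoint URL and the jti are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Constructed example: two RSA keys under kids "1" and "2"; a real token endpoint holds only the public halves.
func mustKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
var clientKeys = map[string]*rsa.PrivateKey{"1": mustKey(), "2": mustKey()}
func encPart(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs an RS256 private_key_jwt client_assertion with the RFC 7523 claims.
// kidInHeader=false reproduces the mistake above: kid among the claims instead of in the header.
func BuildAssertion(kid, clientID, tokenEndpoint string, kidInHeader bool) (string, error) {
	key, ok := clientKeys[kid]
	if !ok { return "", errors.New("unknown kid") }
	hdr := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": "constructed-jti-1", "exp": time.Now().Add(time.Minute).Unix()}
	if kidInHeader { hdr["kid"] = kid } else { claims["kid"] = kid }
	input := encPart(hdr) + "." + encPart(claims) // JWS signing input: base64url(header).base64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion mimics the token endpoint: key chosen by the JOSE header kid only, so a kid in the claims is never consulted.
func VerifyAssertion(assertion string) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return "", errors.New("malformed JWT") }
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" { return "", errors.New("bad header") }
	key, ok := clientKeys[hdr.Kid]
	if !ok { return "", errors.New("The client_assertion JWT kid is invalid.") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return "", err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) != nil { return "", errors.New("bad signature") }
	return hdr.Kid, nil
}
```

With kidInHeader=true, VerifyAssertion returns the kid it resolved; with kidInHeader=false it returns the same "kid is invalid" error the thread shows, because the header carries no kid at all. A production endpoint would additionally check iss, sub, aud, exp and jti replay before issuing a token.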