OpenID Connect signature keys are not stable
I'm just getting started with openid connect, so maybe I misunderstand something ...
Root issue: I get an exception when trying to use this with asp.net core:
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: 'IDX10501: Signature validation failed. Unable to match keys: 'rg5QPE6n_WtpEnKfnLntE3vWFQEiuZk2k3T6uaNwHeI',
token: '{"alg":"RS256","typ":"JWT","kid":"rg5QPE6n_WtpEnKfnLntE3vWFQEiuZk2k3T6uaNwHeI"}.{"iss":"https://gitlab.com","sub":"2453910","aud":"17cb93f396a46927921b6b4e85ad04760966fd6d97ecbfb4425114ccdc7a76e0","exp":1530896872,"iat":1530896752,"nonce":"636664935519119602.YjhkOGJiMGEtMGNiZi00ODJlLTkzODMtMGRmZTdlODAwZGU5MGY0ZmQwNzItNTI0NC00ZDQwLWIxZjMtZmEwYWE2Nzg2MDBi","auth_time":1530866397,"sub_legacy":"bda93cce0e85bbd5ef631d4a239e06fb148c4027c6d8931a77871a6847a69944"}'.'
Investigation:
The `jwks_uri` in https://gitlab.com/.well-known/openid-configuration points to https://gitlab.com/oauth/discovery/keys.
GET https://gitlab.com/oauth/discovery/keys returns any one of a set of different keys each time.
First GET:
Second GET:
Note that the kid is different each time.
Over a few calls, I got at least six different kids, but only one each time:
rg5QPE6n_WtpEnKfnLntE3vWFQEiuZk2k3T6uaNwHeI
PgtbD5_LZeevBwYnTqWb0rmpHnLH6Xn8FwzfXY5utoE
YALX_cbe3qW5AmiW4QTs58P-ifjfkx7Ih-hPwa-efIQ
QwqiFWlxppaIpsHnLsu8RYjMyeGx3PA4LXyWjyla_VY
DuvCmDqLpZQKsLQ7DIl2mxt-JycuxxHNwI6hF7YR4no
St9fpVxW5D0LfREepPdwyxKG1KfuIQ_vLoohwYwrmZY
If you call it often enough, you get repetitions. One guess would be that the API is behind a load balancer with multiple machines, and depending on the machine I get forwarded to, I get a different result.
Expected result:
I would expect either a single, stable result, or an array with all possible values. https://www.googleapis.com/oauth2/v3/certs returns a stable array of two keys, in comparison.
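The following is an added example, not code from the issue reporter or from GitLab, that models the key-discovery step behind the IDX10501 error: a client reads `kid` from the token header, looks it up in a cached JWKS document, and refreshes the cache on a miss (with a minimum refresh interval so an attacker cannot force a discovery fetch per request). It simulates two endpoints: one that returns a single, different key per node, as described above, and one that returns the whole key set in one array, as the Google endpoint does. The JWKS documents, tokens and `n`/`e` values are constructed placeholders; only the `kid` strings come from the report, and no signature is actually verified.

```python
"""Added example (not from the issue): JWKS cache behaviour against a
discovery endpoint that serves one key per load-balanced node versus one
that serves the full key set. Only kid-to-key resolution is modelled;
the RSA material is a placeholder and no signature check is performed."""
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

# kid values from the report; everything else in the JWKS is constructed.
UNSTABLE_KIDS = [
    "rg5QPE6n_WtpEnKfnLntE3vWFQEiuZk2k3T6uaNwHeI",
    "PgtbD5_LZeevBwYnTqWb0rmpHnLH6Xn8FwzfXY5utoE",
    "YALX_cbe3qW5AmiW4QTs58P-ifjfkx7Ih-hPwa-efIQ",
    "QwqiFWlxppaIpsHnLsu8RYjMyeGx3PA4LXyWjyla_VY",
    "DuvCmDqLpZQKsLQ7DIl2mxt-JycuxxHNwI6hF7YR4no",
    "St9fpVxW5D0LfREepPdwyxKG1KfuIQ_vLoohwYwrmZY",
]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def kid_from_token(token: str) -> Optional[str]:
    """Read `kid` from the JOSE header. The header is unverified at this
    point; it is used only to pick a candidate key, never trusted."""
    header = json.loads(_b64url_decode(token.split(".", 1)[0]))
    return header.get("kid")


def make_token(kid: str) -> str:
    """Constructed token with the header shape seen in the report; the
    signature segment is a dummy string."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"iss": "https://gitlab.com", "sub": "2453910"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(payload), "dummy-signature"])


def jwks_with(kids: List[str]) -> str:
    """Constructed JWKS document listing the given kids (placeholder n/e)."""
    keys = [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": k,
             "n": "placeholder-modulus-" + k[:6], "e": "AQAB"} for k in kids]
    return json.dumps({"keys": keys})


def round_robin_fetcher(documents: List[str]) -> Callable[[], str]:
    """Mimics a load-balanced jwks_uri where each node serves its own document."""
    calls = {"n": 0}

    def fetch() -> str:
        doc = documents[calls["n"] % len(documents)]
        calls["n"] += 1
        return doc
    return fetch


class JwksCache:
    """Caches signing keys by kid; refreshes on an unknown kid, but not more
    often than `min_refresh_interval` seconds (throttling the discovery call)."""

    def __init__(self, fetch: Callable[[], str], min_refresh_interval: float = 300.0):
        self._fetch = fetch
        self._min_interval = min_refresh_interval
        self._keys: Dict[str, dict] = {}
        self._last_refresh: Optional[float] = None

    def refresh(self, now: float) -> None:
        doc = json.loads(self._fetch())
        for jwk in doc.get("keys", []):
            # Merge rather than replace, so a partial answer never evicts a key.
            if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig" and "kid" in jwk:
                self._keys[jwk["kid"]] = jwk
        self._last_refresh = now

    def resolve(self, kid: Optional[str], now: float) -> Optional[dict]:
        if self._last_refresh is None:
            self.refresh(now)
        key = self._keys.get(kid)
        if key is None and now - self._last_refresh >= self._min_interval:
            self.refresh(now)
            key = self._keys.get(kid)
        return key


def simulate(fetch: Callable[[], str], tokens: List[str],
             seconds_between_tokens: float = 1.0,
             min_refresh_interval: float = 300.0) -> Tuple[int, int]:
    """Feed tokens through one cache; returns (accepted, rejected) where
    'rejected' means no key matched the kid, i.e. the IDX10501 case."""
    cache = JwksCache(fetch, min_refresh_interval)
    accepted = rejected = 0
    for i, token in enumerate(tokens):
        if cache.resolve(kid_from_token(token), i * seconds_between_tokens) is None:
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected
```

With one key per node and tokens arriving every second, only the first token's kid is ever cached and the rest are rejected; with the full set in one array the first fetch satisfies every token. Spacing the tokens beyond the refresh interval makes the unstable endpoint work only because each refresh happens to hit the next node, at the cost of a discovery fetch per token.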