The JWKS URL currently contains a duplicate entry for the "kid". When trying to check a JWT using the "Decode Json Web Token" assertion (using "Recipient Key Context Variable" with the content of the JWKS URL, "Key Type" = "JSON Web Key Set" and "Key ID" as parameters), the assertion fails logging the following error:
“JOSE Error: Could not find key from JWKS.
Possible reasons: 1) could not find a key based kid, kty, and use or
2) the combination of kid, kty and use fields produce more than one key.”
Can a later version of the assertion handle this scenario? Most libraries seem to iterate the JWKS "keys" array and just return the first match.
Release: 9.2
Component: API GTW ENTERPRISE MANAGER
We have checked the code responsible for this behavior.
It is intentionally designed like this.
As per the RFC 7517 spec, a JWK set should not contain duplicate entries. At least one part of the combination (kid, kty, use) should be different between any two entries.
So if the parser returns multiple entries for the same key, then in order to keep our code compliant with the spec, the gateway does not allow selecting any key and logs a message stating that the combination of kid, kty and use fields produces more than one key.
You need to remove the duplicates from the JWKS before feeding it to the assertion.
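As an added illustration, not the gateway's own code, the strict (kid, kty, use) selection described above next to a cleanup pass that removes only exact repeats, so a JWKS that carries two different keys under one kid is still rejected rather than silently resolved to the first match. The sample JWKS, the function names and the treatment of keys that lack a `use` member are assumptions.

```python
import json
from typing import Optional

# Constructed sample JWKS (not real key material): "k1" appears twice as an
# exact repeat, "k2" appears twice with *different* moduli (a real conflict).
SAMPLE_JWKS = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "k1", "use": "sig", "n": "AQAB", "e": "AQAB"},
  {"kty": "RSA", "kid": "k1", "use": "sig", "n": "AQAB", "e": "AQAB"},
  {"kty": "RSA", "kid": "k2", "use": "sig", "n": "AAEC", "e": "AQAB"},
  {"kty": "RSA", "kid": "k2", "use": "sig", "n": "AAED", "e": "AQAB"},
  {"kty": "EC",  "kid": "k3", "use": "sig", "crv": "P-256", "x": "AA", "y": "AQ"}
]}""")

# Members that carry the public key material per key type (RFC 7517/7518).
PUBLIC_MEMBERS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "oct": ("k",)}


def key_material(jwk: dict) -> tuple:
    """Identify a key by its type and public parameters, ignoring metadata."""
    kty = jwk["kty"]
    return (kty,) + tuple(jwk.get(m) for m in PUBLIC_MEMBERS.get(kty, ()))


def find_matches(jwks: dict, kid: str, kty: str, use: Optional[str] = "sig") -> list:
    """All keys whose (kid, kty, use) match. Assumption: a key without a
    'use' member is treated as compatible with the requested use."""
    return [k for k in jwks["keys"]
            if k.get("kid") == kid and k.get("kty") == kty
            and (use is None or k.get("use", use) == use)]


def select_key(jwks: dict, kid: str, kty: str, use: Optional[str] = "sig") -> dict:
    """Strict selection in the spirit of RFC 7517: exactly one key must match,
    otherwise refuse rather than silently taking the first entry."""
    matches = find_matches(jwks, kid, kty, use)
    if not matches:
        raise LookupError(f"no key for kid={kid!r} kty={kty!r} use={use!r}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} keys share kid={kid!r} kty={kty!r} use={use!r}")
    return matches[0]


def dedupe_jwks(jwks: dict) -> dict:
    """Drop entries that repeat an earlier entry's kid, use and key material.
    Entries with the same kid but different material are kept on purpose:
    that is a publisher error to fix at the source, not to paper over."""
    seen, kept = set(), []
    for k in jwks["keys"]:
        fingerprint = (k.get("kid"), k.get("use"), key_material(k))
        if fingerprint not in seen:
            seen.add(fingerprint)
            kept.append(k)
    return {"keys": kept}
```

Run `dedupe_jwks` over the fetched JWKS before handing it to the assertion; if `select_key` still reports more than one match afterwards, the issuer is publishing conflicting keys and the JWKS itself needs correcting.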