Affects Version/s: 13.5.0, 14.0.0
When encrypting the id token, the kid returned comes from the OpenAM keystore JWKS and not the client JWKS
Note: both the client and OpenAM publish a JWKS, and they serve different purposes.
The client JWKS is used to verify JWTs signed by the client and to encrypt JWTs for the client.
By contrast, the AM JWKS is used to sign JWTs sent to the client and to encrypt JWTs for AM.
So when we sign and encrypt the id token, we should:
- Sign using one of the JWKs from the AM JWKS
- Encrypt using one of the JWKs from the client JWKS
Steps to reproduce: generate an id token with encryption enabled.
Expected: the KID should be one of the keys of the client JWKS.
Actual: the KID is one of the keys of the AM JWKS, for which the client does not hold the private key, so it cannot decrypt the token.
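As an added illustration of the key-selection rule described in this ticket (sign with an AM key, encrypt with a client key) and of the reported behaviour, the Python below is example code, not OpenAM's implementation. It assumes two constructed JWKS documents with placeholder moduli, builds the JWS and JWE headers for a signed-then-encrypted id token, and provides a check a client can run on a received token to tell whether the JWE `kid` points at its own JWKS (decryptable) or at AM's (the bug here). The compact JWE is constructed with placeholder ciphertext parts; only its protected header is real.

```python
import base64
import json

# Constructed sample JWKS documents (public parts only; the modulus values are
# placeholders, not real keys). In a deployment AM_JWKS is what AM publishes and
# CLIENT_JWKS is what the client registered with AM.
AM_JWKS = {"keys": [
    {"kty": "RSA", "kid": "am-sig-1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]}
CLIENT_JWKS = {"keys": [
    {"kty": "RSA", "kid": "client-sig-1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "RSA", "kid": "client-enc-1", "use": "enc", "alg": "RSA-OAEP-256",
     "n": "placeholder-modulus", "e": "AQAB"},
]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JOSE base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def select_key(jwks: dict, use: str, alg: str) -> dict:
    """Pick the first JWK whose 'use' and 'alg' match; raise if none does."""
    for key in jwks["keys"]:
        if key.get("use") == use and key.get("alg") == alg:
            return key
    raise LookupError(f"no JWK with use={use!r} alg={alg!r}")


def build_id_token_headers(am_jwks: dict, client_jwks: dict) -> tuple:
    """Headers for a signed-then-encrypted id token: the JWS kid comes from
    AM's JWKS (AM signs), the JWE kid from the client's JWKS (client decrypts)."""
    sig_key = select_key(am_jwks, "sig", "RS256")
    enc_key = select_key(client_jwks, "enc", "RSA-OAEP-256")
    jws_header = {"alg": "RS256", "typ": "JWT", "kid": sig_key["kid"]}
    jwe_header = {"alg": "RSA-OAEP-256", "enc": "A256GCM", "cty": "JWT",
                  "kid": enc_key["kid"]}
    return jws_header, jwe_header


def fake_compact_jwe(protected_header: dict) -> str:
    """Constructed 5-part compact JWE: a real protected header followed by
    placeholder encrypted key, IV, ciphertext and tag (enough for header checks)."""
    head = b64url_encode(json.dumps(protected_header, separators=(",", ":")).encode())
    return ".".join([head, "ZW5jLWtleQ", "aXY", "Y2lwaGVydGV4dA", "dGFn"])


def jwe_protected_header(compact_jwe: str) -> dict:
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated parts)")
    return json.loads(b64url_decode(parts[0]))


def classify_encryption_kid(compact_jwe: str, am_jwks: dict, client_jwks: dict) -> str:
    """Report which JWKS the JWE 'kid' belongs to: 'client' (correct, the client
    holds the private key), 'am' (the behaviour reported here) or 'unknown'."""
    kid = jwe_protected_header(compact_jwe).get("kid")
    if any(k["kid"] == kid for k in client_jwks["keys"]):
        return "client"
    if any(k["kid"] == kid for k in am_jwks["keys"]):
        return "am"
    return "unknown"


if __name__ == "__main__":
    jws_header, jwe_header = build_id_token_headers(AM_JWKS, CLIENT_JWKS)
    good = fake_compact_jwe(jwe_header)
    # Mimic the reported behaviour: the JWE kid taken from AM's signing key.
    buggy = fake_compact_jwe({**jwe_header, "kid": jws_header["kid"]})
    print("correct token kid ->", classify_encryption_kid(good, AM_JWKS, CLIENT_JWKS))
    print("buggy token kid   ->", classify_encryption_kid(buggy, AM_JWKS, CLIENT_JWKS))
```

A client library can run `classify_encryption_kid` before attempting decryption: a result of `am` means the token was encrypted to a key the client never held, which is the symptom this ticket describes, and the failure can be reported as a server-side key-selection error rather than a generic decryption failure.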