kid not included in the JWT's header.

[GianfrancoMS]

Why was the kid removed from the JWT's header in ef51cf4?

Since the kid is not included, it makes the verification (https://github.com/openwallet-foundation-labs/oid4vc-ts/blob/main/packages/oauth2/src/common/jwk/jwks.ts#L21) impossible when there are multiple JWK in the JWK Set.

It works when there is only one JWK in the JWK Set, but that is not always the case.

I found this error when developing this feature at openwallet-foundation/credo-ts#2456.
I tried to host more than one key at /jwks and the verification of the JWT in POST /credential failed becaused the kid was not included in the JWT and there was more than one key in the JWK Set.

[TimoGlastra]

The reason it was removed is that we encountered some issuers that supported both JWK and dids, and it resulted in errors since the kid did not actually point to a JWK in a kid.

I see three possible solutions:

• include the KID in the JWK itself
• include the KId in the header, revert the above commit you linked
• extend the matching logic, based on an actual JWK, since we already have the JWK
• do not include the jwk but only the kid in the header. Theoretically we don't even have to add the jwk to the header of the JWT, since we can fetch it based on the jwks_uri in the authorization server metadata

I think returning the kid makes sense, but it can cause issues again in e.g. oid4vci, but I think they actually made it not allowed to do this.

[GianfrancoMS]

I can send a PR for that.