Calling the jwks_uri (https://www.googleapis.com/oauth2/v3/certs) from Google's OpenID Connect discovery URI returns a JSON object with not one but three different keys. How is one supposed to know which is to be used to verify a JWT signed by Google?
To answer my own question, Google's JWT does indeed include the kid in the header.
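
Selecting the key by kid, as an added example that is not part of the original post: it reads the unverified header, matches kid against the JWKS, and rejects unexpected algorithms and unknown key ids. The function names, the RS256 allow-list and the three-key sample JWKS are constructed assumptions; verifying the signature with the returned key is left to a JWT library.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # assumption: pin the expected algorithm, never trust the header alone

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def select_jwk(token: str, jwks: dict) -> dict:
    """Return the JWKS entry whose kid matches the token's (unverified) header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = b64url_json(parts[0])
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg: {alg!r}")
    if not kid:
        raise ValueError("token header has no kid")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        # Unknown kid: keys rotate, so refetch the JWKS once, then reject.
        raise LookupError(f"kid {kid!r} matched {len(matches)} keys")
    key = matches[0]
    if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
        raise ValueError("matched key is not an RSA signing key")
    if key.get("alg", alg) != alg:
        raise ValueError("key alg does not match token alg")
    return key

def make_token(header: dict) -> str:
    """Build a constructed token; payload and signature are dummies."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"demo"}'), enc(b"sig")])

# Constructed JWKS with three keys, shaped like a jwks_uri response (placeholder values).
SAMPLE_JWKS = {"keys": [
    {"kid": "key-a", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kid": "key-b", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kid": "key-c", "kty": "RSA", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
]}

if __name__ == "__main__":
    token = make_token({"alg": "RS256", "kid": "key-b", "typ": "JWT"})
    print(select_jwk(token, SAMPLE_JWKS)["kid"])
```

The header is read before any signature check, so kid only chooses among keys already fetched from the trusted jwks_uri; it is never a reason to load a key from elsewhere.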