
Does not work with Microsoft's JWKS, which has no "alg" field #11

@maghoff

Description

Consider the issuer URL https://login.microsoftonline.com/common/v2.0/ (Tenants running in Azure get variants of this URL) and its openid-configuration URL https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration (attached). The latter gives us a document which in its jwks_uri field points to the JWKS at https://login.microsoftonline.com/common/discovery/v2.0/keys (attached).

In this JWKS, the "alg" field is absent from all keys. For each key, "alg" is read out as None in decode_jwk, which then returns Err(FetchError::InvalidJWK), in turn causing every key to be silently filtered out in JwkSetStore::update_jwks.

I see in RFC 7517 that the "alg" field is optional, but I'm not sure what that's supposed to mean. In the OpenID Configuration document, there is a "id_token_signing_alg_values_supported" field which, in this case, is a list containing the single relevant algorithm. Should that be the fallback value when "alg" is missing?

Would you be interested in me implementing this or another solution in a PR?
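As an added illustration, not code from this issue or from the library under discussion, here is one way the fallback the reporter proposes could be applied safely: the issuer's id_token_signing_alg_values_supported list serves both as the fallback when "alg" is absent and as an allow-list when it is present, the chosen algorithm is checked against the key type, and per-key failures are reported instead of being silently filtered out. The names (Jwk, KeyError, resolve_alg, resolve_all) and the sample keys are assumptions; JSON parsing is left out and keys are modelled as plain structs.

```rust
// Added example (not the project's code): picking a verification algorithm for a
// JWK without "alg", using the issuer's supported-algorithms list as the fallback.
#[derive(Debug, Clone, PartialEq)]
pub struct Jwk {
    pub kid: String,
    pub kty: String,         // key type, e.g. "RSA" or "EC"
    pub alg: Option<String>, // optional per RFC 7517 section 4.4
}
#[derive(Debug, PartialEq)]
pub enum KeyError {
    AlgNotSupported(String), // "alg" present but not advertised by the issuer
    AlgAmbiguous,            // "alg" absent and the issuer advertises several
    AlgUnknown,              // "alg" absent and the issuer advertises none
    KtyMismatch,             // e.g. "ES256" on an RSA key
}

/// True when `alg` belongs to a family that can be verified with a `kty` key.
fn alg_fits_kty(alg: &str, kty: &str) -> bool {
    match kty {
        "RSA" => alg.starts_with("RS") || alg.starts_with("PS"),
        "EC" => alg.starts_with("ES"),
        _ => false,
    }
}

/// Resolve the algorithm for one key. The issuer's supported list is an
/// allow-list in both branches, so a key can never introduce an algorithm
/// the issuer does not advertise ("none", HS256, ...).
pub fn resolve_alg(key: &Jwk, supported: &[&str]) -> Result<String, KeyError> {
    let alg = match (&key.alg, supported) {
        (Some(a), _) if supported.contains(&a.as_str()) => a.clone(),
        (Some(a), _) => return Err(KeyError::AlgNotSupported(a.clone())),
        (None, []) => return Err(KeyError::AlgUnknown),
        (None, [only]) => only.to_string(),
        (None, _) => return Err(KeyError::AlgAmbiguous),
    };
    if alg_fits_kty(&alg, &key.kty) { Ok(alg) } else { Err(KeyError::KtyMismatch) }
}

/// Resolve every key in a JWKS, reporting failures instead of silently dropping them.
pub fn resolve_all(keys: &[Jwk], supported: &[&str]) -> (Vec<(String, String)>, Vec<(String, KeyError)>) {
    let (mut ok, mut failed) = (Vec::new(), Vec::new());
    for k in keys {
        match resolve_alg(k, supported) {
            Ok(a) => ok.push((k.kid.clone(), a)),
            Err(e) => failed.push((k.kid.clone(), e)),
        }
    }
    (ok, failed)
}
```

With a supported list of exactly one entry, as in the Microsoft configuration described above, keys without "alg" resolve to that entry; with several entries the key is rejected rather than guessed, so the caller can log which kid failed and why.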
