Support for the kid (key ID) in OAuth tokens

Description

What is kid?

The kid stands for Key ID. It is an optional parameter used in JSON Web Keys (JWK) and in the headers of JSON Web Tokens (JWT), including the ID Tokens of OpenID Connect. The kid is a hint indicating which key was used to secure the JWT, so a verifier can select the matching public key without trying every key in the set.

Requirements

1. Key Identification in JWK Set

OpenID Connect relies on cryptographic keys to sign and verify tokens (such as ID Tokens and Access Tokens). The OpenID Provider publishes these keys in a JWK Set. Unity shall expose the kid for each key in its JWK Set.

Example of a JWK with kid:

2. Include kid in ID Token header

When Unity issues an ID Token, it signs the token using one of its private keys. The corresponding public key is published in the JWK Set. The ID Token header shall include the kid to indicate which key was used to sign the token.

Example of a JWT Header with kid:

3. kid

The kid is a unique identifier for each key in your JSON Web Key Set (JWKS). It allows clients (Relying Parties) to identify which key was used to sign a token, facilitating efficient token verification. The primary requirements for a kid are:

  1. Uniqueness: Each kid must uniquely identify a key within the JWKS.

  2. Stability: The kid should remain consistent for a given key over its lifecycle.

  3. Non-Predictability (Optional): While not strictly required, avoiding predictable kid values can enhance security by preventing key enumeration attacks.
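The three requirements above, together with the JWK Set exposure in requirement 1 and the ID Token header in requirement 2, are shown end to end in the following Go program. It is an added example, not code from this issue or from Unity: it assumes ES256 (P-256) signing keys, derives each kid as the RFC 7638 JWK thumbprint (which gives a stable, unique and non-enumerable value for a given key), and uses constructed keys and claims rather than any real Unity configuration. The verifier side looks the key up by kid, pins the expected algorithm instead of trusting the header's alg, and refuses tokens whose kid is not in the published set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the unpadded base64url alphabet JOSE uses for every segment.
var b64 = base64.RawURLEncoding

// JWK is the subset of a public P-256 JWK a Relying Party needs; JWKS is the published set.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Use string `json:"use"`
	Kid string `json:"kid"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// publicJWK exports a public key with kid set to its RFC 7638 thumbprint (SHA-256 over the
// canonical JSON of crv, kty, x, y): stable for one key, unique across keys, not enumerable.
func publicJWK(pub *ecdsa.PublicKey) JWK {
	jwk := JWK{Kty: "EC", Crv: "P-256", Use: "sig",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), // P-256 coordinates are fixed 32 bytes
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
	canonical := fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, jwk.Crv, jwk.Kty, jwk.X, jwk.Y)
	sum := sha256.Sum256([]byte(canonical))
	jwk.Kid = b64.EncodeToString(sum[:])
	return jwk
}

// signJWT issues a compact ES256 JWS whose protected header names the signing key by kid.
func signJWT(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS carries raw R || S, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyJWT is the Relying Party side: select the key by kid, pin the algorithm rather
// than trusting the header's alg, and reject tokens whose kid is not in the set.
func verifyJWT(token string, set JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "ES256" {
		return nil, errors.New("unexpected alg")
	}
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid && set.Keys[i].Use == "sig" {
			key = &set.Keys[i]
		}
	}
	if key == nil {
		return nil, errors.New("unknown kid: refetch the JWK Set before retrying")
	}
	xb, errX := b64.DecodeString(key.X)
	yb, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature mismatch")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	return claims, nil
}
```

Publishing two keys in the set and signing with the newer one models the rotation case the kid exists for: the Relying Party keeps verifying tokens issued under either key until the old one is removed from the set. A token whose kid is absent should trigger a refetch of the JWK Set, not a fallback to trying every key, and the alg check keeps a header-supplied algorithm from steering the verifier.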

Activity


Roman Krysiński November 7, 2024 at 10:19 AM

QA: +1

Done

Details

Created October 30, 2024 at 12:33 PM
Updated November 8, 2024 at 10:25 AM
Resolved November 7, 2024 at 10:19 AM