Google OAuth 2.0 uses two certs. Would be awesome if we could supply a concatenated string of all of them, and node-jsonwebtoken checked each in turn.
EDIT: I need to check them all because the PEM doesn't include the kid. If you guys supported JWK, the problem wouldn't exist.
EDIT2: I realized Google supplies kids even for their PEM certs. But I guess the issue might be helpful to others.
^ Maybe this should be added as a remark in docs?
Here is how I solved this back then:
https://github.com/auth0/connect-google-jwt/blob/master/index.js
I haven't used this code in a while, it might be outdated.
So, for the case of Google, you should first get the kid by using jwt.decode and then use the correct PEM to validate the token.