client_assertion token error

[manasirg]

While using oidc for private_key_jwt, The login flow works great but the client assertion fails because the "kid" in the client_assertion token does not match what is associated with the public cert configured in the provider. Where does the oidc obtain the kid for signing client assertion? I am using the following config.

OIDCPublicKeyFiles /usr/local/apache2/conf/server.crt
OIDCPrivateKeyFiles /usr/local/apache2/conf/server.key 
OIDCProviderTokenEndpointAuth private_key_jwt

Is there more configuration required?

[zandbelt]

I'm not sure I follow: so the IDP rejects the client assertion with a kid mismatch error? The logs would help.

FWIW: by default the kid is calculated from the cert fingerprint but you can specify it manually using the syntax:

OIDCPublicKeyFiles <kid>#<filename>