Can "kid" in JWKS be just string of numbers, and what is the maximum number of characters kid can hold?

Question

I am trying to validate the JWKS stored in the resource server. One of the checks I have implemented is to check for the kid that I decode from the JWT and check for it in the configured resource server.

I went through the JWK RFC for "kid". In the rfc its mentioned that kid is a case sensitive string. But it is not clear from the doc, what values can the kid, hold. Is it valid for kid to just to have all numeric characters in the string. Also what is the maximum limit for the number of characters in the string, that kid can hold.

Answer 1

It can really be just any kind of string, as long as it is unique for each key in the JWKS. According to the RFC7517:

The structure of the "kid" value is unspecified.

I've seen uuids, numbers, timestamps and thumbprints (hash of the key) used as kid.

A JWK thumbprint can also be used as a key identifier which is practically guaranteed to be unique.
from (https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-thumbprints)

Regarding the length of the kid, there is no limit mentioned in the RFC, but a JWK is a JSON object and the kid is usually also part of a JWT header, which is also a JSON object. JSON has also no inherent limitation of the size, but, according to RFC7159, Section 9:

An implementation may set limits on the length and character contents of strings.

So theoretically it is limited by the implementation but practically you won't experience any severe limitations when you use any reasonable size suitable for an unique identifier.