From 77e2e67a8dc8088caa05f27e36ad031cc8dfe37f Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Tue, 10 Sep 2024 10:38:37 -0700
Subject: [PATCH] Log missing kid when ID token verification fails

This will help debug issues when the JWT is signed with an unknown `kid`.
---
lib/omniauth/strategies/openid_connect.rb | 5 ++++-
test/lib/omniauth/strategies/openid_connect_test.rb | 4 +++-
2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index e6143a93..399358f7 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -317,7 +317,10 @@ def decode_id_token(id_token)
 # done. However, if there is no kid, then we try each key
 # individually to see if one works:
 # https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
- raise if decoded&.header&.key?('kid')
+ if decoded&.header&.key?('kid')
+ kid = decoded.header['kid']
+ raise JSON::JWK::Set::KidNotFound, "kid '#{kid}' not found"
+ end
 decoded = decode_with_each_key!(id_token, keyset)
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index 6059df27..55122743 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -338,9 +338,11 @@ def test_callback_phase_with_id_token_with_kid_and_no_matching_kid
 strategy.unstub(:user_info)
 strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
- assert_raises JSON::JWK::Set::KidNotFound do
+ error = assert_raises JSON::JWK::Set::KidNotFound do
 strategy.callback_phase
 end
+
+ assert_match %r{kid '.*' not found}, error.message
 end
 def test_callback_phase_with_id_token_with_hs256
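Review bot: The `kid` interpolated on the new `raise` line is read from the JWT header before any signature has been verified, so the exception message (and any log line built from it) carries whatever text the token presenter chose, including newlines and unbounded length; `kid.inspect` escapes control characters and quotes, e.g. `raise JSON::JWK::Set::KidNotFound, "kid #{kid.to_s[0, 64].inspect} not found"`, which also caps the size. The bare `raise` this replaces re-raised whatever exception the enclosing `rescue` had caught, whereas the new code always raises `JSON::JWK::Set::KidNotFound`; that is equivalent only if the rescue clause is specific to this class, which is not visible in the hunk and worth confirming (Ruby will at least attach the original as `cause`). decode_id_token starts and ends outside this hunk.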
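Review bot: The new `assert_match %r{kid '.*' not found}, error.message` accepts any kid, so a message that reported the wrong header value, or an empty one, would still pass; if the kid the fixture signs the token with is available in this test, pin it, e.g. `assert_includes error.message, "kid '#{kid}' not found"`. The test method starts outside this hunk, so the fixture's kid is not visible here.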