The 'kid' can appear in many different places.

Author: Roland Hedberg

src/jwkest/jws.py

@@ -368,7 +368,10 @@ def _pick_keys(self, keys, use="", alg=""):
         try:
             _kid = self["kid"]
         except KeyError:
-            _kid = None
+            try:
+                _kid = self.jwt.headers["kid"]
+            except (AttributeError, KeyError):
+                _kid = None
 
         logger.debug("Picking key based on alg={0}, kid={1} and use={2}".format(
             alg, _kid, use))
@@ -533,6 +536,9 @@ def verify_compact(self, jws, keys=None, allow_none=False, sigalg=None):
             if "kid" in self:
                 raise NoSuitableSigningKeys(
                     "No key with kid: %s" % (self["kid"]))
+            elif "kid" in self.jwt.headers:
+                raise NoSuitableSigningKeys(
+                    "No key with kid: %s" % (self.jwt.headers["kid"]))
             else:
                 raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg)
 

src/jwkest/jwt.py

@@ -42,8 +42,8 @@ def __init__(self, **headers):
         if not headers.get("alg"):
             headers["alg"] = None
         self.headers = headers
-        self.b64part = [ b64encode_item(headers) ]
-        self.part = [ b64d(self.b64part[0]) ]
+        self.b64part = [b64encode_item(headers)]
+        self.part = [b64d(self.b64part[0])]
 
     def unpack(self, token):
         """
@@ -73,8 +73,8 @@ def pack(self, parts, headers=None):
             else:
                 headers = {'alg': 'none'}
 
-        self.part = [ self.part[0] ] + parts
-        _all = self.b64part = [ self.b64part[0] ]
+        self.part = [self.part[0]] + parts
+        _all = self.b64part = [self.b64part[0]]
         _all.extend([b64encode_item(p) for p in parts])
 
         return ".".join([a.decode() for a in _all])