kid allows the issuer to signal a key change to the consumer; for example, if you're obtaining the public key by making a request to the keys endpoint, then you could cache the result until you receive a JWT with a different kid value. At that point you would fetch the keys again to check whether new keys are available that match the newly received kid. Keep in mind that anyone can put any value in the kid header of a token they send you, so that refresh should be rate limited (otherwise a flood of tokens with made-up kid values turns your consumer into a request generator against the keys endpoint), and the kid should only ever be used to select among the keys the trusted endpoint returned, never to build a URL or a file path.
In conclusion, it is fine to extract the kid from the token and retrieve the key based on that value, as long as the request to obtain the keys correctly ensures that it is talking to the trusted issuer (the endpoint is served over HTTPS, so the client must validate the server certificate). However, this header parameter is just a hint, so ignoring it and always using a hardcoded key is also technically possible.
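The consumer-side logic described above (cache the keys document, refresh only when an unknown kid arrives, and refuse to refresh more often than a minimum interval) as an added example; this is not code from the original post. The issuer and its keys endpoint are simulated in-process so the example runs offline, and the keys are symmetric "oct" JWKs signed with HS256 because the Python standard library has no RSA or EC verifier; the kid lookup and refresh policy are the same for public keys. All names (FakeIssuer, KeyCache, verify_jwt, the 60-second interval, the sample kids and secrets) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(kid: str, secret: bytes, claims: dict) -> str:
    """Build a compact JWT; the kid goes in the protected header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class FakeIssuer:
    """Constructed stand-in for the trusted issuer and its keys endpoint.
    A real consumer fetches the JWKS over HTTPS and validates the certificate."""

    def __init__(self):
        self.keys = {"2023-key": b"old-secret-0123456789"}
        self.fetch_count = 0  # how many times the keys endpoint was hit

    def jwks(self) -> dict:
        self.fetch_count += 1
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": k, "k": b64url_encode(s)}
                         for k, s in self.keys.items()]}

    def rotate(self, new_kid: str, secret: bytes) -> None:
        self.keys[new_kid] = secret  # old key stays published during the overlap

    def sign(self, kid: str, claims: dict) -> str:
        return sign_hs256(kid, self.keys[kid], claims)


class KeyCache:
    """Keys indexed by kid. Refreshes only when an unknown kid shows up, and at
    most once per min_refresh_interval, so bogus kids cannot drive request volume."""

    def __init__(self, fetch_jwks, min_refresh_interval=60.0, clock=time.monotonic):
        self._fetch, self._interval, self._clock = fetch_jwks, min_refresh_interval, clock
        self._keys, self._last_refresh = {}, None

    def _refresh(self) -> None:
        doc = self._fetch()
        # Only keys that came from the trusted endpoint ever enter the cache.
        self._keys = {j["kid"]: b64url_decode(j["k"]) for j in doc["keys"]
                      if j.get("kty") == "oct" and "kid" in j}
        self._last_refresh = self._clock()

    def get(self, kid: str):
        if self._last_refresh is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._clock() - self._last_refresh >= self._interval:
            self._refresh()
            key = self._keys.get(kid)
        return key


def verify_jwt(token: str, cache: KeyCache) -> dict:
    """Return the claims if the token verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token blindly
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("missing kid")
    # kid is attacker-controlled: it is used only as a dictionary key, never as a URL or path.
    key = cache.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def demo() -> dict:
    now = [1000.0]  # fake clock so the refresh interval is deterministic
    issuer = FakeIssuer()
    cache = KeyCache(issuer.jwks, min_refresh_interval=60.0, clock=lambda: now[0])
    r = {"sub1": verify_jwt(issuer.sign("2023-key", {"sub": "alice"}), cache)["sub"]}
    verify_jwt(issuer.sign("2023-key", {"sub": "bob"}), cache)
    r["fetches_cached"] = issuer.fetch_count  # second token served from cache
    issuer.rotate("2024-key", b"new-secret-9876543210")
    now[0] += 61  # interval elapsed: unknown kid triggers one refresh
    r["sub2"] = verify_jwt(issuer.sign("2024-key", {"sub": "carol"}), cache)["sub"]
    r["sub3"] = verify_jwt(issuer.sign("2023-key", {"sub": "dave"}), cache)["sub"]
    r["fetches_rotated"] = issuer.fetch_count
    for _ in range(10):  # flood of forged tokens with a made-up kid: rejected, no refetch
        try:
            verify_jwt(sign_hs256("does-not-exist", b"attacker-key", {"sub": "mallory"}), cache)
            r["bogus_rejected"] = False
        except ValueError as e:
            r["bogus_rejected"] = str(e) == "unknown kid"
    r["fetches_after_flood"] = issuer.fetch_count
    return r


if __name__ == "__main__":
    print(demo())
```

The choice to refresh only on an unknown kid, and then only after the interval has passed, means a token presented with a freshly rotated kid inside the window is rejected rather than triggering a fetch; issuers that publish the new key before using it (and consumers that refresh periodically in the background) avoid that gap.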