I am trying to verify access tokens from Auth0 using the Java SDK.
My question is whether it is fine to extract the kid from the token itself and then get the public key based on that kid,
or whether we should store the kid locally and use it every time for token verification.
The kid allows the issuer to signal a key change to the consumer; for example, if you’re obtaining the public key by making a request to the keys endpoint then you could cache the result until you receive a JWT with a different kid value. At this time you would try to obtain the keys again in order to check if new keys are available that match the newly received kid.
In conclusion, it is fine to extract the kid from the token and retrieve the key based on that value as long as the request to obtain the keys correctly ensures that it is talking to the trusted issuer (the endpoint is served over HTTPS, so the client should validate the server certificate).
However, this claim is just a hint, so ignoring it and always using a hardcoded key is also technically possible.
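The flow described in the answer above, as an added example (Java, written for this page; it is not code from the thread, from Auth0's documentation, or from the Auth0 SDK samples). It uses the public com.auth0:java-jwt and com.auth0:jwks-rsa libraries: the kid is read from the unverified token header, the matching JWK is resolved from the tenant's JWKS endpoint through a kid-keyed cache (a cache miss on an unseen kid is what triggers the re-fetch the answer mentions), and the signature is then checked with the algorithm pinned to RS256. The tenant domain, API identifier and token are placeholders.

```java
// Added example, not code from the original thread or from Auth0.
// Assumes com.auth0:java-jwt and com.auth0:jwks-rsa are on the classpath.
// The domain, audience and token values are placeholders.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public class KidBasedVerifier {

    private final String issuer;       // Auth0 issues tokens with iss = "https://<domain>/"
    private final String audience;     // the API identifier the token must be for
    private final JwkProvider jwkProvider;

    public KidBasedVerifier(String domain, String audience) {
        this.issuer = "https://" + domain + "/";
        this.audience = audience;
        // The provider fetches https://<domain>/.well-known/jwks.json over HTTPS,
        // so the JVM trust store validates the issuer's certificate, and caches
        // keys by kid. A token whose kid is not cached causes a fresh fetch,
        // which is the key-rotation signal the answer describes. The rate limit
        // bounds how often unknown kid values can force a network round trip.
        this.jwkProvider = new JwkProviderBuilder(domain)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
    }

    public DecodedJWT verify(String token) throws JwkException {
        // decode() performs no verification; it only exposes the header so the
        // kid can be read. Nothing in the token is trusted until verify() below.
        DecodedJWT unverified = JWT.decode(token);
        String kid = unverified.getKeyId();
        if (kid == null) {
            throw new JWTVerificationException("token has no kid header");
        }

        // Resolve the key for this kid: cache hit, or a JWKS fetch on a miss.
        Jwk jwk = jwkProvider.get(kid);
        RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

        // Pin the algorithm to RS256 so the token's own "alg" header cannot
        // change which check is run, and require the expected issuer and audience.
        Algorithm algorithm = Algorithm.RSA256(publicKey, null);
        JWTVerifier verifier = JWT.require(algorithm)
                .withIssuer(issuer)
                .withAudience(audience)
                .build();
        return verifier.verify(token);   // throws JWTVerificationException on any failure
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: substitute your tenant domain, API identifier and a real token.
        KidBasedVerifier v = new KidBasedVerifier("YOUR_DOMAIN.auth0.com", "https://your-api.example/");
        DecodedJWT jwt = v.verify("<access token taken from the Authorization header>");
        System.out.println("verified token for subject " + jwt.getSubject());
    }
}
```

Two details worth keeping in mind when adapting this: the issuer and audience checks are what stop a validly signed token from another tenant or for another API from being accepted, and the rate limit on the provider is the defensive counterpart of trusting the kid from the token, since without it each request carrying an unknown kid would cost a fetch from the keys endpoint.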
Thanks for the help @jmangelo!