omniauth · stanhu · Sep 10, 2024
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -317,7 +317,10 @@ def decode_id_token(id_token)
         # done. However, if there is no kid, then we try each key
         # individually to see if one works:
         # https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
-        raise if decoded&.header&.key?('kid')
+        if decoded&.header&.key?('kid')
+          kid = decoded.header['kid']
+          raise JSON::JWK::Set::KidNotFound, "kid '#{kid}' not found"
+        end
 
         decoded = decode_with_each_key!(id_token, keyset)
 

diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -338,9 +338,11 @@ def test_callback_phase_with_id_token_with_kid_and_no_matching_kid
         strategy.unstub(:user_info)
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 
-        assert_raises JSON::JWK::Set::KidNotFound do
+        error = assert_raises JSON::JWK::Set::KidNotFound do
           strategy.callback_phase
         end
+
+        assert_match %r{kid '.*' not found}, error.message
       end
 
       def test_callback_phase_with_id_token_with_hs256