Description
My identity provider exposes multiple values with the same key ID but different algorithm (is this unexpected?)
Running PyJWKClient.get_signing_key_from_jwt(token) will return the first value regardless of its algorithm (in my case my token uses RS256 but the returned key would be RS384).
EDIT: RFC 7517 hints that multiple keys can indeed have the same ID in the set:
[...] different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.)
Expected Result
I'd expect PyJWKClient.get_signing_key_from_jwt(token) to ensure that the returned signing key uses the same algorithm as the token. This behavior could be opt-in through a boolean parameter to ensure backward compatibility.
Actual Result
It returns the first signing key listed by the endpoint with a matching ID, regardless of algorithm.
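The selection logic the report asks for, as an added example that is not PyJWT's own code: a JWK Set is constructed with two RSA keys sharing one `kid` but carrying different `alg` values, and a key is chosen only when both `kid` and `alg` (plus the key type the algorithm requires) agree with the token header, with an ambiguous or empty match rejected. `select_by_kid_only` reproduces the behaviour described in the issue for contrast. The key material and tokens are placeholders built inline; no signatures are verified, and the function names, the `ALG_FAMILY_KTY` table and the `allowed_algs` parameter are assumptions of this example.

```python
import base64
import json

# Constructed sample JWK Set: two keys share one "kid" but carry different "alg"
# values, which is the situation the issue reports. The "n" values are
# placeholders, not real RSA moduli; nothing here performs signature verification.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "shared-kid", "alg": "RS384", "use": "sig",
         "n": "placeholder-n-384", "e": "AQAB"},
        {"kty": "RSA", "kid": "shared-kid", "alg": "RS256", "use": "sig",
         "n": "placeholder-n-256", "e": "AQAB"},
        {"kty": "RSA", "kid": "other-kid", "alg": "RS256", "use": "sig",
         "n": "placeholder-n-other", "e": "AQAB"},
    ]
}

# Key type each JWS algorithm family needs (assumed table for this example);
# used to reject a key whose "kty" cannot verify the token's "alg" at all.
ALG_FAMILY_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header: dict) -> str:
    """Build a JWT with the given header, a fixed payload and a dummy signature.

    Constructed for the demonstration only: the signature bytes are not valid.
    """
    payload = {"sub": "example-subject"}
    parts = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ]
    return ".".join(parts)


def get_unverified_header(token: str) -> dict:
    """Decode the JOSE header without verifying anything; used only to pick a key."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def select_by_kid_only(jwks: dict, token: str) -> dict:
    """The behaviour the issue reports: first key whose kid matches, alg ignored."""
    kid = get_unverified_header(token).get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise LookupError("no key with matching kid")


def select_signing_key(jwks: dict, token: str, allowed_algs: frozenset) -> dict:
    """Pick the key that matches the token's kid AND alg, refusing ambiguity.

    allowed_algs is the verifier's own allow-list; the token header never
    decides which algorithms are acceptable.
    """
    header = get_unverified_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    if not kid:
        raise ValueError("token header carries no kid")
    if alg not in allowed_algs:
        raise ValueError(f"token alg {alg!r} is not allowed by the verifier")
    expected_kty = ALG_FAMILY_KTY.get(alg[:2])
    candidates = [
        key for key in jwks.get("keys", [])
        if key.get("kid") == kid
        and key.get("use", "sig") == "sig"
        and key.get("kty") == expected_kty
        # JWK "alg" is optional; when present it must agree with the token.
        and key.get("alg", alg) == alg
    ]
    if not candidates:
        raise LookupError(f"no key in the set matches kid={kid!r} alg={alg!r}")
    if len(candidates) > 1:
        raise LookupError(f"ambiguous: {len(candidates)} keys match kid={kid!r} alg={alg!r}")
    return candidates[0]


if __name__ == "__main__":
    token = make_unsigned_token({"alg": "RS256", "kid": "shared-kid", "typ": "JWT"})
    print("kid only  ->", select_by_kid_only(SAMPLE_JWKS, token)["alg"])
    print("kid + alg ->", select_signing_key(SAMPLE_JWKS, token, frozenset({"RS256", "RS384"}))["alg"])
```

Run as a script, the first line shows the RS384 key being handed to an RS256 token (the reported behaviour); the second shows the RS256 key once `alg` is part of the match. The allow-list is passed by the verifier rather than read from the token so that a header claiming an unexpected algorithm is rejected before any key is considered.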