In an environment where multiple varieties of a key type are supported (e.g. RS256 and RS384), the library doesn't enforce that the algorithm specified in the keyset for the kid specified in the JWT matches the algorithm specified in the JWT.

The go-jose library does ensure that the JWT is verified using the same algorithm family (e.g. using an rsaEncrypterVerifier), but uses the algorithm defined on the JWT.

Example:

1. jwks defines two keys:
   { "kty": "RSA", "use": "sig", "kid": "kid256", "alg": "RS256", "n": "...", "e": "...", }
   { "kty": "RSA", "use": "sig", "kid": "kid384", "alg": "RS384", "n": "...", "e": "...", }

2. Client generates an RS256 JWT using the private key associated with kid384, with header:
   { "kid": "kid384", "typ": "JWT", "alg": "RS256" }

3. This is successfully validated:

• kid384 is matched here
• RSA verifier is used based on the jwk key type, but uses the JWT's algorithm

I'm unclear on the risk (if any) associated with this type of substitution, but it would be useful to have an option to enforce JWT and key algorithm matching when that's the intended usage.