Jwt-verify and multiple keys/key rotation


I’m trying a haproxy / OIDC setup with tokens from Azure AD. Unfortunately they have a very fast key rotation and a static file is not an option. Additionally they have multiple keys active at the same time (e.g., during key rotation).

Is there a way to put a variable as second parameter of jwt-verify? I tried something like:

http-request set-var(txn.alg) http_auth_bearer,jwt_header_query('$.alg')
http-request set-var(txn.kid) http_auth_bearer,jwt_header_query('$.kid')

http-request deny content-type 'text/html' string 'Invalid JWT signature' unless { http_auth_bearer,jwt_verify(txn.alg,txn.kid) -m int 1 }

I put a file with the name of the kid in the correct directory. If I write the id directly as the second parameter it works, but not as a variable. While txn.alg works, the second parameter is always taken as a filename directly, and var(…) produces an error at startup.

An even better alternative would be if the JWKS URL could be used directly, but there was nothing in the documentation about that…
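Added example, not from the original post or from HAProxy: a small Python helper that turns a JWKS document (the format published at an issuer's jwks_uri) into one PEM public-key file per kid in a directory, the per-kid file layout the question relies on. The JWKS below is constructed with a toy modulus; the function names, the directory layout and the kid filter are assumptions.

```python
import base64
import re
from pathlib import Path

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption, NULL
KID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")  # kid ends up in a filename: base64url chars only
# Constructed JWKS (toy 32-bit modulus, real keys are 2048+ bits); key 2's kid is unsafe as a filename, key 3 is not RSA
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "abc-123_XYZ", "n": "0QIDBA", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "../evil", "n": "0QIDBA", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "kid": "ec-key", "crv": "P-256", "x": "AA", "y": "AA"},
]}

def _b64url_to_int(s: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)  # short-form length below 128 bytes, long form otherwise
    size = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(size)]) + size + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep INTEGER positive

def jwk_to_der(jwk: dict) -> bytes:
    """RSA JWK (n, e) -> DER SubjectPublicKeyInfo, the payload of a 'BEGIN PUBLIC KEY' PEM."""
    rsa_key = _der(0x30, _der_int(_b64url_to_int(jwk["n"])) + _der_int(_b64url_to_int(jwk["e"])))
    return _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_key))

def jwks_to_pems(jwks: dict) -> dict:
    """kid -> PEM for every RSA signing key whose kid is safe to use as a filename."""
    pems = {}
    for jwk in jwks.get("keys", []):
        kid = jwk.get("kid", "")
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig" or not KID_RE.fullmatch(kid):
            continue
        b64 = base64.b64encode(jwk_to_der(jwk)).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pems[kid] = f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
    return pems

def write_key_files(jwks: dict, key_dir: str) -> list:
    out = Path(key_dir)  # writes <key_dir>/<kid>.pem per usable key (assumed layout)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for kid, pem in jwks_to_pems(jwks).items():
        written.append(out / f"{kid}.pem")
        written[-1].write_text(pem)
    return [str(p) for p in written]
```

Re-running it on each fresh JWKS fetch keeps the directory in step with rotation and with several simultaneously active keys. The kid filter is there because the token header's kid is untrusted input, so a value that could steer the file lookup outside the key directory is never turned into a filename.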