Jwt with kid field due key rotation, how to call jwt_verify against /path/cert-by-kid.pem

Dear community,
my use case is that due key rotation on jwt issuer, jwt comprise the kid field, like:

  "typ": "JWT",
  "alg": "RS256",
  "kid": "public:some-uuid-string"

Afaics in the docs (haproxy 2.6) there is some possibility to access cert-list (which is also possible to be updated dynamically via api). But I cant figure out the proper config snippet which would call jwt_verify only once and toward the cert which is described in the kid section.

Suggestions or solution highly appreciated, thank you in advance.

I don’t have the exact solution, only work arounds.

Dynamic keys are mentioned in the jwt_verify docs but it seems to be discouraged:

All the certificates that might be used to verify JWTs must be known during init in order to be added into a dedicated certificate cache so that no disk access is required during runtime. For this reason, any used certificate must be mentioned explicitly at least once in a jwt_verify call. Passing an intermediate variable as second parameter is then not advised.

For now I’ve worked out 2 solutions:

  1. Validate the information in the JWT on the proxy as much as possible, then verify the authenticity of the signature within the service. If you’re doing something fancy with your keys then this will give you the most flexibility.
  2. Launch a new proxy when the key rotates. This allows for both the old and new key to be accepted during the rotation period by directing traffic with old tokens to the old proxy. When all the tokens signed with the old key expire, stop directing traffic to the old proxy and shut it down.