azure-ad-verify-token
Validation of a foreign token makes the lib get stuck on a never resolved promise
Describe the Issue
When I try to validate a token which is not signed with any of the key-ids which are available in the jwksUri, the library gets completely stuck, because the cached promise will never resolve nor reject.
In my case we have support for multiple IDPs and the token to validate was from another IDP as the jwksUri points to.
To solve this, the logic for fetching from the jwksUri and caching public keys by key-id need to be changed.
Expected behavior
The library should return that the token is invalid or should return that for the key-id of the token, there was no PublicKey found. The library should not return an ever-pending promise.
Steps to Reproduce
Try to validate a token which is from another IDP than the jwksUri.
Other Information
In theory, the current implementation of verify.ts should also have the issue that, if there is a network problem and fetching the jwksUri fails, there will be an ever-pending promise in the cache, which then leads to a similar issue where the lib gets completely stuck. But this case I have not explicitly tested.
Ran into a similar issue and debugged it.

`setDefferedItem(kid)` on line 22 in verify.ts gives `item` a value, and then this code won't ever get called, as `item` is not null even if the public key wasn't found in the list of public keys:

```ts
if (!item) {
  throw new Error('public key not found');
}
```

Fix:

```ts
if (!item || !item.done) {
```
This fix didn't work for me, I had to do the following: https://github.com/Jon-Salmon/azure-ad-verify-token/compare/ea1c81365a23285216362320d91bc0de016887cc...combined
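The failure mode described in the issue (a per-kid deferred that is created before the JWKS fetch and never settled when the kid is absent, or when the fetch itself fails) can be illustrated with a small kid-keyed cache that settles every deferred it hands out. This is an added example, not code from azure-ad-verify-token; `KeyCache`, `fetchJwks` and the sample JWKS values are assumptions constructed for the demo.

```typescript
// Added example (not the library's verify.ts): a JWKS cache keyed by kid
// that never leaves a pending promise behind. Names are assumptions.
type Jwk = { kid: string; x5c: string[] };
type Deferred = { promise: Promise<string>; resolve: (pem: string) => void; reject: (e: Error) => void };

function deferred(): Deferred {
  const d = {} as Deferred;
  d.promise = new Promise<string>((res, rej) => { d.resolve = res; d.reject = rej; });
  return d;
}

class KeyCache {
  items = new Map<string, Deferred>();
  fetchJwks: () => Promise<Jwk[]>;
  constructor(fetchJwks: () => Promise<Jwk[]>) { this.fetchJwks = fetchJwks; }

  getPublicKey(kid: string): Promise<string> {
    const cached = this.items.get(kid);
    if (cached) return cached.promise;
    const item = deferred();
    this.items.set(kid, item);          // dedupes concurrent fetches for this kid
    this.fetchJwks().then(
      (keys) => {
        const hit = keys.find((k) => k.kid === kid);
        if (hit) { item.resolve(hit.x5c[0] ?? ""); return; }
        // kid not in the JWKS (e.g. token from another IdP): reject instead of
        // leaving the deferred pending, and evict so a later call can retry.
        this.items.delete(kid);
        item.reject(new Error("public key not found"));
      },
      (err) => {
        // Network failure: reject and evict so the failure is not cached forever.
        this.items.delete(kid);
        item.reject(err instanceof Error ? err : new Error(String(err)));
      },
    );
    return item.promise;
  }
}

// Constructed sample JWKS: one known kid; "foreign-kid" is deliberately absent.
const SAMPLE_JWKS: Jwk[] = [{ kid: "tenant-kid", x5c: ["MIIC-constructed-cert-placeholder"] }];

async function demo(): Promise<{ found: string; missing: string; network: string }> {
  const ok = new KeyCache(async () => SAMPLE_JWKS);
  const found = await ok.getPublicKey("tenant-kid");
  const missing = await ok.getPublicKey("foreign-kid").then(() => "resolved", (e: Error) => e.message);
  const broken = new KeyCache(async () => { throw new Error("ECONNRESET"); });
  const network = await broken.getPublicKey("tenant-kid").then(() => "resolved", (e: Error) => e.message);
  return { found, missing, network };
}
demo().then((r) => console.log(r));
```

Both error paths settle within one fetch round-trip, so a caller sees a rejected promise (and can report the token as invalid) rather than hanging.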