diff --git a/app/models/api/openid_connect/id_token.rb b/app/models/api/openid_connect/id_token.rb
index 92a0244c8..4b8e83137 100644
--- a/app/models/api/openid_connect/id_token.rb
+++ b/app/models/api/openid_connect/id_token.rb
@@ -14,7 +14,9 @@ module Api
 end

 def to_jwt(options={})
- to_response_object(options).to_jwt OpenidConnect::IdTokenConfig::PRIVATE_KEY
+ to_response_object(options).to_jwt(OpenidConnect::IdTokenConfig::PRIVATE_KEY) do |jwt|
+ jwt.kid = :default
+ end
 end

 def to_response_object(options={})
diff --git a/spec/lib/api/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
index 6d944626f..37eba5380 100644
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@@ -36,6 +36,13 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
 end

+ it "should return an id token with a kid" do
+ json = JSON.parse(response.body)
+ encoded_id_token = json["id_token"]
+ kid = JSON::JWT.decode(encoded_id_token, :skip_verification).header[:kid]
+ expect(kid).to eq("default")
+ end
+
 it "should return a valid access token" do
 json = JSON.parse(response.body)
 encoded_id_token = json["id_token"]
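Review bot: The `kid` assigned in `to_jwt` (id_token.rb) is the fixed literal `:default`, so the header does not actually identify which key signed the token. Relying parties use `kid` to pick the verification key from the provider's JWKS document; the JWKS code is not part of this diff, so it is worth confirming that it publishes the public half of `PRIVATE_KEY` under exactly `"default"`. A constant id also stays the same across a key rotation, so clients that cache keys by `kid` may keep verifying against the old key. I would at least add a comment above the assignment, such as `# kid must equal the kid published in the JWKS document; change both together when the signing key is rotated`, or derive the value from the key itself.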
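Review bot: The new example in token_endpoint_spec.rb decodes with `:skip_verification` and compares against the literal `"default"`, so it only pins the header string and would still pass if the token were signed with a different key than the one advertised. Reading an unverified header is fine for this one assertion, but the property clients depend on is that the `kid` selects a published key which verifies the signature. Consider a companion expectation that looks the `kid` up in the JWKS response and decodes the token with that key; the JWKS endpoint and its spec are not visible here, so this assumes one exists. The `JSON.parse` / `json["id_token"]` setup is repeated in the following example (which continues past the hunk) and could move to a shared `let(:encoded_id_token)`.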