diff --git a/hiboo/sso/oidc.py b/hiboo/sso/oidc.py
index dadab667cd9a1d7aba6b54cc97ec1fceffb083ff..dcfb81482e48fa64f5da61acd2a4e4e4005b9abc 100644
--- a/hiboo/sso/oidc.py
+++ b/hiboo/sso/oidc.py
@@ -16,6 +16,7 @@ from hiboo import models, utils, profile, security
 import flask
 import time
 import inspect
+import uuid
 
 
 RSA_KEY_LENGTH = 2048
@@ -31,9 +32,10 @@ def fill_service(service):
         )
     if "jwt_public_key" not in service.config:
         key, public, _ = generate_rsa_certificate(service.uuid)
+        kid = {"kid": str(uuid.uuid4())}
         service.config.update(
-            jwt_key=jwk.dumps(key, kty="RSA"),
-            jwt_public_key=jwk.dumps(public, kty="RSA"),
+            jwt_key={**kid, **jwk.dumps(key, kty="RSA")},
+            jwt_public_key={**kid, **jwk.dumps(public, kty="RSA")},
             jwt_alg="RS256"
         )