Add support for key rollover #3

Closed
@CHTJonas

Description

The WAA->WLS communication protocol states that WAAs (of which omniauth-ucam-raven is one) must support the use of multiple RSA public keys when verifying responses. As this is a hard requirement in the protocol which we don't yet support, this is a bug.

The relevant section of the protocol reads:

WLSs MAY publicise more than one key as 'in use' at any time. Amongst
other things, doing so supports key rollover by allowing a new key to
be distributed and installed in WAAs before a WLS starts to use
it. WAAs MUST support having multiple keys for any one WLS. WAAs
SHOULD make the process of authorised addition and removal of
particular keys convenient for a WAA manager.

Labels: bug, enhancement
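A sketch of what multi-key support for one WLS can look like in Ruby, added here as an illustration; it is not code from omniauth-ucam-raven or from the issue. The class and method names, the lookup by key ID and the SHA-256 digest are assumptions of this sketch, and the key pairs and signed data are constructed.

```ruby
require "openssl"

# Hypothetical key set for one WLS: several public keys can be installed at
# once, each addressed by a key ID assumed to accompany the signed response.
class WlsKeySet
  class UnknownKey < StandardError; end

  def initialize
    @keys = {}
  end

  # Authorised addition, e.g. installing the next key before the WLS uses it.
  def add(kid, pem)
    key = OpenSSL::PKey::RSA.new(pem)
    raise ArgumentError, "private key supplied for id #{kid}" if key.private?
    @keys[kid.to_s] = key
  end

  # Authorised removal once a key has been retired.
  def remove(kid)
    @keys.delete(kid.to_s)
  end

  # Verify with exactly the key the response names. An unknown ID fails
  # closed: there is no default key and no "try every key" fallback.
  def verify(kid, signed_data, signature)
    key = @keys.fetch(kid.to_s) { raise UnknownKey, "no key installed for id #{kid.inspect}" }
    key.verify(OpenSSL::Digest.new("SHA256"), signature, signed_data)
  end
end

# Constructed rollover scenario: throwaway key pairs stand in for the WLS's
# current ("2") and next ("3") signing keys.
def rollover_demo
  old_key = OpenSSL::PKey::RSA.new(2048)
  new_key = OpenSSL::PKey::RSA.new(2048)
  keys = WlsKeySet.new
  keys.add("2", old_key.public_key.to_pem)
  keys.add("3", new_key.public_key.to_pem) # installed ahead of first use
  data = "constructed-response-fields"
  digest = OpenSSL::Digest.new("SHA256")
  sig_old = old_key.sign(digest, data)
  sig_new = new_key.sign(digest, data)
  result = { old_ok: keys.verify("2", data, sig_old),
             new_ok: keys.verify("3", data, sig_new),
             cross_key: keys.verify("2", data, sig_new) }
  keys.remove("2") # rollover complete: the old key is withdrawn
  begin
    keys.verify("2", data, sig_old)
    result[:retired] = :accepted
  rescue WlsKeySet::UnknownKey
    result[:retired] = :rejected
  end
  result
end
```

During the overlap window both keys verify their own signatures; after removal, a response naming the retired key is refused rather than checked against the remaining key.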