diff --git a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java index 9e80a7c..4c4faa6 100644 --- a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java +++ b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java @@ -91,7 +91,7 @@ public JsonWebToken parse(final String jwt) { final String kid = getAttribute(header, "kid", defaultKid); - final JsonObject payload = patcher.patch(defaultKid.equals(kid) ? null : kid, loadJson(jwt.substring(firstDot + 1, secondDot))); + final JsonObject payload = patcher.patch(kid.equals(defaultKid) ? null : kid, loadJson(jwt.substring(firstDot + 1, secondDot))); dateValidator.checkInterval(payload); final String alg = getAttribute(header, "alg", defaultAlg); diff --git a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtPatcher.java b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtPatcher.java index 35f213b..a54c3de 100644 --- a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtPatcher.java +++ b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtPatcher.java @@ -46,7 +46,7 @@ public class JwtPatcher { @PostConstruct private void init() { readerFactory = Json.createReaderFactory(emptyMap()); - defaultPatch = ofNullable(config.read("jwt.header.jwt.payload.patch.default", null)) + defaultPatch = ofNullable(config.read("jwt.payload.patch.default", null)) .map(it -> { try (final JsonReader reader = readerFactory.createReader(new StringReader(it))) { return reader.readArray(); 
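Review bot: In `parse`, `kid.equals(defaultKid)` throws a NullPointerException when the header carries no `kid` and no default is configured, assuming `getAttribute(header, "kid", defaultKid)` returns its third argument in that case (its body is not in the hunk). The swap fixes the null-`defaultKid` case but moves the failure to the null-`kid` case; `Objects.equals(kid, defaultKid) ? null : kid` (java.util.Objects) covers both. `kid` is read from the token header and selects the patch applied to the payload before any signature check visible in these lines. It is worth confirming in the rest of `parse`, which continues outside the hunk, that patched claims are trusted only after the signature has been verified.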
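Review bot: In `JwtPatcher.init`, the renamed key `jwt.payload.patch.default` is read with no fallback to the old `jwt.header.jwt.payload.patch.default`, so a deployment that set the old name silently loses its default patch after upgrading. Because the patch can populate claims such as `groups` (as the test added in this commit does), the loss appears as changed authorization results rather than a startup error. Consider keeping the old key as a fallback for one release, e.g. `config.read("jwt.payload.patch.default", config.read("jwt.header.jwt.payload.patch.default", null))`, or logging when only the old key is set. `init` continues past the end of the hunk.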
@@ -75,9 +75,7 @@ public JsonObject patch(final String kid, final JsonObject raw) { } protected /*can be overriden to be lazy*/ JsonPatch getPatch(final String kid) { - if (kid == null) { - return defaultPatch; - } - return kid == null ? defaultPatch : patches.get(kid); + JsonPatch jsonPatch = patches.get(kid); + return jsonPatch == null ? defaultPatch : jsonPatch; } } diff --git a/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/JsonPatchTest.java b/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/JsonPatchTest.java new file mode 100644 index 0000000..982e6ac --- /dev/null +++ b/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/JsonPatchTest.java 
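Review bot: In `getPatch`, `patches.get(kid)` is now reached with a null `kid`, which `JwtParser.parse` passes whenever the header kid equals the default; the removed guard used to short-circuit that case. Whether this is safe depends on the type of `patches`, which is declared outside the hunk: a `HashMap` returns null, while a `ConcurrentHashMap` throws NullPointerException. Keeping the guard makes the method independent of the map type: `final JsonPatch jsonPatch = kid == null ? null : patches.get(kid);` (the `final` also matches the surrounding code). Since every unknown `kid` taken from a token header now receives `defaultPatch`, a one-line comment on `getPatch` stating that fallback would help anyone overriding it.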
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.microprofile.impl.jwtauth.tck.jaxrs;
+
+import org.eclipse.microprofile.jwt.tck.container.jaxrs.TCKApplication;
+import org.eclipse.microprofile.jwt.tck.util.TokenUtils;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.arquillian.testng.Arquillian;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.exporter.ZipExporter;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.testng.annotations.Test;
+
+import javax.json.Json;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.core.Cookie;
+import java.io.File;
+import java.net.URL;
+
+import static javax.ws.rs.core.MediaType.TEXT_PLAIN_TYPE;
+import static org.testng.Assert.assertEquals;
+
+// NOTE: reuses tck resources and token generation
+public class JsonPatchTest extends Arquillian {
+ @Deployment(testable = false)
+ public static Archive war() {
+ System.setProperty("geronimo.jwt-auth.jwt.payload.patch.default", "[ { \"op\": \"copy\", \"from\":\"/resource_access/service-C/groups\", \"path\": \"/groups\" } ]");
+ return ShrinkWrap.create(WebArchive.class, JsonPatchTest.class.getSimpleName() + ".war")
+ .addClasses(TCKApplication.class, PassthroughEndpoint.class)
+ .addAsResource(JsonPatchTest.class.getResource("/publicKey.pem"), "/publicKey.pem");
+ }
+
+ @ArquillianResource
+ private URL base;
+
+ @Test
+ public void test() throws Exception {
+ final Client client = ClientBuilder.newClient();
+ try {
+ final String token = TokenUtils.generateTokenString("/Token2.json");
+ final String serverToken = client.target(base.toExternalForm())
+ .path("jsonpatch")
+ .request(TEXT_PLAIN_TYPE)
+ .cookie(new Cookie("Bearer", token))
+ .get(String.class);
+ assertEquals(serverToken, token);
+ } finally {
+ client.close();
+ }
+ }
+}
diff --git a/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/RolesAllowedEndpoint.java b/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/RolesAllowedEndpoint.java
new file mode 100644
index 0000000..b135678
--- /dev/null
+++ b/src/test/java/org/apache/geronimo/microprofile/impl/jwtauth/tck/jaxrs/RolesAllowedEndpoint.java
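Review bot: The archive built in `JsonPatchTest.war()` adds `PassthroughEndpoint`, but the test requests `jsonpatch`, the path declared by the `RolesAllowedEndpoint` added in this same commit; unless `PassthroughEndpoint` (not shown) also serves that path, the deployment should list `RolesAllowedEndpoint.class`. `System.setProperty("geronimo.jwt-auth.jwt.payload.patch.default", ...)` is never cleared, so the default patch stays active for every later test in the same JVM; clear it in an `@AfterClass` method. The test covers only the allowed path: a second case using a token whose `/resource_access/service-C/groups` lacks `groupC`, expecting a 403, would show that the patch does not grant the role unconditionally. `Json`, `File` and `ZipExporter` are imported but unused.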
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.microprofile.impl.jwtauth.tck.jaxrs;
+
+import org.eclipse.microprofile.jwt.JsonWebToken;
+
+import javax.annotation.security.RolesAllowed;
+import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+@Path("jsonpatch")
+@ApplicationScoped
+public class RolesAllowedEndpoint {
+ @Inject
+ private JsonWebToken token;
+
+ @GET
+ @Produces(MediaType.TEXT_PLAIN)
+ @RolesAllowed("groupC")
+ public String passthrough() {
+ return token.getRawToken();
+ }
+}
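Review bot: Nothing in `RolesAllowedEndpoint` says why `groupC` is expected to be present, so the fixture is hard to read without `JsonPatchTest` open beside it. A class comment such as `// Test fixture: groupC is expected in /groups only via the default JSON patch set in JsonPatchTest` would make the dependency explicit; confirm the wording against `Token2.json`, which is not part of this diff. The class name is also generic for an endpoint bound to `jsonpatch`, and something like `JsonPatchEndpoint` would be easier to locate next to the TCK's own role endpoints.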