zalando / skipper / 23247778842

79%

Build Type

push

github

Committed by web-flow

Commit Message

feat: add jwtValidationKeys filter for JWT validation with direct JWKS URL (#3922)

## Summary

- Add new `jwtValidationKeys` filter that verifies JWT Bearer tokens
using a JWKS URL directly, without requiring OIDC discovery via
`.well-known/openid-configuration`
- Reuses existing `jwtValidationFilter` — the new spec only provides an
alternative entry point that skips OIDC discovery
- Claims validation delegated to `oidcClaimsQuery` as per existing
convention
- Registered alongside `jwtValidation` in skipper.go

## Motivation

The existing `jwtValidation` filter only supports JWKS discovery via
`.well-known/openid-configuration`. Services like Google Chat bots sign
webhook requests with JWTs but publish their public keys at non-standard
JWKS endpoints without OIDC discovery support, making it impossible to
verify these tokens with the current filter.

## Usage

```
jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
-> oidcClaimsQuery("/:@_:iss==\"chat@system.gserviceaccount.com\"")
-> oidcClaimsQuery("/:@_:aud==\"123456789\"")
```

Closes #3921

## Test plan

- [x] Spec validation (missing args, too many args, non-string args)
- [x] Valid token, expired token, missing sub claim
- [x] Missing/empty/malformed Bearer tokens
- [x] Algorithm none rejected
- [x] Existing jwtValidation tests still pass

---------

Signed-off-by: ivan-digital <root@ivan.digital>
Co-authored-by: ivan-digital <root@ivan.digital>

Run Details

29 of 34 new or added lines in 2 files covered. (85.29%)

22 existing lines in 4 files now uncovered.

25908 of 32988 relevant lines covered (78.54%)

86650.92 hits per line