zalando / skipper
79%

DEFAULT BRANCH: master
Repo Added
Files 301
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH master
branch: master
CHANGE BRANCH
x

coverage: 78.538% (-0.05%) from 78.592%
23247778842

push

github

web-flow 
feat: add jwtValidationKeys filter for JWT validation with direct JWKS URL (#3922)

## Summary

- Add new `jwtValidationKeys` filter that verifies JWT Bearer tokens
using a JWKS URL directly, without requiring OIDC discovery via
`.well-known/openid-configuration`
- Reuses existing `jwtValidationFilter` — the new spec only provides an
alternative entry point that skips OIDC discovery
- Claims validation delegated to `oidcClaimsQuery` as per existing
convention
- Registered alongside `jwtValidation` in skipper.go

## Motivation

The existing `jwtValidation` filter only supports JWKS discovery via
`.well-known/openid-configuration`. Services like Google Chat bots sign
webhook requests with JWTs but publish their public keys at non-standard
JWKS endpoints without OIDC discovery support, making it impossible to
verify these tokens with the current filter.

## Usage

```
jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
-> oidcClaimsQuery("/:@_:iss==\"chat@system.gserviceaccount.com\"")
-> oidcClaimsQuery("/:@_:aud==\"123456789\"")
```

Closes #3921

## Test plan

- [x] Spec validation (missing args, too many args, non-string args)
- [x] Valid token, expired token, missing sub claim
- [x] Missing/empty/malformed Bearer tokens
- [x] Algorithm none rejected
- [x] Existing jwtValidation tests still pass

---------

Signed-off-by: ivan-digital <root@ivan.digital>
Co-authored-by: ivan-digital <root@ivan.digital>

29 of 34 new or added lines in 2 files covered. (85.29%)

22 existing lines in 4 files now uncovered.

25908 of 32988 relevant lines covered (78.54%)

86650.92 hits per line

Relevant lines Covered
32988 RELEVANT LINES 25908 COVERED LINES
86650.92 HITS PER LINE
Source Files on master

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
23247778842 master feat: add jwtValidationKeys filter for JWT validation with direct JWKS URL (#3922) ## Summary - Add new `jwtValidationKeys` filter that verifies JWT Bearer tokens using a JWKS URL directly, without requiring OIDC discovery via `.well-known/openi... push web-flow github
78.54
23155683181 master fix: panic on auto propagator (#3920) fix: panic on auto propagator panic: duplicate registration: "skipper-debug" [recovered, repanicked] test: add test coverage to otel package Signed-off-by: Sandor Szuecs <sandor.szuecs@zalando.de> push web-flow github
78.59
23143845606 master test: add 100% coverage to rfc package (#3919) test: add 100% coverage to rfc package Signed-off-by: Sandor Szuecs <sandor.szuecs@zalando.de> push web-flow github
78.45
23143522413 master build(deps): bump oss-fuzz-base/base-builder-go from `b0a1a6f` to `35e834b` in /.clusterfuzzlite (#3924) Bumps oss-fuzz-base/base-builder-go from `b0a1a6f` to `35e834b`. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com... push web-flow github
78.38
23137875601 master Optimize: consistent hash algorithm (#3918) optimize: limit hash ring bucket size to max 10k optimize: consistentHash linear scan by using binary search in case it is actually faster than linear scan In practice we will see better results as the... push web-flow github
78.4
23097219486 master feat: add pprof profiling labels to Open Policy Agent filters and main proxy (#3902) To support (continuous) profilers, add Goroutine labels to the main proxy, filter invocation and specifically the Open Policy Agent filters. --------- Signed-o... push web-flow github
78.47
22874271621 master fix: panic on concurrent access of statebag (#3915) httptrace seems to be called concurrently so we can not use unprotected statebag to pass around the time.Time. Add a new member to the context Signed-off-by: Sandor Szücs <sandor.szuecs@zalando... push web-flow github
78.47
22872236893 master feature: expose invalid routes via support listener API (#3897) Fixes #3488 ### Context Operators in multitenant ingress setups currently have no programmatic way to discover which routes failed validation — the only option is grepping logs for... push web-flow github
78.46
22871504743 master fix: example eskip backend type Forward (#3913) fix: example eskip backend type Forward Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de> push web-flow github
78.48
22865671767 master build(deps): bump the all-go-mod-patch-and-minor group with 12 updates (#3910) Bumps the all-go-mod-patch-and-minor group with 12 updates: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/contrib/exporters/autoexport](https://g... push web-flow github
78.48
See All Builds (541)