feat: allow use of empty alg fields in jwks

[SkArchon]

Current Behaviour
Currently we require "ALG" to be present in the JWKS, however this is optional as per the rfc. We filter out a default list of algorithms / passed algorithms, based on the alg parameter, but if the alg parameter is "", this is skipped, which leads us to this issue.

What this PR does
This PR cleans up the validation store and we validate the algorithm on the hot path now instead if an algorithm HAS been specified. In order to prevent repeating logic of getting and casting the algorithm, we looked at forking the keyfunc from https://github.com/MicahParks/keyfunc (this is simple since its one file we need to maintain and it gets rarely updated, it is also the expectation of the author for users to fork the keyfunc for customization, reference). However as its more likely the router will get security reports, we opted not to do this.

This PR also upgrades the jwkset library to include this downstream change

To summarise, this PR will not filter JWKS on startup / refresh, this could increase potential memory usage by a few kb, we removed the validation store for simplicity. And moves the validation of the algorithm to the hot path, this adds a few microseconds to every request. The validation for loop can run for a max of 12 cycles since we only allow 12 algorithms.

Prior PR: wundergraph/keyfunc#1

Summary by CodeRabbit

• New Features

  • Per-provider audience and algorithm enforcement plus a new configurable refresh_unknown_kid option for JWKS sources.

• Tests

  • Greatly expanded authentication tests: multi-provider audience cases, algorithm families and overrides, unknown-KID refresh flows, concurrent requests, malformed/edge-case tokens.

• Chores

  • Upgraded JWKS/JWT dependencies for improved compatibility.

• Breaking/Removal

  • Removed legacy JWKS validation wrapper; validation now uses the new per-entry approach.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Moves JWKS handling from a global validation store to per-entry keyfuncs with per-entry audience and allowed-algorithm checks, removes the validationStore implementation, adds refresh_unknown_kid config, extends JWKS test helpers (TokenOpts/TokenWithOpts and changed TokenForKID), expands authentication tests, and bumps jwkset/keyfunc versions.

Changes

Cohort / File(s)	Summary of Changes
Tests: authentication scenarios & JWKS helpers router-tests/authentication_test.go, router-tests/jwks/jwks.go, router-tests/go.mod	Added extensive authentication tests for multi-provider JWKS (HTTP and secret), audience permutations, algorithm matrices, parallel requests, and invalid-token paths. Introduced TokenOpts, TokenWithOpts, Token, and changed TokenForKID to TokenForKID(kid string, claims map[string]any, useInvalidKID bool). Updated test module deps (github.com/MicahParks/jwkset and github.com/MicahParks/keyfunc/v3).
Auth core: JWKS token decoder refactor router/pkg/authentication/jwks_token_decoder.go	Replaced map-based keyfunc with per-entry keyFuncEntry/configKey collection; built entries storing jwks, allowed audiences and allowedAlgorithms; switched URL storage to jwkset.NewMemoryStorage; jwt.Keyfunc now iterates entries enforcing per-entry audience and algorithm checks, delegates to per-entry jwks.Keyfunc, and aggregates errors.
Auth core: validation store removal router/pkg/authentication/validation_store.go	Removed the validationStore type and NewValidationStore plus all associated methods and algorithm-filtering/marshal logic that previously wrapped jwkset.Storage to filter JWKs by algorithm.
Config schema router/pkg/config/config.schema.json	Added authentication.jwt.jwks[].refresh_unknown_kid and extended schema constraints to disallow refresh_unknown_kid in the secret+algorithm+header_key_id branch.
Dependency updates: main module router/go.mod	Bumped github.com/MicahParks/jwkset from v0.9.0 → v0.11.0 and github.com/MicahParks/keyfunc/v3 from v3.3.5 → v3.6.2.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix: jwt validation blocks on multiple requests #2216 — Shares changes to TokenForKID signature, per-JWKS allowed-algorithms handling, and refresh-on-unknown-KID behavior (strong overlap with test helpers and decoder changes).
• feat: add audience validation #2074 — Implements per-JWKS-entry audience validation and related decoder refactor (overlaps entry-level audience logic).
• feat: support symmetric key algorithms for JWKs #2067 — Covers secret/HS key handling and algorithm configuration for JWKS and tests (related to secret-based JWKS and algorithm overrides).

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The provided title clearly and concisely describes the primary change to the JWKS implementation by indicating that empty algorithm fields will now be allowed, directly reflecting the main objective of the PR without extraneous detail or ambiguity.

✨ Finishing touches

• 📝 Generate Docstrings

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 59323d9 and 54ad4f3.

📒 Files selected for processing (1)

• router/pkg/authentication/jwks_token_decoder.go (5 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections. The validation store maintains its own internal supported algorithms map that gets returned regardless of input parameters.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

🧬 Code graph analysis (1)

router/pkg/authentication/jwks_token_decoder.go (1)

router/pkg/authentication/authentication.go (1)

• Claims (10-10)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: image_scan
• GitHub Check: build_test
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build-router
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (7)

router/pkg/authentication/jwks_token_decoder.go (7)

8-8: LGTM: Import added for algorithm validation.

The slices import is appropriately added to support the new per-entry algorithm validation logic.

---

65-76: LGTM: Clean per-entry architecture.

The new configKey and keyFuncEntry types establish a clear per-entry model that supports independent audience and algorithm validation for each JWKS source.

---

192-203: LGTM: Audience validation correctly enforced per-entry.

The per-entry audience validation properly checks token audiences against each entry's expected audience set, joining errors and continuing to the next entry on mismatch. This allows tokens valid for one JWKS source to succeed even if rejected by others.

---

205-225: Algorithm validation correctly moved to hot path.

The explicit algorithm allowlist check addresses the RFC 7517 optional alg field requirement. The logic correctly:

• Only validates when allowedAlgorithms is non-empty (line 208)
• Handles missing or non-string alg headers appropriately (lines 210-218)
• Checks the algorithm against the per-entry allowlist (line 221)
• Continues to next entry on validation failure, enabling multi-source fallback

Note: Custom validations wrap keyfunc.ErrKeyfunc (lines 211, 216, 222), which maintains consistency with the upstream error handling pattern and allows consumers to detect JWT key function errors uniformly.

---

227-236: LGTM: Multi-source key resolution with proper error aggregation.

The delegation to each entry's jwks.Keyfunc after per-entry validation is correct. Aggregating errors across all entries (line 229) and returning the first successful key (line 232) provides good observability while supporting fallback across multiple JWKS sources.

---

243-278: LGTM: Helper functions support new architecture.

The getAudienceSet, createKeyFunc, and hasAudience helpers correctly support the per-entry validation model without requiring changes to their internal logic.

---

183-186: Secret-based JWKS algorithm validation is correct
Secret‐based entries intentionally omit allowedAlgorithms—they rely on the JWK’s own alg metadata (set when constructing the in‐memory JWK) and the default keyfunc validation rather than an explicit per‐entry allowlist. No changes required.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-7e22a451b13bcd0548ebd6081145b1d6c546bfef

[SkArchon]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (6)

router-tests/utils.go (1)

45-47: Remove or wire up ConfigureAuthOpts (currently unused).

Dead code in tests tends to linger. Either use it in ConfigureAuth/ConfigureAuthWithJwksConfig or drop it.

Apply this diff to remove for now:

-type ConfigureAuthOpts struct {
-	AllowEmptyAlgorithm bool
-}

router/pkg/authentication/jwks_token_decoder.go (2)

186-189: Fix error text for non‑string alg.

Current message implies alg is missing; it’s present but of wrong type.

-        if !ok {
-          return nil, fmt.Errorf(`%w: the JWT header did not contain the "alg" parameter, which is required by RFC 7515 section 4.1.1`, keyfunc.ErrKeyfunc)
-        }
+        if !ok {
+          return nil, fmt.Errorf(`%w: the JWT header "alg" parameter must be a string per RFC 7515 section 4.1.1`, keyfunc.ErrKeyfunc)
+        }

---

80-93: Pass the URL‑scoped logger to the validation store for better diagnostics.

Use l (logger.With(url)) so “Skipping key with unsupported algorithm” logs include the URL.

-      newValidationStore, processedAllowedAlgorithms := NewValidationStore(logger, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)
+      newValidationStore, processedAllowedAlgorithms := NewValidationStore(l, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)

Please confirm we don’t lose any other structured fields by switching to l here.

router/pkg/authentication/validation_store.go (1)

114-121: Preallocate filtered slice in KeyReplaceAll.

-  filtered := make([]jwkset.JWK, 0)
+  filtered := make([]jwkset.JWK, 0, len(given))

router/pkg/config/config.schema.json (2)

1690-1694: Clarify scope of allow_empty_algorithm.

Make it explicit this applies only to URL‑based JWKS entries.

-          "description": "This attribute can be enabled to allow for the JWK to contain keys with empty algorithms"
+          "description": "URL-based JWKS only: allow keys in the remote JWK Set to omit the 'alg' parameter. When enabled, the JWT header 'alg' must be present and allowed by 'algorithms'."

---

1695-1715: Align ‘algorithms’ description with the conditional requirement.

Currently says empty list means “allow all”, which conflicts with the conditional when allow_empty_algorithm is true.

-          "description": "The allowed algorithms for the keys that are retrieved from the JWKs. An empty list means that all algorithms are allowed.",
+          "description": "The allowed algorithms for remote JWK keys. If allow_empty_algorithm is true, this list must be non-empty. Otherwise, an empty list means all supported algorithms are allowed.",

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eaf3c13 and 25cf242.

📒 Files selected for processing (11)

• router-tests/authentication_test.go (1 hunks)
• router-tests/jwks/crypto.go (1 hunks)
• router-tests/jwks/jwks.go (1 hunks)
• router-tests/utils.go (1 hunks)
• router/core/supervisor_instance.go (1 hunks)
• router/pkg/authentication/jwks_token_decoder.go (7 hunks)
• router/pkg/authentication/validation_store.go (8 hunks)
• router/pkg/config/config.go (1 hunks)
• router/pkg/config/config.schema.json (3 hunks)
• router/pkg/config/fixtures/full.yaml (1 hunks)
• router/pkg/config/testdata/config_full.json (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/core/supervisor_instance.go
• router/pkg/config/fixtures/full.yaml
• router/pkg/authentication/jwks_token_decoder.go
• router/pkg/config/testdata/config_full.json
• router/pkg/config/config.schema.json

📚 Learning: 2025-07-21T15:06:36.664Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Applied to files:

• router/pkg/config/config.schema.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./events)

🔇 Additional comments (14)

router/pkg/config/fixtures/full.yaml (1)

275-275: Fixture updated for allow_empty_algorithm; confirm schema/docs alignment.

Looks good. Please ensure config.schema.json and cosmo-docs reflect this flag and its semantics.

router/pkg/config/config.go (1)

480-482: JWKSConfiguration: plumbs AllowEmptyAlgorithm correctly.

Tags and defaults look consistent with surrounding fields.

router/core/supervisor_instance.go (1)

267-269: AllowEmptyAlgorithm and Audiences wiring LGTM.

The new fields are passed through to authentication.JWKSConfig as expected.

router-tests/jwks/crypto.go (1)

50-53: Omit JWK alg when empty — good.

Matches RFC; ensures tests can exercise empty-alg keys. Verify no callers rely on baseCrypto.SigningMethod() when alg is empty.

router/pkg/config/testdata/config_full.json (1)

486-488: Test config updated to include AllowEmptyAlgorithm — OK.

Values (true/false) across entries look intentional.

Also applies to: 499-501, 510-511

router-tests/authentication_test.go (1)

2544-2584: Good coverage for empty-alg keys; add a NONE‑alg regression test.

Nice positive/negative cases. Please add a case with AllowEmptyAlgorithm=true and JWT alg "none" to assert it’s still rejected.

Also applies to: 2586-2626

router-tests/jwks/jwks.go (2)

39-41: TokenOpts addition is fine.

---

44-45: Delegating Token to TokenWithOpts is fine.

router/pkg/authentication/jwks_token_decoder.go (2)

203-213: Audience intersection logic LGTM.

Efficient and correct; rejects tokens lacking any configured audience for a source.

---

8-8: No action required — Go version requirement satisfied (router/go.mod: go 1.25).
stdlib "slices" requires Go ≥1.21; router module declares go 1.25, so the import in router/pkg/authentication/jwks_token_decoder.go is supported.

router/pkg/authentication/validation_store.go (3)

37-69: Store construction and algorithm filtering look solid.

• Defaults to all supported algs when none specified.
• Returns the effective set when a subset is configured.

---

104-107: Tiny perf nit: preallocate filtered slice.

-  filter := make([]jwkset.JWK, 0, len(keys))
+  filter := make([]jwkset.JWK, 0, len(keys))

You already preallocated here; keep as is. Nothing to change.

---

160-173: Filter logic for empty alg and allowlist LGTM.

Matches RFC (alg optional in JWK) and project semantics.

router/pkg/config/config.schema.json (1)

1767-1774: Secret-based branch exclusion LGTM.

Disallowing allow_empty_algorithm (and algorithms/refresh_interval) for secret mode prevents config misuse.

[SkArchon]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router/pkg/authentication/jwks_token_decoder.go (1)

206-215: Don’t return early on audience mismatch; continue to next source.
Prevents false negatives when multiple JWKS providers are configured with different audiences.

Apply this diff:

-      if len(expectedAudiences) > 0 {
-        tokenAudiences, err := token.Claims.GetAudience()
-        if err != nil {
-          return nil, fmt.Errorf("could not get audiences from token claims: %w", err)
-        }
-        if !hasAudience(tokenAudiences, expectedAudiences) {
-          return nil, errUnacceptableAud
-        }
-      }
+      if len(expectedAudiences) > 0 {
+        tokenAudiences, err := token.Claims.GetAudience()
+        if err != nil {
+          errJoin = errors.Join(errJoin, fmt.Errorf("could not get audiences from token claims: %w", err))
+          continue
+        }
+        if !hasAudience(tokenAudiences, expectedAudiences) {
+          errJoin = errors.Join(errJoin, errUnacceptableAud)
+          continue
+        }
+      }

♻️ Duplicate comments (1)

router/pkg/config/config.schema.json (1)

1727-1760: Correct conditional schema for allow_empty_algorithm.
Only triggers when the flag is true; requires non‑empty algorithms. Nice.

🧹 Nitpick comments (6)

router/pkg/authentication/validation_store.go (3)

37-69: Constructor behavior is sane; return both storage and processed algs.
Minor: for determinism across runs/tests, consider returning a sorted []string.

Apply this diff:

 func NewValidationStore(logger *zap.Logger, inner jwkset.Storage, algs []string, allowEmptyAlgorithm bool) (jwkset.Storage, []string) {
@@
-  if len(algs) == 0 {
-    return store, store.getSupportedAlgorithms()
-  }
+  if len(algs) == 0 {
+    return store, store.getSupportedAlgorithms()
+  }
@@
-  return store, store.getSupportedAlgorithms()
+  return store, store.getSupportedAlgorithms()
 }

And sort in getSupportedAlgorithms (see next comment).

---

71-77: Return algorithms in stable order.
Prevents flaky logs/tests.

Apply this diff:

 func (v *validationStore) getSupportedAlgorithms() []string {
   algs := make([]string, 0, len(v.algs))
   for alg := range v.algs {
     algs = append(algs, alg)
   }
-  return algs
+  sort.Strings(algs)
+  return algs
 }

Add import:

 import (
   "context"
   "encoding/json"
   "fmt"
+  "sort"

---

89-94: Improve error when alg is empty but disallowed.
Current message prints an empty alg string; make it explicit for operators.

Apply this diff:

-  return jwkset.JWK{}, fmt.Errorf("key with ID %q has an unsupported algorithm %s", keyID, key.Marshal().ALG.String())
+  alg := key.Marshal().ALG.String()
+  if alg == "" {
+    return jwkset.JWK{}, fmt.Errorf("key with ID %q has empty algorithm and allowEmptyAlgorithm=false", keyID)
+  }
+  return jwkset.JWK{}, fmt.Errorf("key with ID %q has an unsupported algorithm %q", keyID, alg)

router/pkg/authentication/jwks_token_decoder.go (2)

80-81: Pass URL-scoped logger to ValidationStore.
Ensures skip/warn logs include provider context.

Apply this diff:

-      newValidationStore, processedAllowedAlgorithms := NewValidationStore(logger, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)
+      newValidationStore, processedAllowedAlgorithms := NewValidationStore(l, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)

---

176-199: Alg header validation: minor polish.
Use %q for alg to quote value.

Apply this diff:

-        if !slices.Contains(keyFuncAndOpts.allowedAlgorithms, alg) {
-          errJoin = errors.Join(errJoin, fmt.Errorf("%w: could not find alg %s in allow list", keyfunc.ErrKeyfunc, alg))
+        if !slices.Contains(keyFuncAndOpts.allowedAlgorithms, alg) {
+          errJoin = errors.Join(errJoin, fmt.Errorf("%w: alg %q not allowed by configured allow list", keyfunc.ErrKeyfunc, alg))
           continue
         }

router/pkg/config/config.schema.json (1)

1690-1693: Add clarifying note to description.
State that JWT header alg remains required and will be validated against algorithms when this flag is true.

Apply this diff:

-                  "allow_empty_algorithm": {
-                    "type": "boolean",
-                    "description": "This attribute can be enabled to allow for the JWK to contain keys with empty algorithms"
-                  },
+                  "allow_empty_algorithm": {
+                    "type": "boolean",
+                    "description": "Allow JWKS keys without an 'alg' parameter. Note: the JWT header 'alg' remains required (RFC 7515 §4.1.1) and will be validated against 'algorithms' when this is true."
+                  },

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 25cf242 and 090d750.

📒 Files selected for processing (4)

• router-tests/jwks/jwks.go (1 hunks)
• router/pkg/authentication/jwks_token_decoder.go (7 hunks)
• router/pkg/authentication/validation_store.go (8 hunks)
• router/pkg/config/config.schema.json (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• router-tests/jwks/jwks.go

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router/pkg/config/config.schema.json

📚 Learning: 2025-07-21T15:06:36.664Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Applied to files:

• router/pkg/config/config.schema.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: build_test
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: build_test
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)

🔇 Additional comments (5)

router/pkg/authentication/validation_store.go (3)

15-19: Struct additions look good.
Encapsulates config cleanly; no concerns.

---

124-131: Log context might miss URL.
This logger isn’t URL-scoped; pass the URL‑scoped logger to NewValidationStore at the call site so these warnings carry the provider URL.

I’ve proposed the change in jwks_token_decoder.go (see related comment).

---

160-173: Filtering logic LGTM.
Allows empty alg only when configured, rejects "none".

router/pkg/authentication/jwks_token_decoder.go (1)

50-52: Config surface LGTM.
New AllowEmptyAlgorithm flag is clear.

router/pkg/config/config.schema.json (1)

1774-1777: Secret-based branch correctly forbids allow_empty_algorithm.
Avoids invalid combinations.

[SkArchon]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

router/pkg/authentication/jwks_token_decoder.go (1)

193-197: Good: continue on alg not allowed (don’t short‑circuit other sources).

This addresses the earlier “return vs continue” concern so other providers can still validate.

🧹 Nitpick comments (3)

router/pkg/authentication/jwks_token_decoder.go (3)

69-69: Use URL-scoped logger when constructing the validation store.

Pass l (with url field) to NewValidationStore so its logs carry the source context.

- newValidationStore, processedAllowedAlgorithms := NewValidationStore(logger, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)
+ newValidationStore, processedAllowedAlgorithms := NewValidationStore(l, nil, c.AllowedAlgorithms, c.AllowEmptyAlgorithm)

Also applies to: 80-81, 92-92, 113-117

---

189-191: Tighten error message for non‑string alg.

The header may contain alg but not as a string; reflect that precisely.

-                    errJoin = errors.Join(errJoin, fmt.Errorf(`%w: the JWT header did not contain the "alg" parameter, which is required by RFC 7515 section 4.1.1`, keyfunc.ErrKeyfunc))
+                    errJoin = errors.Join(errJoin, fmt.Errorf(`%w: the JWT header "alg" parameter must be a string (RFC 7515 §4.1.1)`, keyfunc.ErrKeyfunc))

---

37-38: Avoid potential panic on claims assertion.

Be defensive in case the parser is customized to a different claims type.

-    claims := token.Claims.(jwt.MapClaims)
-    return Claims(claims), nil
+    claims, ok := token.Claims.(jwt.MapClaims)
+    if !ok {
+        return nil, fmt.Errorf("unexpected claims type %T", token.Claims)
+    }
+    return Claims(claims), nil

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 090d750 and 04bc7ab.

📒 Files selected for processing (1)

• router/pkg/authentication/jwks_token_decoder.go (8 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./events)

🔇 Additional comments (3)

router/pkg/authentication/jwks_token_decoder.go (3)

61-66: Wrapper type for per-source options looks good.

The keyed wrapper cleanly scopes alg checks per source.

---

167-170: Secret-based path: confirm AllowEmptyAlgorithm semantics.

Here allowEmptyAlgorithm isn’t set. If intentional (secret JWKs always carry ALG so extra header check is redundant), add a brief comment. If not, consider mirroring the URL path for consistency.

---

8-8: Stdlib "slices" is safe to use (Go ≥1.21).
All go.mod files declare go 1.25 and no references to golang.org/x/exp/slices were found — the import of "slices" in router/pkg/authentication/jwks_token_decoder.go is acceptable.

[SkArchon]

Forked keyfunc, PR can be found here
PR: wundergraph/keyfunc#1
cc: @StarpTech @Noroth

[StarpTech]

wundergraph/keyfunc#1 (comment)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

router-tests/authentication_test.go (1)

270-344: Consider adding assertions for request timing distribution.

The parallel test correctly verifies that only one request returns quickly when max wait is exceeded. However, it would be valuable to also assert that the other requests wait for approximately the expected interval (around 1 second each).

 var elapsedFastCounter atomic.Int64
+var elapsedSlowCounter atomic.Int64
 var wg sync.WaitGroup

 for range waitEntries + 1 {
     wg.Add(1)

     go func() {
         defer wg.Done()

         start := time.Now()
         res2, err := xEnv.MakeRequest(http.MethodPost, "/graphql", header, strings.NewReader(employeesQuery))
         require.NoError(t, err)
         defer func() { _ = res2.Body.Close() }()

         elapsed := time.Since(start)

         if elapsed < 100*time.Millisecond {
             elapsedFastCounter.Add(1)
+        } else if elapsed >= 700*time.Millisecond && elapsed < 1500*time.Millisecond {
+            elapsedSlowCounter.Add(1)
         }

         require.True(t, elapsed < 50*time.Millisecond || elapsed >= 700*time.Millisecond)
         require.Equal(t, http.StatusUnauthorized, res2.StatusCode)
         data, err := io.ReadAll(res2.Body)
         require.NoError(t, err)
         require.JSONEq(t, unauthorizedExpectedData, string(data))
     }()
 }

 wg.Wait()

 // We only exit early on the 5th request as by the 5th request we have accumulated
 // enough tokens to exceed the max wait duration
 require.Equal(t, 1, int(elapsedFastCounter.Load()))
+// The other requests should have waited approximately 1 second each
+require.Equal(t, waitEntries, int(elapsedSlowCounter.Load()))

router/pkg/authentication/jwks_token_decoder.go (1)

220-224: Document why UseWhitelist is limited to signing keys

Add a one-line inline comment above the UseWhitelist entry in router/pkg/authentication/jwks_token_decoder.go stating that only signing keys (jwkset.UseSig) are accepted for JWT verification and encryption-use keys are intentionally excluded; tests (router-tests/jwks/crypto.go) and nearby code already use UseSig — no code changes required.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 482d572 and 2ff8405.

⛔ Files ignored due to path filters (2)

• router-tests/go.sum is excluded by !**/*.sum
• router/go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• router-tests/authentication_test.go (8 hunks)
• router-tests/go.mod (2 hunks)
• router-tests/jwks/jwks.go (1 hunks)
• router/go.mod (2 hunks)
• router/pkg/authentication/jwks_token_decoder.go (7 hunks)
• router/pkg/config/config.schema.json (2 hunks)
• router/pkg/config/fixtures/full.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• router-tests/go.mod
• router/pkg/config/config.schema.json
• router/pkg/config/fixtures/full.yaml

🧰 Additional context used

🧠 Learnings (4)

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router-tests/authentication_test.go

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections. The validation store maintains its own internal supported algorithms map that gets returned regardless of input parameters.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router-tests/authentication_test.go

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router-tests/authentication_test.go

📚 Learning: 2025-07-21T15:06:36.664Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

🧬 Code graph analysis (2)

router/pkg/authentication/jwks_token_decoder.go (1)

router/pkg/config/config.go (1)

• RefreshUnknownKID (484-489)

router-tests/authentication_test.go (6)

router-tests/testenv/testenv.go (3)

• Run (107-124)
• Config (286-342)
• Environment (1729-1765)

router-tests/jwks/jwks.go (3)

• NewServer (189-195)
• NewServerWithCrypto (138-187)
• TokenOpts (39-41)

router-tests/utils.go (2)

• ConfigureAuthWithJwksConfig (59-70)
• JwksName (19-19)

router/pkg/authentication/jwks_token_decoder.go (2)

• JWKSConfig (42-54)
• RefreshUnknownKIDConfig (56-61)

router/pkg/config/config.go (2)

• RefreshUnknownKID (484-489)
• Config (995-1069)

router-tests/testenv/utils.go (1)

• AwaitFunc (32-42)

🔇 Additional comments (18)

router/go.mod (1)

61-61: jwks upgrade to v0.11.0 — confirm compatibility & tests

No references to github.com/WunderGraph/jwkset; imports use github.com/MicahParks/jwkset.

• router/go.mod:61 and router-tests/go.mod:6 require github.com/MicahParks/jwkset v0.11.0; demo/go.mod:28 still references v0.9.0 (indirect).
• Files importing jwkset: router/pkg/authentication/jwks_token_decoder.go:13, router-tests/authentication_test.go:18, router-tests/header_set_test.go:10, router-tests/jwks/*.

Run tests in router and router-tests (go test ./...) and confirm they exercise any behavior changes from v0.11.0; update tests or align demo/go.mod if the older indirect version is unacceptable.

router/pkg/authentication/jwks_token_decoder.go (6)

52-60: LGTM! Clean type definition for refresh throttling configuration.

The new RefreshUnknownKIDConfig struct follows Go conventions and provides sensible controls for rate-limiting unknown KID refreshes.

---

110-114: LGTM! Well-implemented rate limiting for unknown KID refresh.

The implementation correctly configures the rate limiter only when explicitly enabled, preventing unnecessary resource allocation when the feature is not needed.

---

116-116: LGTM! Consistent algorithm propagation through the call chain.

The changes correctly pass AllowedAlgorithms for HTTP-based sources and an empty slice for secret-based sources (which have a single algorithm defined).

Also applies to: 166-166, 214-214

---

180-186: LGTM! Error accumulation improves multi-source JWKS handling.

The change from returning early on audience mismatch to accumulating errors and continuing to the next source is correct. This allows tokens to be validated against multiple JWKS sources when configured.

---

189-194: LGTM! Clean delegation to keyfunc with proper error handling.

The simplified key resolution logic properly delegates to the forked keyfunc implementation while maintaining error accumulation for multi-source scenarios.

---

7-7: Verify & document fork: github.com/wundergraph/keyfunc/v3

• Found: router/pkg/authentication/jwks_token_decoder.go imports "github.com/wundergraph/keyfunc/v3"; router/go.mod and router/go.sum pin github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9.
• Also found upstream entries: demo/go.mod uses github.com/MicahParks/keyfunc/v3 v3.3.5 and aws-lambda-router/go.mod uses github.com/MicahParks/keyfunc/v2 v2.1.0 — mixed sources/versions.
• Action: confirm the wundergraph fork is actively maintained and tracks upstream security fixes; document the fork in project dependency docs (README/CONTRIBUTING or central dependency management) and reconcile/unify the keyfunc source/version across modules.

router-tests/jwks/jwks.go (3)

39-41: LGTM! Clean struct definition for algorithm override.

The TokenOpts struct provides a clear and extensible way to pass token generation options.

---

52-59: LGTM! Robust algorithm validation prevents panics.

The implementation correctly validates that GetSigningMethod returns a non-nil value before using it, preventing potential panics from invalid algorithm names.

---

68-79: LGTM! Flexible KID handling for testing scenarios.

The useInvalidKID parameter provides useful flexibility for testing unknown KID scenarios while maintaining backward compatibility.

router-tests/authentication_test.go (8)

63-111: LGTM! Comprehensive test for rate limit enforcement.

The test correctly verifies that requests exceeding the burst limit are throttled for at least 700ms, ensuring the rate limiter is working as expected.

---

113-162: LGTM! Well-structured test for burst budget recovery.

The test properly validates that after waiting for the interval period, the burst budget is replenished and requests are not throttled.

---

166-215: LGTM! Good edge case coverage for max wait behavior.

The test ensures that when the wait time would exceed MaxWait, the rate limiter returns immediately rather than blocking indefinitely.

---

346-388: LGTM! Important regression test for disabled refresh behavior.

This test ensures that when refresh is disabled, authentication with unknown KIDs doesn't block, maintaining backward compatibility.

---

796-849: LGTM! Excellent test for multi-source audience validation.

The test properly validates that authentication succeeds when at least one JWKS source accepts the token's audience, even if others reject it. The loop ensures the test covers different ordering scenarios.

---

890-929: LGTM! Critical test for empty algorithm field handling.

This test validates the core PR objective - allowing JWKs with empty alg fields while still validating the algorithm from the token header. This aligns with RFC 7517 which marks the alg field as optional.

---

931-970: LGTM! Good security validation test.

The test ensures that even with empty alg in JWKS, the allowed algorithms list is still enforced, preventing algorithm confusion attacks.

---

2972-3009: LGTM! Comprehensive test for invalid algorithm rejection.

The test properly validates that tokens with non-IANA registered algorithms are rejected, maintaining security even when JWKS has empty algorithm fields.

[SkArchon]

cc: @StarpTech

[StarpTech]

LGTM

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router/pkg/authentication/jwks_token_decoder.go (1)

258-268: Add missing replace directive for keyfunc fork
We still require the upstream github.com/MicahParks/keyfunc/v3 but the PR is meant to consume our wundergraph-hosted fork. Add a replace in router/go.mod (and mirror it in router-tests/go.mod) to point github.com/MicahParks/keyfunc/v3 → github.com/wundergraph/keyfunc/v3.

🧹 Nitpick comments (1)

router/pkg/authentication/jwks_token_decoder.go (1)

184-187: Secret path ignores AllowedAlgorithms; consider applying for parity.

For HTTP entries you enforce header alg only when AllowedAlgorithms is non-empty, but for secret-based entries it’s silently ignored. Either wire it through for consistency or document that AllowedAlgorithms applies only to HTTP-backed JWKS.

Apply to include the allowlist:

-      entries = append(entries, keyFuncEntry{
-        jwks: jwks,
-        aud:  audiencesMap[key],
-      })
+      entries = append(entries, keyFuncEntry{
+        jwks:              jwks,
+        aud:               audiencesMap[key],
+        allowedAlgorithms: c.AllowedAlgorithms,
+      })

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 688c884 and 25bad88.

📒 Files selected for processing (2)

• router-tests/authentication_test.go (3 hunks)
• router/pkg/authentication/jwks_token_decoder.go (5 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router-tests/authentication_test.go

📚 Learning: 2025-09-17T18:13:31.021Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2224
File: router/pkg/authentication/jwks_token_decoder.go:176-199
Timestamp: 2025-09-17T18:13:31.021Z
Learning: In router/pkg/authentication/jwks_token_decoder.go, when AllowEmptyAlgorithm is true, the allowedAlgorithms slice is populated by getSupportedAlgorithms() from validation_store.go, ensuring it's never empty and preventing unintended token rejections. The validation store maintains its own internal supported algorithms map that gets returned regardless of input parameters.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go
• router-tests/authentication_test.go

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router/pkg/authentication/jwks_token_decoder.go

🧬 Code graph analysis (2)

router/pkg/authentication/jwks_token_decoder.go (1)

router/pkg/authentication/authentication.go (1)

• Claims (10-10)

router-tests/authentication_test.go (5)

router-tests/testenv/testenv.go (3)

• Run (107-124)
• Config (286-342)
• Environment (1729-1765)

router-tests/jwks/jwks.go (3)

• NewServer (189-195)
• NewServerWithCrypto (138-187)
• TokenOpts (39-41)

router-tests/utils.go (2)

• ConfigureAuthWithJwksConfig (59-70)
• JwksName (19-19)

router/pkg/authentication/jwks_token_decoder.go (1)

• JWKSConfig (45-57)

router-tests/jwks/crypto.go (1)

• NewRSACrypto (67-84)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: build-router
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_test
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: image_scan
• GitHub Check: build_push_image
• GitHub Check: image_scan (nonroot)
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

router-tests/authentication_test.go (1)

2969-2993: No changes required for NewRSACrypto calls

Go allows untyped string constants to be passed into parameters of a named string type (jwkset.ALG), so calls like NewRSACrypto("", "R4ND0M", 2048) compile correctly against the signature func NewRSACrypto(kID string, alg jwkset.ALG, size int) (Crypto, error).