feat: allow use of empty alg fields in jwks

router-tests/go.mod

@@ -3,7 +3,7 @@ module github.com/wundergraph/cosmo/router-tests
 go 1.25
 
 require (
-	github.com/MicahParks/jwkset v0.9.0
+	github.com/MicahParks/jwkset v0.11.0
 	github.com/buger/jsonparser v1.1.1
 	github.com/cloudflare/backoff v0.0.0-20240920015135-e46b80a3a7d0
 	github.com/golang-jwt/jwt/v5 v5.2.2
@@ -45,7 +45,6 @@ require (
 	connectrpc.com/connect v1.16.2 // indirect
 	github.com/99designs/gqlgen v0.17.76 // indirect
 	github.com/KimMachineGun/automemlimit v0.6.1 // indirect
-	github.com/MicahParks/keyfunc/v3 v3.3.5 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
@@ -151,6 +150,7 @@ require (
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/vektah/gqlparser/v2 v2.5.30 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
+	github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect

router-tests/go.sum

@@ -5,10 +5,8 @@ github.com/99designs/gqlgen v0.17.76/go.mod h1:miiU+PkAnTIDKMQ1BseUOIVeQHoiwYDZG
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
-github.com/MicahParks/jwkset v0.9.0 h1:xDlGu6mZJdJ+mgAI4mIRqWm2p8Vrx0U98LMgRObw46M=
-github.com/MicahParks/jwkset v0.9.0/go.mod h1:fVrj6TmG1aKlJEeceAz7JsXGTXEn72zP1px3us53JrA=
-github.com/MicahParks/keyfunc/v3 v3.3.5 h1:7ceAJLUAldnoueHDNzF8Bx06oVcQ5CfJnYwNt1U3YYo=
-github.com/MicahParks/keyfunc/v3 v3.3.5/go.mod h1:SdCCyMJn/bYqWDvARspC6nCT8Sk74MjuAY22C7dCST8=
+github.com/MicahParks/jwkset v0.11.0 h1:yc0zG+jCvZpWgFDFmvs8/8jqqVBG9oyIbmBtmjOhoyQ=
+github.com/MicahParks/jwkset v0.11.0/go.mod h1:U2oRhRaLgDCLjtpGL2GseNKGmZtLs/3O7p+OZaL5vo0=
 github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
@@ -354,6 +352,8 @@ github.com/wundergraph/consul/sdk v0.0.0-20250204115147-ed842a8fd301 h1:EzfKHQoT
 github.com/wundergraph/consul/sdk v0.0.0-20250204115147-ed842a8fd301/go.mod h1:wxI0Nak5dI5RvJuzGyiEK4nZj0O9X+Aw6U0tC1wPKq0=
 github.com/wundergraph/graphql-go-tools/v2 v2.0.0-rc.226 h1:3g6KNCG4ydgnpZnIlCK7pmtv0FSge6ILUS5LjrNZNiI=
 github.com/wundergraph/graphql-go-tools/v2 v2.0.0-rc.226/go.mod h1:g1IFIylu5Fd9pKjzq0mDvpaKhEB/vkwLAIbGdX2djXU=
+github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9 h1:7bPpsPUUxy5dEnuDSy2q3PAmflxqKx9vnyaTj3TSMBo=
+github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9/go.mod h1:el0U1ewqJ/T/Urlt3wImfmuBmoQdjL5yoNQ5e/+O98M=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=

router-tests/header_set_test.go

@@ -275,7 +275,7 @@ func TestHeaderSetWithExpression(t *testing.T) {
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
 		require.NoError(t, err)
 
-		token, err := authServer.TokenForKID(rsa1.KID(), map[string]any{"user_id": "TestId"})
+		token, err := authServer.TokenForKID(rsa1.KID(), map[string]any{"user_id": "TestId"}, false)
 		require.NoError(t, err)
 
 		testenv.Run(t, &testenv.Config{

router-tests/jwks/jwks.go

@@ -36,25 +36,47 @@ func (s *Server) Close() {
 	s.httpServer.Close()
 }
 
+type TokenOpts struct {
+	AlgOverride string
+}
+
 func (s *Server) Token(claims map[string]any) (string, error) {
+	return s.TokenWithOpts(claims, TokenOpts{AlgOverride: ""})
+}
+
+func (s *Server) TokenWithOpts(claims map[string]any, tokenOpts TokenOpts) (string, error) {
 	if len(s.providers) == 0 {
 		return "", jwt.ErrInvalidKey
 	}
 
 	for kid, pr := range s.providers {
-		token := jwt.NewWithClaims(pr.SigningMethod(), jwt.MapClaims(claims))
+		method := pr.SigningMethod()
+		if tokenOpts.AlgOverride != "" {
+			method = jwt.GetSigningMethod(tokenOpts.AlgOverride)
+			if method == nil {
+				return "", fmt.Errorf("unsupported signing method: %s", tokenOpts.AlgOverride)
+			}
+		}
+		token := jwt.NewWithClaims(method, jwt.MapClaims(claims))
 		token.Header[jwkset.HeaderKID] = kid
 		return token.SignedString(pr.PrivateKey())
 	}
 
 	return "", jwt.ErrInvalidKey
 }
 
-func (s *Server) TokenForKID(kid string, claims map[string]any) (string, error) {
+func (s *Server) TokenForKID(kid string, claims map[string]any, useInvalidKID bool) (string, error) {
 	provider, ok := s.providers[kid]
-	if !ok {
+	if useInvalidKID {
+		// If we don't care about the kid, use any available provider
+		for _, pr := range s.providers {
+			provider = pr
+			break
+		}
+	} else if !ok {
 		return "", jwt.ErrInvalidKey
 	}
+
 	token := jwt.NewWithClaims(provider.SigningMethod(), jwt.MapClaims(claims))
 	token.Header[jwkset.HeaderKID] = kid
 	return token.SignedString(provider.PrivateKey())

router-tests/testenv/utils.go

@@ -28,3 +28,15 @@ func AwaitChannelWithCloseWithT[A any](t *testing.T, timeout time.Duration, ch <
 		require.Fail(t, "unable to receive message before timeout", msgAndArgs...)
 	}
 }
+
+func AwaitFunc(t *testing.T, timeout time.Duration, testFunction func()) {
+	t.Helper()
+
+	doneCh := make(chan struct{})
+	go func() {
+		defer close(doneCh)
+		testFunction()
+	}()
+
+	AwaitChannelWithT(t, timeout, doneCh, func(t *testing.T, _ struct{}) {}, "the test function timed out")
+}

router/core/supervisor_instance.go

@@ -265,6 +265,12 @@ func setupAuthenticators(ctx context.Context, logger *zap.Logger, cfg *config.Co
 			KeyId:     jwks.KeyId,
 
 			Audiences: jwks.Audiences,
+			RefreshUnknownKID: authentication.RefreshUnknownKIDConfig{
+				Enabled:  jwks.RefreshUnknownKID.Enabled,
+				MaxWait:  jwks.RefreshUnknownKID.MaxWait,
+				Interval: jwks.RefreshUnknownKID.Interval,
+				Burst:    jwks.RefreshUnknownKID.Burst,
+			},
 		})
 	}
 

router/go.mod

@@ -58,8 +58,7 @@ require (
 
 require (
 	github.com/KimMachineGun/automemlimit v0.6.1
-	github.com/MicahParks/jwkset v0.9.0
-	github.com/MicahParks/keyfunc/v3 v3.3.5
+	github.com/MicahParks/jwkset v0.11.0
 	github.com/alicebob/miniredis/v2 v2.34.0
 	github.com/caarlos0/env/v11 v11.3.1
 	github.com/cep21/circuit/v4 v4.0.0
@@ -79,6 +78,7 @@ require (
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
 	github.com/tonglil/opentelemetry-go-datadog-propagator v0.1.3
 	github.com/wundergraph/astjson v0.0.0-20250106123708-be463c97e083
+	github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9
 	go.uber.org/goleak v1.3.0
 	go.uber.org/ratelimit v0.3.1
 	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8

router/go.sum

@@ -5,10 +5,8 @@ github.com/99designs/gqlgen v0.17.49/go.mod h1:tC8YFVZMed81x7UJ7ORUwXF4Kn6SXuucF
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
-github.com/MicahParks/jwkset v0.9.0 h1:xDlGu6mZJdJ+mgAI4mIRqWm2p8Vrx0U98LMgRObw46M=
-github.com/MicahParks/jwkset v0.9.0/go.mod h1:fVrj6TmG1aKlJEeceAz7JsXGTXEn72zP1px3us53JrA=
-github.com/MicahParks/keyfunc/v3 v3.3.5 h1:7ceAJLUAldnoueHDNzF8Bx06oVcQ5CfJnYwNt1U3YYo=
-github.com/MicahParks/keyfunc/v3 v3.3.5/go.mod h1:SdCCyMJn/bYqWDvARspC6nCT8Sk74MjuAY22C7dCST8=
+github.com/MicahParks/jwkset v0.11.0 h1:yc0zG+jCvZpWgFDFmvs8/8jqqVBG9oyIbmBtmjOhoyQ=
+github.com/MicahParks/jwkset v0.11.0/go.mod h1:U2oRhRaLgDCLjtpGL2GseNKGmZtLs/3O7p+OZaL5vo0=
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 h1:uvdUDbHQHO85qeSydJtItA4T55Pw6BtAejd0APRJOCE=
@@ -319,6 +317,8 @@ github.com/wundergraph/astjson v0.0.0-20250106123708-be463c97e083 h1:8/D7f8gKxTB
 github.com/wundergraph/astjson v0.0.0-20250106123708-be463c97e083/go.mod h1:eOTL6acwctsN4F3b7YE+eE2t8zcJ/doLm9sZzsxxxrE=
 github.com/wundergraph/graphql-go-tools/v2 v2.0.0-rc.226 h1:3g6KNCG4ydgnpZnIlCK7pmtv0FSge6ILUS5LjrNZNiI=
 github.com/wundergraph/graphql-go-tools/v2 v2.0.0-rc.226/go.mod h1:g1IFIylu5Fd9pKjzq0mDvpaKhEB/vkwLAIbGdX2djXU=
+github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9 h1:7bPpsPUUxy5dEnuDSy2q3PAmflxqKx9vnyaTj3TSMBo=
+github.com/wundergraph/keyfunc/v3 v3.0.0-20250922133930-92f21becf3d9/go.mod h1:el0U1ewqJ/T/Urlt3wImfmuBmoQdjL5yoNQ5e/+O98M=
 github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
 github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=

router/pkg/authentication/jwks_token_decoder.go

@@ -4,16 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/wundergraph/keyfunc/v3"
 	"net/http"
 	"time"
 
-	"github.com/MicahParks/jwkset"
-	"github.com/MicahParks/keyfunc/v3"
-	"github.com/golang-jwt/jwt/v5"
-	"go.uber.org/zap"
 	"golang.org/x/time/rate"
 
+	"github.com/MicahParks/jwkset"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/wundergraph/cosmo/router/internal/httpclient"
+	"go.uber.org/zap"
 )
 
 type TokenDecoder interface {
@@ -49,6 +49,15 @@ type JWKSConfig struct {
 	KeyId     string
 
 	Audiences []string
+
+	RefreshUnknownKID RefreshUnknownKIDConfig
+}
+
+type RefreshUnknownKIDConfig struct {
+	Enabled  bool
+	Interval time.Duration
+	Burst    int
+	MaxWait  time.Duration
 }
 
 type audKey struct {
@@ -81,7 +90,7 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 					l.Error("Failed to refresh HTTP JWK Set from remote HTTP resource.", zap.Error(err))
 				},
 				RefreshInterval: c.RefreshInterval,
-				Storage:         NewValidationStore(logger, nil, c.AllowedAlgorithms),
+				Storage:         jwkset.NewMemoryStorage(),
 			}
 
 			store, err := jwkset.NewStorageFromHTTP(c.URL, jwksetHTTPStorageOptions)
@@ -95,11 +104,16 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 				HTTPURLs: map[string]jwkset.Storage{
 					c.URL: store,
 				},
-				PrioritizeHTTP:    true,
-				RefreshUnknownKID: rate.NewLimiter(rate.Every(5*time.Minute), 1),
+				PrioritizeHTTP: true,
 			}
 
-			jwks, err := createKeyFunc(ctx, jwksetHTTPClientOptions)
+			// Configure the rate limiter for refreshing unknown KIDs
+			if c.RefreshUnknownKID.Enabled {
+				jwksetHTTPClientOptions.RefreshUnknownKID = rate.NewLimiter(rate.Every(c.RefreshUnknownKID.Interval), c.RefreshUnknownKID.Burst)
+				jwksetHTTPClientOptions.RateLimitWaitMax = c.RefreshUnknownKID.MaxWait
+			}
+
+			jwks, err := createKeyFunc(ctx, jwksetHTTPClientOptions, c.AllowedAlgorithms)
 			if err != nil {
 				return nil, err
 			}
@@ -110,7 +124,6 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 			if _, ok := audiencesMap[key]; ok {
 				return nil, fmt.Errorf("duplicate JWK keyid specified found: %s", c.KeyId)
 			}
-
 			given := jwkset.NewMemoryStorage()
 
 			marshalOptions := jwkset.JWKMarshalOptions{
@@ -150,7 +163,7 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 				PrioritizeHTTP: false,
 			}
 
-			jwks, err := createKeyFunc(ctx, jwksetHTTPClientOptions)
+			jwks, err := createKeyFunc(ctx, jwksetHTTPClientOptions, make([]string, 0))
 			if err != nil {
 				return nil, err
 			}
@@ -161,22 +174,24 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 	keyFuncWrapper := jwt.Keyfunc(func(token *jwt.Token) (any, error) {
 		var errJoin error
 		for key, keyFunc := range keyFuncMap {
-			pub, err := keyFunc.Keyfunc(token)
-			if err != nil {
-				errJoin = errors.Join(errJoin, err)
-				continue
-			}
-
 			expectedAudiences := audiencesMap[key]
 			if len(expectedAudiences) > 0 {
 				tokenAudiences, err := token.Claims.GetAudience()
 				if err != nil {
-					return nil, fmt.Errorf("could not get audiences from token claims: %w", err)
+					errJoin = errors.Join(errJoin, fmt.Errorf("could not get audiences from token claims: %w", err))
+					continue
 				}
 				if !hasAudience(tokenAudiences, expectedAudiences) {
-					return nil, errUnacceptableAud
+					errJoin = errors.Join(errJoin, errUnacceptableAud)
+					continue
 				}
 			}
+
+			pub, err := keyFunc.Keyfunc(token)
+			if err != nil {
+				errJoin = errors.Join(errJoin, err)
+				continue
+			}
 			return pub, nil
 		}
 
@@ -196,16 +211,17 @@ func getAudienceSet(audiences []string) audienceSet {
 	return audSet
 }
 
-func createKeyFunc(ctx context.Context, options jwkset.HTTPClientOptions) (keyfunc.Keyfunc, error) {
+func createKeyFunc(ctx context.Context, options jwkset.HTTPClientOptions, algorithms []string) (keyfunc.Keyfunc, error) {
 	combined, err := jwkset.NewHTTPClient(options)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create HTTP client storage for JWK provider: %w", err)
 	}
 
 	keyfuncOptions := keyfunc.Options{
-		Ctx:          ctx,
-		Storage:      combined,
-		UseWhitelist: []jwkset.USE{jwkset.UseSig},
+		Ctx:               ctx,
+		Storage:           combined,
+		UseWhitelist:      []jwkset.USE{jwkset.UseSig},
+		AllowedAlgorithms: algorithms,
 	}
 
 	jwks, err := keyfunc.New(keyfuncOptions)