test: add kty field to key metadata and enhance algorithm family matching

chrisingenhaag · chrisingenhaag · commit 07b110240fc8 · 2025-12-12T08:23:02.000+01:00
diff --git a/spec/01-unit/validators/signature_spec.lua b/spec/01-unit/validators/signature_spec.lua
@@ -45,8 +45,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "key1", "key2" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        { alg = "RS256", use = "sig" },
-        { alg = "RS256", use = "sig" }
+        { alg = "RS256", use = "sig", kty = "RSA" },
+        { alg = "RS256", use = "sig", kty = "RSA" }
       }
     }
 
@@ -65,7 +65,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     local public_keys = {
       keys = { "key1" },
       kids = { "kid1" },
-      key_metadata = { { alg = "ES256", use = "sig" } }
+      key_metadata = { { alg = "ES256", use = "sig", kty = "EC" } }
     }
 
     local err = signature_validator.validate_signature_with_kid({}, jwt, public_keys)
@@ -154,7 +154,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.equals("Invalid token signature", err.message)
   end)
 
-  it("should match any key when kid is missing and no alg specified", function()
+  it("should match key by kty when kid is missing (EC key)", function()
     local jwt = {
       header = { alg = "ES256" },
       verify_signature = function(self, key)
@@ -166,8 +166,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "RSA_KEY", "EC_KEY" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        {},
-        {}
+        { kty = "RSA" },
+        { kty = "EC" }
       }
     }
 
@@ -188,8 +188,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "ENC_KEY", "SIG_KEY" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        { alg = "RS256", use = "enc" },
-        { alg = "RS256", use = "sig" }
+        { alg = "RS256", use = "enc", kty = "RSA" },
+        { alg = "RS256", use = "sig", kty = "RSA" }
       }
     }
 
@@ -198,7 +198,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.is_nil(err)
   end)
 
-  it("should match when metadata has no alg specified", function()
+  it("should match when metadata has no alg but kty matches", function()
     local jwt = {
       header = { alg = "RS256" },
       verify_signature = function(self, key)
@@ -210,7 +210,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "RSA_KEY" },
       kids = { "kid1" },
       key_metadata = {
-        {}  -- no alg specified
+        { kty = "RSA" }  -- no alg specified
       }
     }
 
@@ -231,7 +231,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "KEY_FOR_RS256" },
       kids = { "kid1" },
       key_metadata = {
-        { alg = "RS256", use = "sig" }
+        { alg = "RS256", use = "sig", kty = "RSA" }
       }
     }
 
@@ -276,4 +276,26 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.equals(401, err.status)
     assert.equals("No public keys available", err.message)
   end)
+
+  it("should support PS256 (RSA-PSS) algorithm matching", function()
+    local jwt = {
+      header = { alg = "PS256" },
+      verify_signature = function(self, key)
+        return key == "RSA_PSS_KEY"
+      end
+    }
+
+    local public_keys = {
+      keys = { "RSA_PSS_KEY" },
+      kids = { "kid1" },
+      key_metadata = {
+        { kty = "RSA" }
+      }
+    }
+
+    local err = signature_validator.validate_signature_with_kid({}, jwt, public_keys)
+
+    assert.is_nil(err)
+  end)
+
 end)
diff --git a/src/keycloak_keys.lua b/src/keycloak_keys.lua
@@ -69,7 +69,8 @@ local function get_issuer_keys(well_known_endpoint)
         -- Store metadata for fallback key selection when kid is absent
         key_metadata[i] = {
             alg = key.alg,
-            use = key.use
+            use = key.use,
+            kty = key.kty
         }
     end
 
diff --git a/src/validators/signature.lua b/src/validators/signature.lua
@@ -21,8 +21,23 @@ local function key_matches_algorithm(key_metadata, jwt_alg)
     return key_metadata.alg == jwt_alg
   end
 
-  -- No alg specified on key, accept it
-  return true
+-- Check kty matches algorithm family
+  if jwt_alg then
+    if jwt_alg:sub(1, 2) == "RS" or jwt_alg:sub(1, 2) == "PS" then
+      -- RSA algorithms
+      if key_metadata.kty and key_metadata.kty ~= "RSA" then
+        return false
+      end
+    elseif jwt_alg:sub(1, 2) == "ES" then
+      -- ECDSA algorithms
+      if key_metadata.kty and key_metadata.kty ~= "EC" then
+        return false
+      end
+    end
+  end
+
+  -- If we get here, the key neither matches the algorithm family nor has a matching alg field, so reject it
+  return false
 end
 
 -- Validates a JWT signature using a key selected by kid from the provided
@@ -35,7 +50,7 @@ end
 --   public_keys - table with fields:
 --                   keys = { <decoded_key1>, <decoded_key2>, ... }
 --                   kids = { "kid1", "kid2", ... }
---                   key_metadata = { {alg=..., use=...}, ... }
+--                   key_metadata = { {alg=..., use=..., kty=...}, ... }
 --
 -- Returns:
 --   nil on success (signature valid)

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,8 @@ local function get_issuer_keys(well_known_endpoint)`
`69`	`69`	`-- Store metadata for fallback key selection when kid is absent`
`70`	`70`	`key_metadata[i] = {`
`71`	`71`	`alg = key.alg,`
`72`		`- use = key.use`
	`72`	`+ use = key.use,`
	`73`	`+ kty = key.kty`
`73`	`74`	`}`
`74`	`75`	`end`
`75`	`76`