telekom
diff --git a/‎CLAUDE.md‎
Lines changed: 7 additions & 4 deletions b/‎CLAUDE.md‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/handler.lua‎
Lines changed: 32 additions & 5 deletions b/‎src/handler.lua‎
Lines changed: 32 additions & 5 deletions
diff --git a/‎tests/README.md‎
Lines changed: 233 additions & 0 deletions b/‎tests/README.md‎
Lines changed: 233 additions & 0 deletions
diff --git a/‎tests/configure_jwt_plugin.sh‎
Lines changed: 0 additions & 1 deletion b/‎tests/configure_jwt_plugin.sh‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎tests/run_tests.sh‎
Lines changed: 5 additions & 5 deletions b/‎tests/run_tests.sh‎
Lines changed: 5 additions & 5 deletions
@@ -17,7 +17,7 @@ Key features:
 - Supports rotating public keys
 - Authorization based on token claims (scope, realm_access, resource_access)
 - Matches Keycloak users/clients to Kong consumers
-- Supports EC256/384/512 signature algorithms (feature branch)
+- Supports RSA (RS256, RS384, RS512) and EC (ES256, ES384, ES512) signature algorithms
 
 ## Development Environment
 
@@ -136,7 +136,10 @@ The plugin supports these version combinations:
 - Postgres: 12.x and higher
 - Keycloak: 9.0.3 (RHSSO-7.4), 15.0.2 (RHSSO-7.5), and 26.2.0
 
-## Branch Information
+## Algorithm Support
 
-- Current branch `feature/ec-support` adds support for Elliptic Curve signature algorithms (ES256, ES384, ES512)
-- Main branch `main` is the stable version of the plugin
+The plugin automatically validates JWT tokens with the following signature algorithms:
+- **RSA algorithms**: RS256, RS384, RS512
+- **EC algorithms**: ES256, ES384, ES512
+
+The algorithm is validated from the JWT's `alg` header field. The plugin no longer uses the `config.algorithm` parameter (deprecated), and instead validates that the token's algorithm is one of the supported algorithms listed above.
@@ -160,7 +160,7 @@ curl -X POST http://localhost:8001/plugins \
 | config.run_on_preflight                | no      | `true`            | A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests, if set to false then `OPTIONS` requests will always be allowed.                                                                                                                                                                                                  |
 | config.header_names                    | no      | `authorization`   | A list of HTTP header names that Kong will inspect to retrieve JWTs. `OPTIONS` requests will always be allowed.                                                                                                                                                                                                                                                                          |
 | config.maximum_expiration              | no      | `0`               | An integer limiting the lifetime of the JWT to `maximum_expiration` seconds in the future. Any JWT that has a longer lifetime will rejected (HTTP 403). If this value is specified, `exp` must be specified as well in the `claims_to_verify` property. The default value of `0` represents an indefinite period. Potential clock skew should be considered when configuring this value. |
-| config.algorithm                       | no      | `RS256`           | The algorithm used to verify the token’s signature. Can be `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, or `ES512`.                                                                                                                                                                                                                                                                      |
+| config.algorithm                       | no      | `RS256`           | **Deprecated - No longer used.** The plugin now automatically validates that the JWT algorithm (`alg` header) is one of the supported algorithms: `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, or `ES512`. This field is kept for backwards compatibility but has no effect.                                                                                                            |
 | config.allowed_iss                     | yes     |                   | A list of allowed issuers for this route/service/api. Can be specified as a `string` or as a [Pattern](http://lua-users.org/wiki/PatternsTutorial).                                                                                                                                                                                                                                      |
 | config.iss_key_grace_period            | no      | `10`              | An integer that sets the number of seconds until public keys for an issuer can be updated after writing new keys to the cache. This is a guard so that the Kong cache will not invalidate every time a token signed with an invalid public key is sent to the plugin.                                                                                                                    |
 | config.well_known_template             | false   | *see description* | A string template that the well known endpoint for keycloak is created from. String formatting is applied on the template and `%s` is replaced by the issuer of the token. Default value is `%s/.well-known/openid-configuration`                                                                                                                                                        |
 
@@ -7,6 +7,7 @@ local kong_meta = require "kong.meta"
 
 local socket = require "socket"
 local keycloak_keys = require("kong.plugins.jwt-keycloak.keycloak_keys")
+local plugin_schema = require("kong.plugins.jwt-keycloak.schema")
 
 local validate_issuer = require("kong.plugins.jwt-keycloak.validators.issuers").validate_issuer
 local validate_scope = require("kong.plugins.jwt-keycloak.validators.scope").validate_scope
@@ -34,6 +35,26 @@ local JwtKeycloakHandler = {
     PRIORITY = priority
 }
 
+-------------------------------------------------------------------------------
+-- custom helper function of the extended plugin "jwt-keycloak"
+-- --> extract allowed algorithms from schema
+-------------------------------------------------------------------------------
+local function get_allowed_algorithms_from_schema()
+    -- Navigate through the schema structure to find the algorithm field
+    for _, field in ipairs(plugin_schema.fields) do
+        if field.config then
+            for _, config_field in ipairs(field.config.fields) do
+                if config_field.algorithm and config_field.algorithm.one_of then
+                    return config_field.algorithm.one_of
+                end
+            end
+        end
+    end
+end
+
+-- Cache the allowed algorithms at module load time
+local ALLOWED_ALGORITHMS = get_allowed_algorithms_from_schema()
+
 -------------------------------------------------------------------------------
 -- custom helper function of the extended plugin "jwt-keycloak"
 -- --> this is contained in jwt_parser, but has a breaking change in 3.5
@@ -416,12 +437,18 @@ local function do_authentication(conf)
         }
     end
 
-    local algorithm = conf.algorithm or "RS256"
-
-    -- Verify "alg"
-    kong.log.debug("Expected JWT algorithm: " .. algorithm)
+    -- Verify "alg" - check if algorithm is in allowed list (from schema)
+    local is_valid_algorithm = false
+    
     kong.log.debug("Provided JWT algorithm: " .. jwt.header.alg)
-    if jwt.header.alg ~= algorithm then
+    for _, alg in ipairs(ALLOWED_ALGORITHMS) do
+        if jwt.header.alg == alg then
+            is_valid_algorithm = true
+            break
+        end
+    end
+    
+    if not is_valid_algorithm then
         security_event('ua201', 'ua, token integrity wrong')
         return false, {
             status = 401,
 
@@ -0,0 +1,233 @@
+<!--
+SPDX-FileCopyrightText: 2025 Deutsche Telekom AG
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Test Suite Documentation
+
+## Overview
+This directory contains integration tests for the kong-plugin-jwt-keycloak plugin. Tests are executed in Docker containers with a full Kong + Keycloak environment.
+
+## Running Tests
+```bash
+# Start all services
+docker compose up -d
+
+# Run the complete test suite
+docker compose up tests
+```
+
+## Test Files
+
+### Core Test Scripts
+- **`_env.sh`**: Environment setup and helper functions
+  - Sets up environment variables (Kong URL, Keycloak URL, etc.)
+  - Provides `wait_for_kong()` and `wait_for_keycloak()` functions
+  - Includes `retry_test_after_plugin_change()` helper for testing with retries
+
+- **`run_tests.sh`**: Main test orchestrator
+  - Runs all test phases in sequence
+  - Exits on first failure
+
+- **`run_unit_tests.sh`**: Lua unit test runner
+  - Executes busted unit tests from `spec/` directory
+
+### Setup Scripts
+- **`configure_keycloak.sh`**: Keycloak configuration
+Sets up Keycloak for testing:
+- Creates test realm with configured signing algorithm
+- Creates test client with OAuth2 client credentials flow
+- Configures client with ES256 signature algorithm by default
+
+- **`configure_jwt_plugin.sh`**: Kong plugin configuration
+  - Creates Kong service and route
+  - Configures jwt-keycloak plugin
+  - Sets up Kong consumer
+
+### Test Suites
+
+#### 1. `test_jwt_keycloak_plugin.sh`
+Basic JWT validation functionality:
+- Valid token acceptance
+- Invalid token rejection
+- Consumer matching
+
+#### 2. `test_algorithms.sh`
+Algorithm validation and security tests:
+- **ES256 token validation** (Elliptic Curve)
+  - Validates plugin accepts ES256 tokens from Keycloak
+- **'none' algorithm rejection** (Security)
+  - Creates unsigned token with `"alg":"none"`
+  - Validates plugin rejects with 401
+  - Protects against "none algorithm attack"
+- **Unsupported algorithm rejection** (Security)
+  - Creates token with `"alg":"HS256"`
+  - Validates plugin rejects with 401
+  - Ensures only supported algorithms are accepted
+
+**Note:** The plugin automatically validates tokens against all supported algorithms:
+- RSA: RS256, RS384, RS512
+- EC: ES256, ES384, ES512
+
+The `config.algorithm` parameter is deprecated and no longer used. RSA algorithm support is verified through the schema validation and the security tests demonstrate that the plugin correctly validates the algorithm header.
+
+#### 3. `test_error_conditions.sh`
+Error handling scenarios:
+- Missing token (401)
+- Invalid token format (401)
+- Expired tokens (401)
+- Wrong issuer (401/403)
+- OPTIONS preflight requests
+
+#### 4. `test_roles_scopes.sh`
+Authorization validation:
+- Scope-based authorization
+  - Valid scope acceptance (200)
+  - Invalid scope rejection (403)
+- Realm role validation
+  - Valid realm role acceptance (200)
+  - Invalid realm role rejection (403)
+- Client role validation
+  - Valid client role acceptance (200)
+  - Invalid client role rejection (403)
+
+#### 5. `test_security_logging.sh`
+Security event logging:
+- Authentication failure events
+- Wrong issuer security events
+- Security event code validation (ua200, ua201, ua220, ua222)
+
+## Test Environment Variables
+Set in `_env.sh`:
+- `KONG_ADMIN_URL`: Kong Admin API endpoint (http://kong:8001)
+- `KONG_PROXY_URL`: Kong Proxy endpoint (http://kong:8000)
+- `KC_URL`: Keycloak server URL (http://kc:8080)
+- `KC_CLIENT_ID`: Test client ID (test-user)
+- `KC_CLIENT_SECRET`: Generated client secret (random)
+- `KC_SIGNING_KEY_ALGORITHM`: Default signing algorithm (ES256)
+- `KC_REALM`: Keycloak realm name (default)
+
+## Helper Functions
+
+### `retry_test_after_plugin_change(description, expected_status, curl_command)`
+Retries a test up to 3 times with delays to allow Kong to apply plugin changes.
+
+**Example:**
+```bash
+if ! retry_test_after_plugin_change "Valid token test" "200" \
+  "curl -s -w \"%{http_code}\" -X GET $KONG_PROXY_URL/example/get -H \"Authorization: Bearer $TOKEN\" -o /dev/null"; then
+  exit 1
+fi
+```
+
+**Parameters:**
+- `description`: Human-readable test description
+- `expected_status`: Expected HTTP status code(s), can be multiple like "200|201"
+- `curl_command`: The curl command to execute
+
+## Test Patterns
+
+### Plugin Reconfiguration Pattern
+When testing different plugin configurations:
+
+```bash
+# Delete existing plugin
+curl -s -X DELETE $KONG_ADMIN_URL/plugins/$(curl -s $KONG_ADMIN_URL/plugins | jq -r '.data[] | select(.name=="jwt-keycloak") | .id') > /dev/null
+
+# Create new plugin configuration
+curl -s -X POST $KONG_ADMIN_URL/plugins \
+  --data "name=jwt-keycloak" \
+  --data "config.allowed_iss=$KC_URL/auth/realms/$KC_REALM" \
+  --data "config.scope[]=email" \
+  --data "route.id=$(curl -s $KONG_ADMIN_URL/routes/example-route | jq -r '.id')"
+
+# Test with retry helper
+if ! retry_test_after_plugin_change "Test description" "200" "curl command"; then
+  exit 1
+fi
+```
+
+### Token Retrieval Pattern
+```bash
+TOKEN_ENDPOINT="$KC_URL/auth/realms/$KC_REALM/protocol/openid-connect/token"
+
+ACCESS_TOKEN=$(curl -s -X POST $TOKEN_ENDPOINT \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "client_id=$KC_CLIENT_ID" \
+  -d "client_secret=$KC_CLIENT_SECRET" \
+  -d "grant_type=client_credentials" | jq -r '.access_token')
+
+if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+  echo "❌ Failed to obtain access token"
+  exit 1
+fi
+```
+
+### Creating Test Tokens with Specific Algorithms
+
+#### Unsigned Token (none algorithm)
+```bash
+# Header: {"alg":"none","typ":"JWT"}
+NONE_HEADER=$(echo -n '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
+NONE_PAYLOAD=$(echo -n '{"iss":"http://keycloak/realm","sub":"test","exp":9999999999}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
+NONE_TOKEN="${NONE_HEADER}.${NONE_PAYLOAD}."
+```
+
+#### Unsupported Algorithm Token (HS256)
+```bash
+# Header: {"alg":"HS256","typ":"JWT"}
+HS256_HEADER=$(echo -n '{"alg":"HS256","typ":"JWT"}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
+HS256_PAYLOAD=$(echo -n '{"iss":"http://keycloak/realm","sub":"test","exp":9999999999}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
+HS256_SIGNATURE=$(echo -n "dummy_signature" | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')
+HS256_TOKEN="${HS256_HEADER}.${HS256_PAYLOAD}.${HS256_SIGNATURE}"
+```
+
+## Adding New Tests
+1. Create a new test file: `test_<feature>.sh`
+2. Source `_env.sh` for helper functions
+3. Add test execution to `run_tests.sh`
+4. Make the script executable: `chmod +x test_<feature>.sh`
+5. Document the test in this README
+
+**Example test structure:**
+```bash
+#!/bin/bash
+# SPDX-FileCopyrightText: 2025 Deutsche Telekom AG
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Source environment helpers
+if [ -f ./_env.sh ]; then
+    . ./_env.sh
+fi
+
+echo "🧪 Testing [feature name]..."
+
+# Your test logic here
+
+echo "✅ All [feature] tests passed"
+```
+
+## Troubleshooting
+
+### Tests Fail Intermittently
+- Kong may take time to apply plugin changes
+- Use `retry_test_after_plugin_change()` helper
+- Increase retry count or wait time in `_env.sh`
+
+### Services Not Ready
+- Increase timeout in `wait_for_kong()` or `wait_for_keycloak()`
+- Check service logs: `docker compose logs kong` or `docker compose logs kc`
+
+### Token Validation Fails
+- Verify Keycloak configuration in `configure_keycloak.sh`
+- Check that token's algorithm is supported (RS256/384/512 or ES256/384/512)
+- Inspect token: `echo $ACCESS_TOKEN | cut -d. -f2 | base64 -d | jq .`
+- Verify token's `alg` header matches a supported algorithm
+
+### Algorithm-Related Issues
+- The plugin automatically validates against all supported algorithms
+- `config.algorithm` parameter is deprecated and ignored
+- Supported algorithms: RS256, RS384, RS512, ES256, ES384, ES512
+- Any other algorithm (including 'none', HS256, etc.) will be rejected with 401
@@ -27,7 +27,6 @@ curl -i -X DELETE $KONG_ADMIN_URL/plugins/$(curl -s $KONG_ADMIN_URL/plugins | jq
 curl -i -X POST $KONG_ADMIN_URL/plugins \
   --data "name=jwt-keycloak" \
   --data "config.allowed_iss=$KC_URL/auth/realms/$KC_REALM" \
-  --data "config.algorithm=$KC_SIGNING_KEY_ALGORITHM" \
   --data "config.consumer_match_claim_custom_id=true" \
   --data "config.consumer_match=true" \
   --data "route.id=$(curl -s $KONG_ADMIN_URL/routes/example-route | jq -r '.id')"
@@ -65,12 +65,12 @@ else
     exit 1
 fi
 
-# Test 2: Test EC algorithms
-echo "🧪 Phase 2: Testing EC algorithms..."
-if [ -f ./test_ec_algorithms.sh ]; then
-    . ./test_ec_algorithms.sh
+# Test 2: Test algorithms (RSA and EC)
+echo "🧪 Phase 2: Testing algorithms..."
+if [ -f ./test_algorithms.sh ]; then
+    . ./test_algorithms.sh
 else
-    echo "Error: test_ec_algorithms.sh not found"
+    echo "Error: test_algorithms.sh not found"
     exit 1
 fi