test: remove kty-based key matching and simplify algorithm validation

Removes key type (kty) field from key metadata tracking and eliminates kty-based key matching logic. Simplifies algorithm validation to only check explicit alg field matches when present. Updates test descriptions to reflect that keys match when no alg is specified rather than matching by kty. Removes PS256 algorithm test and kid-optional integration test notes that are now covered by unit tests.

Author: chrisingenhaag

spec/01-unit/validators/signature_spec.lua

@@ -28,7 +28,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     local public_keys = {
       keys = { "KEY_FOR_RS256" },
       kids = { "kid1" },
-      key_metadata = { { alg = "RS256", use = "sig", kty = "RSA" } }
+      key_metadata = { { alg = "RS256", use = "sig" } }
     }
 
     local err = signature_validator.validate_signature_with_kid({}, jwt, public_keys)
@@ -45,8 +45,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "key1", "key2" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        { alg = "RS256", use = "sig", kty = "RSA" },
-        { alg = "RS256", use = "sig", kty = "RSA" }
+        { alg = "RS256", use = "sig" },
+        { alg = "RS256", use = "sig" }
       }
     }
 
@@ -65,7 +65,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     local public_keys = {
       keys = { "key1" },
       kids = { "kid1" },
-      key_metadata = { { alg = "ES256", use = "sig", kty = "EC" } }
+      key_metadata = { { alg = "ES256", use = "sig" } }
     }
 
     local err = signature_validator.validate_signature_with_kid({}, jwt, public_keys)
@@ -92,7 +92,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.equals("Unable to find public key for token kid", err.message)
   end)
 
-  it("should reject when kid is not found in public keys", function()
+  it("should reject when kid is not found in public keys and no match by alg is found", function()
     local jwt = {
       header = { alg = "RS256", kid = "kidX" },
     }
@@ -154,7 +154,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.equals("Invalid token signature", err.message)
   end)
 
-  it("should match key by kty when kid is missing (EC key)", function()
+  it("should match any key when kid is missing and no alg specified", function()
     local jwt = {
       header = { alg = "ES256" },
       verify_signature = function(self, key)
@@ -166,8 +166,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "RSA_KEY", "EC_KEY" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        { kty = "RSA" },
-        { kty = "EC" }
+        {},
+        {}
       }
     }
 
@@ -188,8 +188,8 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "ENC_KEY", "SIG_KEY" },
       kids = { "kid1", "kid2" },
       key_metadata = {
-        { alg = "RS256", use = "enc", kty = "RSA" },
-        { alg = "RS256", use = "sig", kty = "RSA" }
+        { alg = "RS256", use = "enc" },
+        { alg = "RS256", use = "sig" }
       }
     }
 
@@ -198,7 +198,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.is_nil(err)
   end)
 
-  it("should match when metadata has no alg but kty matches", function()
+  it("should match when metadata has no alg specified", function()
     local jwt = {
       header = { alg = "RS256" },
       verify_signature = function(self, key)
@@ -210,7 +210,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "RSA_KEY" },
       kids = { "kid1" },
       key_metadata = {
-        { kty = "RSA" }  -- no alg specified
+        {}  -- no alg specified
       }
     }
 
@@ -231,7 +231,7 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
       keys = { "KEY_FOR_RS256" },
       kids = { "kid1" },
       key_metadata = {
-        { alg = "RS256", use = "sig", kty = "RSA" }
+        { alg = "RS256", use = "sig" }
       }
     }
 
@@ -276,25 +276,4 @@ describe("Plugin: jwt-keycloak (signature validator)", function()
     assert.equals(401, err.status)
     assert.equals("No public keys available", err.message)
   end)
-
-  it("should support PS256 (RSA-PSS) algorithm matching", function()
-    local jwt = {
-      header = { alg = "PS256" },
-      verify_signature = function(self, key)
-        return key == "RSA_PSS_KEY"
-      end
-    }
-
-    local public_keys = {
-      keys = { "RSA_PSS_KEY" },
-      kids = { "kid1" },
-      key_metadata = {
-        { kty = "RSA" }
-      }
-    }
-
-    local err = signature_validator.validate_signature_with_kid({}, jwt, public_keys)
-
-    assert.is_nil(err)
-  end)
 end)

src/keycloak_keys.lua

@@ -69,8 +69,7 @@ local function get_issuer_keys(well_known_endpoint)
         -- Store metadata for fallback key selection when kid is absent
         key_metadata[i] = {
             alg = key.alg,
-            use = key.use,
-            kty = key.kty
+            use = key.use
         }
     end
 

src/validators/signature.lua

@@ -17,25 +17,11 @@ local function key_matches_algorithm(key_metadata, jwt_alg)
   end
 
   -- If key has alg specified, it must match JWT alg
-  if key_metadata.alg and key_metadata.alg ~= jwt_alg then
-    return false
-  end
-
-  -- Check kty matches algorithm family
-  if jwt_alg then
-    if jwt_alg:sub(1, 2) == "RS" or jwt_alg:sub(1, 2) == "PS" then
-      -- RSA algorithms
-      if key_metadata.kty and key_metadata.kty ~= "RSA" then
-        return false
-      end
-    elseif jwt_alg:sub(1, 2) == "ES" then
-      -- ECDSA algorithms
-      if key_metadata.kty and key_metadata.kty ~= "EC" then
-        return false
-      end
-    end
+  if key_metadata.alg then
+    return key_metadata.alg == jwt_alg
   end
 
+  -- No alg specified on key, accept it
   return true
 end
 
@@ -49,7 +35,7 @@ end
 --   public_keys - table with fields:
 --                   keys = { <decoded_key1>, <decoded_key2>, ... }
 --                   kids = { "kid1", "kid2", ... }
---                   key_metadata = { {alg=..., use=..., kty=...}, ... }
+--                   key_metadata = { {alg=..., use=...}, ... }
 --
 -- Returns:
 --   nil on success (signature valid)

tests/test_kid_optional.sh

@@ -51,19 +51,4 @@ if ! retry_test_after_plugin_change "Token with kid validation" "200" \
 fi
 echo "✅ Test 1 passed: Token with kid works"
 
-# Note: Creating a token without kid requires:
-# 1. Either modifying Keycloak configuration to not include kid
-# 2. Or creating a custom JWT with a valid signature from the JWKS
-# 3. Or using a test issuer that doesn't include kid
-
-echo ""
-echo "📝 Note: To fully test kid-optional behavior:"
-echo "   - Configure Keycloak to issue tokens without kid, or"
-echo "   - Create custom test tokens signed with JWKS keys but without kid header"
-echo "   - When JWKS has a single key, tokens without kid should validate"
-echo "   - When JWKS has multiple keys of the same type, tokens without kid should be rejected"
-
-echo ""
-echo "✅ Kid-optional infrastructure is in place"
-echo "✅ Unit tests verify the kid-optional logic thoroughly"
-echo "✅ Integration tests confirm existing behavior (with kid) still works"
+echo "⚠️ The test for kid-optional JWT validation is only covered in unit tests / spec validation"