Skip to content

feat: add kid-based signature validation with enhanced error handling #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chrisingenhaag merged 9 commits into from
Dec 12, 2025
Merged

feat: add kid-based signature validation with enhanced error handling #8

chrisingenhaag merged 9 commits into from
Dec 12, 2025
+729 −35

Conversation

@chrisingenhaag
Copy link
Member

@chrisingenhaag chrisingenhaag commented Dec 5, 2025
edited
Loading

  • add proper kid based single validation for the correct public key instead of trying all available public keys
  • if kid is missing, search for unique match of alg for validation
  • else fail

@chrisingenhaag
feat: add automatic key selection when kid header is absent
3ac1b91 
Implements fallback key selection based on JWT algorithm and key metadata when kid header is missing. Plugin now attempts to find a single unambiguous matching key by comparing JWT algorithm (RS256/384/512, PS256/384/512, ES256/384/512) with key metadata (alg, kty, use). Rejects tokens when multiple keys match or no matching key is found. Adds key_metadata tracking throughout the key retrieval chain and comprehensive test coverage for various
@chrisingenhaag
chore: add explicit docker network configuration for service isolation
11d8a71 
Defines kong-net bridge network and assigns all services to it for improved network isolation and DNS resolution. Adds diagnostic network connectivity test script that validates DNS resolution for kong, kc, and httpbin services during test initialization.
@chrisingenhaag
chore: add diagnostic logging to GitHub Actions test workflow
dd51044 
Adds Docker version information output and failure diagnostics that display container status and logs for kong, keycloak, and test services when tests fail. Improves troubleshooting capabilities for CI test failures.
@chrisingenhaag
fix: add signature validator module to rockspec build configuration
89ba8ec 
Registers the new validators.signature module in the rockspec build modules list and aligns formatting of validator module entries for consistency.
@chrisingenhaag
fix: set all fetching public keys security events to ua221
ec87c0a
@chrisingenhaag chrisingenhaag marked this pull request as ready for review December 11, 2025 07:24
luispflamminger
luispflamminger reviewed Dec 11, 2025
View reviewed changes
Copy link

@luispflamminger luispflamminger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a couple of comments, mostly for better understanding on my side :)

@chrisingenhaag @luispflamminger
Update src/handler.lua
7019567 
Co-authored-by: Luis Pflamminger <luis.pflamminger@gmail.com>
@chrisingenhaag
test: remove kty-based key matching and simplify algorithm validation
6873da0 
Removes key type (kty) field from key metadata tracking and eliminates kty-based key matching logic. Simplifies algorithm validation to only check explicit alg field matches when present. Updates test descriptions to reflect that keys match when no alg is specified rather than matching by kty. Removes PS256 algorithm test and kid-optional integration test notes that are now covered by unit tests.
@chrisingenhaag chrisingenhaag merged commit ae1023f into main Dec 12, 2025
26 checks passed
@chrisingenhaag chrisingenhaag deleted the fix/properValidation branch December 12, 2025 08:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luispflamminger luispflamminger luispflamminger approved these changes

Assignees

@chrisingenhaag chrisingenhaag

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chrisingenhaag @luispflamminger