Log output of plugin only showing 3 JWKS entries, even when JWKS endpoint has more than 3 entries #34

@hofmannmich

We have a JWKS endpoint showing 4 JWKS:

{
  "keys" : [ {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "xlBe7k71WwToWy4K1qk6wy-vm01MMaqD816eLEm8ngw",
    "alg" : "RS256",
    "n" : "0Y7jeXW-n2oQHM06kd4YfAGnQfF_es5uhH482Jagc1ogfgKl7SXMrRhq_gGmmOxYqBksRcexQGehNsmk3755AU_LgqpYEyAwTd6xjEGfSh5kppzjnT0gULCo8Ht31PuzMvzDpFkpEjMn4VEuEwvHEdFyo76sfbKaEHNWFnzRCE6KzX0IjfPUUbklAnnV5WQ6oYc4_R6_pqPdwkEfIGTuMswVNLYQBSZ1kzjHk3oCSPLBZVcf0EX0Ol7GKrs3CbWqrETMWiV9rtgaN8OUQmI12ftQkxpt7G-pth5U6A-56mXrjtaE09aDurxZB2kg2XJcg43yRXXnbqOu5sAlRmDZJQ"
  }, {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "6_o6_hIm6B-WlHLmidthaPCPRr1aaziC_tV-PD__Sqw",
    "alg" : "RS256",
    "n" : "nDjhPusvbFHAlJ8hW4YJxMxgp02Ep9DEPv-2kFrhJ93zJxdasEB-MvdD6ZTrwpegERFSfxrC5ruNwIdx7xAtXLneTdG5dpXvllcrXZp3tuuYQjdWOwsJfNU_pbAeHGeV24W2Db5UtnRxcIaMKcg3VhmAEENQgvSU6EgYgaS_TJiwOJK9bTJHKRPeFqGVfHq0m1XHTXzHhOjwOCb6uei2Bh-4UfaPFATU1rDBTRyF0PVdqPlkF_CIKnUOy4o9Dv-IdcVR_er_ODcmuws8TD4AZqyc3hdJYmHhovZqbBfnlfVtrt5YRw5XKZQYnXvkrHyWiFBf_Wge4IfgKuMmtwquxQ"
  }, {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "AdeAiNB6pzJdQKh_16M0x1EsQl-SJZbX44VRNIMFSX0",
    "alg" : "RS256",
    "n" : "7TMwIbuvK6_bq2QW6FQw796JWxwnQEUgxrDmMsj9YyGROhaEAbyVZSZlt0OzaHn4_DdkVPDmPsbfK9glDPj0flN2Q56j1jgohEp6Ek63KuX7zypLUfO3BWJHPUuM0Hja56GgFW_KlYge66kc_BvmZTVU1youpCxVk2Q2JkQw4wBvc_O7JNo9Wo0K6MGOCT30nyAD6YRy_KTdU1q1BzKZAIvtrkWQOnop3HFAvsPCrH7BsyqLj1xQOgbP8_MTFfwiDDxzol4lY3xGHXJsisP0xcuRyvZDwd2e1tMwiMO3UFWU8Qzeyjqv9aEeD6Hwya-C-Ihf6sHkdCq7oR5ld_IpUQ"
  }, {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "oO313Iz0ywhKul1OGRKYt38oOUv7LNrTG2vrL4hmHTf",
    "alg" : "RS256",
    "n" : "AJBsIB8JZnORDmP6rU5NxiXFCcQFh0Q6hstqHgRmmoakyQfEHFs_lQuI7_h9wDmurBfsdfVgpotmbiv2PA4sFVXMcbSGww9UQq62Vm6kiL0Yf5sSexX8aSzMfjvwermIAfo0XqukQwGZ3h8PLj-d41LjmVU9alKS1mjyEr0K6vByFvbzDln8s8QO0yq7TWelbddv4_CeolKEzhPi20V7zhvPOX4Q0cv3Hl7ELUESRI1Y0XHSKpZ7KuDyPK7YqR9VPnP9Z7xfCJ31qSltvKdQMBjfsySqgjjKVlkyzefi5OBvW8tmq6E-cEAxGg3KaqW2DevHgRyEIEb-gB6Kv5Xtv1E="
  } ]
}

When starting Traefik only 3 of these 4 entries are printed to log:

2025-03-08T12:55:28+01:00 ERR fetched openid-configuration from url:http://<myURL>/.well-known/openid-configuration module=github.com/agilezebra/jwt-middleware plugin=plugin-jwt runtime=
2025-03-08T12:55:28+01:00 ERR fetched key:UNtjNc7rfv3UhAfFkiZCPNI6VXiJxYbqshdcHpPQDBY from url:http://<myURL>/jwks module=github.com/agilezebra/jwt-middleware plugin=plugin-jwt runtime=
2025-03-08T12:55:28+01:00 ERR fetched key:iM2xxq6ruSvzf03WM9mOeahDtwJyBl45QinYDJFOHag from url:http://<myURL>/jwks module=github.com/agilezebra/jwt-middleware plugin=plugin-jwt runtime=
2025-03-08T12:55:28+01:00 ERR fetched key:hmQU7cHsSWyW-vWr4XqTnLnUMQ7Igd36Bae-IGW_nTo from url:http://<myURL>/jwks module=github.com/agilezebra/jwt-middleware plugin=plugin-jwt runtime=

<myURL> was changed by me (not allowed to show real names here).
The last one with "kid" : "oO313Iz0ywhKul1OGRKYt38oOUv7LNrTG2vrL4hmHTf" does not show up. The JWKS content was created with JOSE so I think the JWKS output should be correct.

As a consequence: JWT-Plugin blocks JWTs with this kid with 401.

I did not find a limitation to 3 in go-code of jwt-plugin, but I am not a go programmer....
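In the JWKS posted above, the fourth key's "n" ends in "=" and starts with "AJ" (a leading 0x00 octet), while RFC 7518 requires Base64urlUInt values to be unpadded and minimal-length. The following lint is an added example, not code from the plugin or the reporter; `LintJWKS`, `checkUInt` and the shortened sample values are constructed for illustration, and whether the plugin drops the key for this reason is not confirmed by the page.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample with shortened values; "kid-b" mimics a padded, zero-prefixed "n".
const sampleJWKS = `{"keys":[
 {"kty":"RSA","kid":"kid-a","e":"AQAB","n":"0Y7j"},
 {"kty":"RSA","kid":"kid-b","e":"AQAB","n":"AJBsIA=="}]}`

// encoding/json matches field names case-insensitively, so no tags are needed.
type jwk struct{ Kid, N, E string }

// checkUInt lists the ways a value deviates from Base64urlUInt (RFC 7518, section 2).
func checkUInt(name, v string) []string {
	var problems []string
	if strings.HasSuffix(v, "=") {
		problems = append(problems, name+": '=' padding present")
	}
	// Decode leniently (padding stripped) so the octets can still be inspected.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(v, "="))
	if err != nil {
		return append(problems, name+": not base64url: "+err.Error())
	}
	if len(raw) > 1 && raw[0] == 0 {
		problems = append(problems, name+": leading zero octet")
	}
	return problems
}

// LintJWKS maps each kid to its encoding problems; clean keys are omitted.
func LintJWKS(doc []byte) (map[string][]string, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, k := range set.Keys {
		if p := append(checkUInt("n", k.N), checkUInt("e", k.E)...); len(p) > 0 {
			out[k.Kid] = p
		}
	}
	return out, nil
}

func main() {
	fmt.Println(LintJWKS([]byte(sampleJWKS)))
}
```

Running the same function over the real endpoint's response shows which `kid` values a strict unpadded base64url decoder would refuse.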
