wundergraph · SkArchon · Jul 23, 2025 · Jul 23, 2025 · Jul 23, 2025 · Jul 23, 2025
diff --git a/router-tests/authentication_test.go b/router-tests/authentication_test.go
diff --git a/router-tests/header_set_test.go b/router-tests/header_set_test.go
@@ -265,11 +265,16 @@ func TestHeaderSetWithExpression(t *testing.T) {
 
 		t.Cleanup(authServer.Close)
 
-		tokenDecoder, err := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+		opts := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), opts)
 		require.NoError(t, err)
 
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)

diff --git a/router-tests/modules/set_scopes_test.go b/router-tests/modules/set_scopes_test.go
@@ -29,12 +29,20 @@ func configureAuth(t *testing.T) ([]authentication.Authenticator, *jwks.Server)
 	authServer, err := jwks.NewServer(t)
 	require.NoError(t, err)
 	t.Cleanup(authServer.Close)
-	tokenDecoder, _ := authentication.NewJwksTokenDecoder(integration.NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{
-		{
-			URL:             authServer.JWKSURL(),
-			RefreshInterval: time.Second * 5,
+
+	jwksConfig := authentication.JWKSTokenDecoderConfig{
+		Logger: zap.NewNop(),
+		JWKSConfigs: []authentication.JWKSConfig{
+			{
+				URL:               authServer.JWKSURL(),
+				RefreshInterval:   time.Second * 5,
+				AllowedAlgorithms: integration.BaseJWKSAlgorithms,
+			},
 		},
-	})
+		AllowInsecureJWKSURLs: true,
+	}
+	tokenDecoder, err := authentication.NewJWKSTokenDecoder(integration.NewContextWithCancel(t), jwksConfig)
+	require.NoError(t, err)
 	authOptions := authentication.HttpHeaderAuthenticatorOptions{
 		Name:         jwksName,
 		TokenDecoder: tokenDecoder,

diff --git a/router-tests/ratelimit_test.go b/router-tests/ratelimit_test.go
@@ -256,12 +256,20 @@ func TestRateLimit(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{
-			{
-				URL:             authServer.JWKSURL(),
-				RefreshInterval: time.Second * 5,
+
+		opts := authentication.JWKSTokenDecoderConfig{
+			Logger: zap.NewNop(),
+			JWKSConfigs: []authentication.JWKSConfig{
+				{
+					URL:               authServer.JWKSURL(),
+					RefreshInterval:   time.Second * 5,
+					AllowedAlgorithms: BaseJWKSAlgorithms,
+				},
 			},
-		})
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), opts)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
 			Name:         "my-jwks-server",
 			TokenDecoder: tokenDecoder,

diff --git a/router-tests/utils.go b/router-tests/utils.go
@@ -16,9 +16,22 @@ import (
 )
 
 const (
-	JwksName = "my-jwks-server"
+	JWKSName = "my-jwks-server"
 )
 
+var BaseJWKSAlgorithms = []string{
+	"RS256",
+	"RS384",
+	"RS512",
+	"ES256",
+	"ES384",
+	"ES512",
+	"PS256",
+	"PS384",
+	"PS512",
+	"EdDSA",
+}
+
 // NewContextWithCancel creates a new context with a cancel function that is called when the test is done.
 func NewContextWithCancel(t *testing.T) context.Context {
 	ctx, cancel := context.WithCancel(context.Background())
@@ -46,22 +59,29 @@ func ConfigureAuth(t *testing.T) ([]authentication.Authenticator, *jwks.Server)
 	authServer, err := jwks.NewServer(t)
 	require.NoError(t, err)
 	t.Cleanup(authServer.Close)
-	authenticators := ConfigureAuthWithJwksConfig(t, []authentication.JWKSConfig{
+
+	authenticators := ConfigureAuthWithJWKSConfig(t, []authentication.JWKSConfig{
 		{
-			URL:             authServer.JWKSURL(),
-			RefreshInterval: time.Second * 5,
+			URL:               authServer.JWKSURL(),
+			RefreshInterval:   time.Second * 5,
+			AllowedAlgorithms: BaseJWKSAlgorithms,
 		},
 	})
 
 	return authenticators, authServer
 }
 
-func ConfigureAuthWithJwksConfig(t *testing.T, jwksConfig []authentication.JWKSConfig) []authentication.Authenticator {
-	tokenDecoder, err := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), jwksConfig)
+func ConfigureAuthWithJWKSConfig(t *testing.T, jwksConfig []authentication.JWKSConfig) []authentication.Authenticator {
+	opts := authentication.JWKSTokenDecoderConfig{
+		Logger:                zap.NewNop(),
+		JWKSConfigs:           jwksConfig,
+		AllowInsecureJWKSURLs: true,
+	}
+	tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), opts)
 	require.NoError(t, err)
 
 	authOptions := authentication.HttpHeaderAuthenticatorOptions{
-		Name:         JwksName,
+		Name:         JWKSName,
 		TokenDecoder: tokenDecoder,
 	}
 	authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)

diff --git a/router-tests/websocket_test.go b/router-tests/websocket_test.go
@@ -126,9 +126,16 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
@@ -175,9 +182,16 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
@@ -224,9 +238,16 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
@@ -283,9 +304,16 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
@@ -341,7 +369,14 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.WebsocketInitialPayloadAuthenticatorOptions{
 			TokenDecoder: tokenDecoder,
 			Key:          "Authorization",
@@ -403,7 +438,13 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.WebsocketInitialPayloadAuthenticatorOptions{
 			TokenDecoder: tokenDecoder,
 			Key:          "Authorization",
@@ -452,7 +493,13 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.WebsocketInitialPayloadAuthenticatorOptions{
 			TokenDecoder: tokenDecoder,
 			Key:          "Authorization",
@@ -853,9 +900,15 @@ func TestWebSockets(t *testing.T) {
 		authServer, err := jwks.NewServer(t)
 		require.NoError(t, err)
 		t.Cleanup(authServer.Close)
-		tokenDecoder, _ := authentication.NewJwksTokenDecoder(NewContextWithCancel(t), zap.NewNop(), []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)})
+		jwksConfig := authentication.JWKSTokenDecoderConfig{
+			Logger:                zap.NewNop(),
+			JWKSConfigs:           []authentication.JWKSConfig{toJWKSConfig(authServer.JWKSURL(), time.Second*5)},
+			AllowInsecureJWKSURLs: true,
+		}
+		tokenDecoder, err := authentication.NewJWKSTokenDecoder(NewContextWithCancel(t), jwksConfig)
+		require.NoError(t, err)
 		authOptions := authentication.HttpHeaderAuthenticatorOptions{
-			Name:         JwksName,
+			Name:         JWKSName,
 			TokenDecoder: tokenDecoder,
 		}
 		authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)

diff --git a/router/core/supervisor_instance.go b/router/core/supervisor_instance.go
@@ -3,9 +3,6 @@ package core
 import (
 	"context"
 	"fmt"
-	"net/http"
-	"os"
-
 	"github.com/KimMachineGun/automemlimit/memlimit"
 	"github.com/dustin/go-humanize"
 	"github.com/wundergraph/cosmo/router/pkg/authentication"
@@ -15,6 +12,8 @@ import (
 	"github.com/wundergraph/cosmo/router/pkg/logging"
 	"go.uber.org/automaxprocs/maxprocs"
 	"go.uber.org/zap"
+	"net/http"
+	"os"
 )
 
 // newRouter creates a new router instance.
@@ -264,7 +263,12 @@ func setupAuthenticators(ctx context.Context, logger *zap.Logger, cfg *config.Co
 		})
 	}
 
-	tokenDecoder, err := authentication.NewJwksTokenDecoder(ctx, logger, configs)
+	decoderConfig := authentication.JWKSTokenDecoderConfig{
+		Logger:                logger,
+		JWKSConfigs:           configs,
+		AllowInsecureJWKSURLs: jwtConf.AllowInsecureJWKSUrls,
+	}
+	tokenDecoder, err := authentication.NewJWKSTokenDecoder(ctx, decoderConfig)
 	if err != nil {
 		return nil, err
 	}

diff --git a/router/pkg/authentication/authentication.go b/router/pkg/authentication/authentication.go
@@ -79,6 +79,8 @@ func (a *authentication) Scopes() []string {
 
 var errUnacceptableAud = errors.New("audience match not found")
 
+var errNoAlgorithmsSpecified = errors.New("algorithms not specified")
+
 // Authenticate tries to authenticate the given Provider using the given authenticators. If any of
 // the authenticators succeeds, the Authentication result is returned with no error. If the Provider
 // has no authentication information, the Authentication result is nil with no error. If the authentication

diff --git a/router/pkg/authentication/jwks_token_decoder.go b/router/pkg/authentication/jwks_token_decoder.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/MicahParks/jwkset"
@@ -58,18 +59,39 @@ type audKey struct {
 
 type audienceSet map[string]struct{}
 
-func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKSConfig) (TokenDecoder, error) {
-	audiencesMap := make(map[audKey]audienceSet, len(configs))
-	keyFuncMap := make(map[audKey]keyfunc.Keyfunc, len(configs))
+type JWKSTokenDecoderConfig struct {
+	Logger                *zap.Logger
+	JWKSConfigs           []JWKSConfig
+	AllowInsecureJWKSURLs bool
+}
+
+func NewJWKSTokenDecoder(ctx context.Context, config JWKSTokenDecoderConfig) (TokenDecoder, error) {
+	audiencesMap := make(map[audKey]audienceSet, len(config.JWKSConfigs))
+	keyFuncMap := make(map[audKey]keyfunc.Keyfunc, len(config.JWKSConfigs))
 
-	for _, c := range configs {
+	for _, c := range config.JWKSConfigs {
 		if c.URL != "" {
 			key := audKey{url: c.URL}
 			if _, ok := audiencesMap[key]; ok {
 				return nil, fmt.Errorf("duplicate JWK URL found: %s", c.URL)
 			}
 
-			l := logger.With(zap.String("url", c.URL))
+			if !config.AllowInsecureJWKSURLs {
+				uri, err := url.ParseRequestURI(c.URL)
+				if err != nil {
+					return nil, fmt.Errorf("failed to parse given URL %q: %w", c.URL, err)
+				}
+				if uri.Scheme != "https" {
+					return nil, fmt.Errorf("insecure JWK URL %q is not allowed", c.URL)
+				}
+			}
+
+			l := config.Logger.With(zap.String("url", c.URL))
+
+			newValidationStore, err := NewValidationStore(config.Logger, nil, c.AllowedAlgorithms)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create validation store: %w", err)
+			}
 
 			jwksetHTTPStorageOptions := jwkset.HTTPClientStorageOptions{
 				Client:             newOIDCDiscoveryClient(httpclient.NewRetryableHTTPClient(l)),
@@ -81,7 +103,7 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 					l.Error("Failed to refresh HTTP JWK Set from remote HTTP resource.", zap.Error(err))
 				},
 				RefreshInterval: c.RefreshInterval,
-				Storage:         NewValidationStore(logger, nil, c.AllowedAlgorithms),
+				Storage:         newValidationStore,
 			}
 
 			store, err := jwkset.NewStorageFromHTTP(c.URL, jwksetHTTPStorageOptions)
@@ -117,7 +139,7 @@ func NewJwksTokenDecoder(ctx context.Context, logger *zap.Logger, configs []JWKS
 				Private: true,
 			}
 			if len(c.Secret) < 32 {
-				logger.Warn("Using a short secret for JWKs may lead to weak security. Consider using a longer secret.")
+				config.Logger.Warn("Using a short secret for JWKs may lead to weak security. Consider using a longer secret.")
 			}
 
 			alg := jwkset.ALG(c.Algorithm)