esistfarouk opened a new pull request, #13379: URL: https://github.com/apache/apisix/pull/13379
# Description

### Summary

Currently, the `jwt-auth` plugin strictly searches for the `key_claim_name` (used to identify the Consumer) within the **JWT Payload**. However, many identity providers and standard JWT implementations place the Key ID (`kid`) or issuer (`iss`) solely in the **JWT Header**.

This PR enhances the plugin to look for the claim in both the **Payload** and the **Header**, ensuring broader compatibility with standard OIDC and third-party JWT providers.

### Why this is needed

In many security architectures, the **Header** contains the metadata required to identify which key or secret should be used to verify the signature. By restricting the lookup to the Payload, APISIX currently forces developers to either:

1. **Non-standardly duplicate** the `kid` into the Payload.
2. **Write custom serverless functions** or modify core code to handle standard JWTs.

This change makes the `jwt-auth` plugin more robust and "plug-and-play" for modern authentication flows.

### Changes

- **Plugin Logic:** Modified `find_consumer` in `apisix/plugins/jwt-auth.lua`.
- **Fallback Mechanism:** Updated the `user_key` lookup to check the JWT Header if the claim is missing from the Payload.
- **Backward Compatibility:** Maintained existing behavior by prioritizing the Payload if the claim exists in both locations.

### Verification Results

- [x] **Test Case 1:** JWT with `kid` in Header only (HS512) -> **Passed** (Consumer identified, Signature verified).
- [x] **Test Case 2:** JWT with claim in Payload only -> **Passed** (Backward compatibility confirmed).
- [x] **Test Case 3:** JWT with claim in both Header and Payload -> **Passed** (Payload prioritized).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
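The lookup order the PR describes (Payload first, Header as fallback) as an added Python example; this is not the plugin's Lua code. It assumes a constructed consumer table, the default claim name `key`, and HS256 only, and it shows the point a reviewer would check: the claim is read from an unverified segment, so it may only choose which consumer's secret to try, and the signature check under that secret is what actually authenticates the token.

```python
import base64
import hashlib
import hmac
import json

# Constructed consumer table standing in for the APISIX consumer store.
CONSUMERS = {
    "consumer-a": b"secret-a-0123456789abcdef",
    "consumer-b": b"secret-b-0123456789abcdef",
}
def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, payload: dict, secret: bytes) -> str:
    # HS256: the signature covers both encoded segments, header included.
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def resolve_user_key(header: dict, payload: dict, key_claim_name: str = "key"):
    # Payload first (existing behaviour), header only as a fallback (the PR).
    value = payload.get(key_claim_name)
    if value is None:
        value = header.get(key_claim_name)
    return value

def authenticate(token: str, key_claim_name: str = "key") -> tuple:
    # The claim is read before any verification, so it may only select which
    # consumer's secret to try; the HMAC check under that secret decides.
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:
        return None, "malformed token"
    if not (isinstance(header, dict) and isinstance(payload, dict)
            and header.get("alg") == "HS256"):
        return None, "unsupported token"
    user_key = resolve_user_key(header, payload, key_claim_name)
    secret = CONSUMERS.get(user_key) if isinstance(user_key, str) else None
    if secret is None:
        return None, "no consumer for key claim"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    return user_key, "ok"
```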
