JWT Authentication Without KID: Router Feature Request

Aug 14, 2025 by Natalie Brooks 55 views

Router - Allow JWT Authentication Without KID

Introduction

Hey guys! Today, we're diving into a crucial feature request for the WunderGraph Cosmo router: allowing authentication of JWT tokens even when they don't have a Key ID (KID). This is super important because, as it stands, the router throws an error when it encounters these tokens. We'll break down the problem, explore the proposed solution, and see how it can make our lives as developers a whole lot easier. So, let's jump right in!

The Problem: JWT Tokens Without KID

The Issue Explained

When dealing with JWT (JSON Web Token) authentication, the Key ID (KID) is a header parameter that specifies which key was used to sign the token. This is particularly important when you're using a JWKS (JSON Web Key Set) endpoint, which contains multiple public keys. The KID helps the system quickly identify the correct key to verify the token's signature. However, sometimes, tokens are issued without a KID.

In these cases, the current implementation of the WunderGraph Cosmo router falters. The error message failed keyfunc: could not find kid in JWT header is a clear indicator that the router’s keyfunc library—specifically, the one from MicahParks/keyfunc—doesn’t support tokens lacking a KID. This limitation is documented in MicahParks/keyfunc#127. For us, this means any service issuing tokens without a KID will be unable to authenticate through our WunderGraph setup, which is a major roadblock.

Configuration Context

To give you a clearer picture, here’s the relevant part of a config.yaml configuration that triggers this issue:

authentication:
 jwt:
 jwks:
 - url: "https://xxx.com/auth/realms/xxxx/protocol/openid-connect/certs"
 refresh_interval: 1m

This configuration tells the router to fetch the JWKS from the specified URL and refresh it every minute. When a token without a KID arrives, the router tries to match the KID against the keys in the JWKS, fails, and throws the error. This is a common scenario, especially when dealing with certain identity providers or legacy systems that might not always include the KID in the token header.

Example Token and JWKS

To illustrate the problem further, let’s consider an example JWT token:

eyJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiakRkbDdSUXdVT24xVE5hX0NtTi1vdyIsInN1YiI6InVzZXItc3ViamVjdC0xMjM0NTMxIiwiYXVkIjoiZGVmYXVsdCIsImlzcyI6Imh0dHBzOi8vd3d3LmNlcnRpZmljYXRpb24ub3BlbmlkLm5ldC90ZXN0LzJvNGhZdDU3UU1zTmx4UC8iLCJleHAiOjE3MjYxMTkyNjksImlhdCI6MTcyNjExODk2OX0.DAIgDtaglNDTnU8QC-UmqARiO0QG1EzxIo1Krv_EUv9ZHYj5qG1rVrlWPTkhqO0Azw3j3_jK4J1h9VvzeH6_AxtCs-dV9wLBDL_gogDywh-skYYZ_WihvLeSmfHoP-fl8NQxZRJ118Nu3EOcxor85RaeKp3FrTpEqOG94yhgSZ-4mN-jJlN_e1jSetE76gRVlsEp_UP4l6c3DXXZ4-d7y5NqO1Rv93KpFwiC22CBy9Iu2lOkqfPIF4aHdjBxgN8BZGMysWO0DbSqE3fLFD51FzP5NkNvveqV3XPLI9eLMyK7kWswLIcgeFtL7xkv8krw4TLBUBcugcLfgcGAZdtc-w

This token, while valid, doesn't include a KID in its header. When the router tries to validate it against the following JWKS, it encounters the aforementioned error:

{
 "keys": [
 {
 "kty": "RSA",
 "e": "AQAB",
 "use": "sig",
 "n": "uukX5Yo8pM4nFFSQ4ZdinfAnm2cxPDnEeMgTW39Mn_WBUUuP9OkxgJEfCc-_le963N36bpv14fb830eBS2Weld7UhYQQFx48bhBd6OY8NRZJV7Dg1Ub0YdXwfgKPkdbBZLbCpu3FK_KY5aXJKn8nTY-64s37fl91AOlYB2Q-0Q2D1NweRsH-mP5RV9gMG6q5tNhLmbCfDiL2vV2KVMUq2LsoGKF-f5ZzmVlHGy6UDgkC3BH0N7o5nJh_0iyXBieORtFb6TPP3pw-ER9QSLVhLfTUrnXTlhqyAsToaHXstX66JJaZQ_WjqCtiKhLr22809OPOE59g6TKHp6d2ea-saw"
 },
 {
 "kty": "EC",
 "use": "sig",
 "crv": "P-256",
 "x": "4u93KgJZgf1ISOCLSEXTq4GKrwM7hdnkP2m1eQsnHaY",
 "y": "xs1zTvc3yyCIGeWq3poV-T9DqqteP4d5CVTc04qJna0"
 },
 {
 "kty": "EC",
 "use": "sig",
 "crv": "secp256k1",
 "x": "76uOYhPihVpUp2OodREkQZD3pyGKeEzAefzuWGyAPxg",
 "y": "y54_2iPVOUScCYsG81_H-dD-ToSeR8_z0U9aKNkC6Ug"
 },
 {
 "kty": "OKP",
 "use": "sig",
 "crv": "Ed25519",
 "x": "Lf5MH_DJG5UfEDyi5g9VPZ6OAFzhsXUU7qiItvJgpcM"
 },
 {
 "kty": "RSA",
 "e": "AQAB",
 "use": "enc",
 "kid": "371cd27d-a43d-43df-aee0-1de48680307f",
 "alg": "RSA-OAEP",
 "n": "xHudfO1LjEUCx-cpvm4d9bIYRnjuW5lEQSpN0OgvwgDjeu1tludfUGd6hvvH8Qyhtti_GTdz2g5x5Iq3hSd9vcv-VlYR18PHTFuaGisxXwPyqG6qnxL6KizuyXMrkLHXkCP-e_gSN-CTcy7jdGNiYsafnkvSaY87Y_bk4B-tHnmiy750NYpMszp2su64BtzD-qFRkfcFawWbbtOIq1iIyCvE3eMg4Phu5GTK3JQLC-iKTl-yRNN_vUd0CvpBRud6X7JuxGCwV_n2yUy5PTYMJwYWEeDoZu55l2VCVK9vDddDVEp72V3mrrq1DMXMNAD_zCbQjV2iJJFFLsVMa4JYLw"
 },
 {
 "kty": "EC",
 "use": "enc",
 "crv": "P-256",
 "kid": "487710c5-e29f-4f8b-a97e-1f9505c756e6",
 "x": "JuU4Z3N1v6bMyk_a3f1D9_xYbEoysjcEZxFJbfCvkvk",
 "y": "OxuXJZY0dxCRPw6_BAGmmUrK0n6kO5OVep258M5I59Q",
 "alg": "ECDH-ES"
 }
 ]
}

This JWKS contains several keys, but without a KID in the token, the router can't figure out which one to use for validation. This is where the feature request comes into play.

Proposed Solution: Authenticating JWT Tokens Without KID

Leveraging jwt.VerificationKeySet

The suggested solution revolves around leveraging the jwt.VerificationKeySet feature introduced in version 3.5.0 of the MicahParks/keyfunc library. This feature provides a way to return all keys for JWT signature verification. Essentially, it allows the router to consider all available keys in the JWKS when a KID is missing.

The Logic Behind the Solution

The core idea is that if a KID is absent, the router should attempt to identify the correct key by using other available information. One approach is to use the kty (Key Type) and use (intended use of the key, e.g., signing or encryption) parameters from the JWKS entries. Here’s how it could work:

Check for KID: The router first checks if the JWT header contains a KID.
If KID is Present: If a KID is present, the router proceeds with the standard key lookup process, matching the KID against the keys in the JWKS.
If KID is Missing: If the KID is missing, the router uses the jwt.VerificationKeySet to fetch all keys. It then examines the token’s header to determine the signing algorithm (e.g., RS256) and the intended use of the key (e.g., signature verification).
Key Matching: Using the algorithm and usage, the router iterates through the keys in the JWKS, looking for a key that matches the token's requirements. For example, if the token uses the RS256 algorithm for signing, the router will look for an RSA key with the use parameter set to sig.
Token Validation: Once a matching key is found, the router uses it to validate the token's signature.

Code Implementation (Conceptual)

While the exact code implementation would depend on the specifics of the WunderGraph Cosmo router, here’s a conceptual snippet illustrating how this might work:

import (
 "context"
 "fmt"
 "github.com/MicahParks/keyfunc"
 "github.com/golang-jwt/jwt/v5"
)

func validateToken(tokenString string, jwksURL string) (bool, error) {
 ctx := context.Background()
 jwks, err := keyfunc.Get(jwksURL, keyfunc.Options{}) 
 if err != nil {
 return false, fmt.Errorf("failed to get JWKS: %w", err)
 }

 token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
 if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
 return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 }

 if kid, ok := token.Header["kid"].(string); ok {
 return jwks.Key(ctx, kid)
 }

 // If no KID, use VerificationKeySet to get all keys
 keyset := jwks.VerificationKeySet()
 if len(keyset) == 0 {
 return nil, fmt.Errorf("no keys found in JWKS")
 }

 // Iterate through keys and find a matching key based on algorithm and usage
 for _, key := range keyset {
 if key.Algorithm == token.Method.Alg() && key.Use == "sig" {
 return key.Key, nil
 }
 }

 return nil, fmt.Errorf("no matching key found for token without KID")
 })

 if err != nil {
 return false, fmt.Errorf("failed to parse token: %w", err)
 }

 if !token.Valid {
 return false, fmt.Errorf("invalid token")
 }

 return true, nil
}

This is a simplified example, but it captures the essence of the solution. The validateToken function first tries to fetch the key using the KID, if present. If not, it retrieves all keys using jwks.VerificationKeySet() and attempts to find a key that matches the token's signing algorithm and intended use.

Benefits of This Approach

Compatibility: This solution ensures compatibility with a broader range of JWT providers, including those that may not include a KID in their tokens.
Flexibility: It provides a more flexible authentication mechanism, accommodating different token formats.
Security: By still validating the token's signature, it maintains a high level of security, ensuring that only valid tokens are accepted.

Alternatives Considered

As of now, no specific alternatives have been discussed in detail. The focus is primarily on implementing the proposed solution using jwt.VerificationKeySet. However, alternative approaches might include:

Token Transformation: Modifying tokens at the issuer to include a KID. This might not always be feasible, especially when dealing with third-party identity providers.
Custom Key Resolution Logic: Implementing a more complex key resolution logic that considers additional token header parameters or custom claims. This could add complexity and might not be necessary if the jwt.VerificationKeySet approach works well.

Additional Context and Use Cases

Real-World Scenarios

The need to authenticate JWT tokens without a KID isn't just a theoretical concern. In real-world scenarios, it’s quite common. For instance:

Legacy Systems: Many older identity providers or authentication services might not include the KID in their tokens. Migrating these systems or updating them to include the KID can be a significant undertaking.
Interoperability: When integrating with various services and platforms, you might encounter tokens with different formats. Some services might omit the KID for various reasons, such as performance considerations or simply adhering to a different standard.
Simplified Setups: In certain simplified setups, particularly during development or testing, tokens might be issued without a KID to streamline the process.

Impact on WunderGraph Users

For WunderGraph users, this feature is crucial because it directly impacts the ability to authenticate users across different services. If the router can't handle tokens without a KID, it creates a significant barrier to adoption, especially in environments where diverse authentication setups are common. By implementing this feature, WunderGraph can cater to a broader audience and provide a more seamless authentication experience.

The Bigger Picture

In the grand scheme of things, allowing JWT authentication without a KID is about making systems more adaptable and resilient. It’s about accommodating the realities of diverse ecosystems and ensuring that authentication isn’t a bottleneck. For WunderGraph, it’s a step towards becoming a more versatile and user-friendly platform.

Conclusion

In conclusion, the ability to authenticate JWT tokens without a KID is a vital feature for the WunderGraph Cosmo router. It addresses a real-world problem, aligns with modern authentication practices, and enhances the platform’s flexibility and usability. By leveraging the jwt.VerificationKeySet feature, the router can handle a broader range of tokens, ensuring seamless authentication across various services and identity providers. This improvement will not only make developers' lives easier but also strengthen the overall security and adaptability of WunderGraph deployments. So, here’s hoping this feature gets implemented soon! Let me know what you guys think in the comments below!