
Feature request: support multiple jwksURIs in JWT filter

Open yanickbelanger opened this issue 3 years ago • 1 comments

Please describe your use case / problem.

Our users are managed by 3 different Identity Providers, so JWT tokens are signed by 3 different authorization servers. Currently, the JWT filter configuration accepts only one jwksURI.

Describe the solution you'd like

Have the JWT filter support multiple jwksURIs, and make the JWT filter accept tokens if they're signed by one of the keys in any of those JWKS endpoints.

Example configuration:

apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: "example-jwt-filter"
  namespace: "example-namespace"
spec:
  JWT:
    jwksURIs:
    - "https://myIdp1.com/oauth2/v1/keys"
    - "https://myIdp2.com/oauth2/v1/keys"
    - "https://myIdp3.com/oauth2/v1/keys"
[...]

Describe alternatives you've considered

We've considered deploying a JWKS aggregator microservice, but we haven't found a serious product doing it. There are a few projects on GitHub, such as https://github.com/upgear/jwks-proxy (in Go), that we consider re-packaging in our own microservice, but it would be a lot simpler if Ambassador supported this out of the box.

yanickbelanger, Jun 30 '21 14:06
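The JWKS aggregator alternative mentioned in the issue, sketched as an added example (not code from the issue, from Ambassador, or from jwks-proxy). It covers only the merge step over already-fetched JWKS documents and goes slightly beyond the issue by stripping private key members and failing closed on `kid` collisions; `MergeJWKS` and `privateMembers` are hypothetical names, and the sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// privateMembers are JWK fields carrying private or symmetric key material (RFC 7518).
var privateMembers = []string{"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

type jwks struct{ Keys []map[string]any `json:"keys"` }

// MergeJWKS combines JWKS documents into one set, failing closed on ambiguity.
func MergeJWKS(docs ...[]byte) ([]byte, error) {
	merged := jwks{Keys: []map[string]any{}}
	seen := map[string]map[string]any{}
	for i, doc := range docs {
		var set jwks
		if err := json.Unmarshal(doc, &set); err != nil {
			return nil, fmt.Errorf("source %d: %w", i, err)
		}
		for _, key := range set.Keys {
			for _, m := range privateMembers {
				delete(key, m) // never republish private material
			}
			kid, _ := key["kid"].(string)
			if kid == "" {
				return nil, fmt.Errorf("source %d: key without kid", i)
			}
			if prev, dup := seen[kid]; dup {
				if !reflect.DeepEqual(prev, key) {
					return nil, fmt.Errorf("source %d: kid %q collides with a different key", i, kid)
				}
				continue // identical key published by two sources
			}
			seen[kid] = key
			merged.Keys = append(merged.Keys, key)
		}
	}
	return json.Marshal(merged)
}

func main() {
	// Constructed sample documents; the key values are placeholders, not real keys.
	idp1 := []byte(`{"keys":[{"kty":"RSA","kid":"idp1-a","n":"AAAA","e":"AQAB"}]}`)
	idp2 := []byte(`{"keys":[{"kty":"RSA","kid":"idp2-a","n":"BBBB","e":"AQAB","d":"CCCC"}]}`)
	out, err := MergeJWKS(idp1, idp2)
	fmt.Println(string(out), err)
}
```

A merged set no longer records which IdP published which key, so the consumer should still validate each token's `iss` and `aud` claims rather than rely on signature verification alone.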

I don't know if this is still relevant, but you could create three different Filters, each containing one of your JWKS URIs, and then reference all of them in your corresponding FilterPolicy (.spec.rules[].filters[] is a list). This is how I solved this.

jaynis, Jun 21 '22 13:06