Jwks doesn't have key to match kid or alg from Jwt
Description:
When OIDC provider rotates the keys, Envoy fails to refetch the keys and returns the following error:
Jwks doesn't have key to match kid or alg from Jwt
Repro steps:
Create a security policy with JWKS using a provider that rotates keys (for example, Zitadel). Wait for the key to expire and try the route associated with the security policy.
Environment:
Envoy Gateway 1.1.0
Envoy 1.31.0
Notes:
The OpenID Connect spec specifies that the verifier should try to refetch the keys if it encounters an unknown key, see: https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
cc @zhaohuabing @denniskniep
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
If I understand correctly, this needs to be addressed in the Envoy jwt authn filter - the jwt authn filter needs to re-retrieve the keys when it sees an unfamiliar kid value.
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
@zhaohuabing Experiencing the same issue after key rollover, as the new kid is not in the envoy gateway cache. Any chance to implement the cacheDuration, asyncFetch from envoy core as the jwt authn filter issue got closed?
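An added example, not Envoy's or Envoy Gateway's code (Go is used because Envoy Gateway is written in Go): a small in-memory JWKS cache that does what the OIDC note in the issue body asks and what the cacheDuration/asyncFetch comment above is after. It refetches the key set when a token names a kid the cache does not know, but only once per minimum refetch interval, so a stream of tokens carrying bogus kids cannot turn the verifier into a request amplifier against the provider's JWKS endpoint. Every name here (Cache, Lookup, Fetcher, MinRefetch, Fetches) and the rotating provider stub are constructed for this example; in a real verifier kid and alg come from the token's JOSE header and the fetcher is an HTTP GET of the jwks_uri.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Key is a minimal stand-in for a JWK; only the fields the lookup needs are kept.
type Key struct {
	Kid string `json:"kid"`
	Alg string `json:"alg"`
}

// JWKS is the document served at the provider's jwks_uri.
type JWKS struct {
	Keys []Key `json:"keys"`
}

// Fetcher returns the provider's current key set: an HTTP GET in a real verifier,
// an in-memory stub in this example so it runs offline.
type Fetcher func() (JWKS, error)

var ErrNoMatchingKey = errors.New("jwks doesn't have key to match kid or alg from jwt")

// Cache serves keys from memory and, as OIDC Core 10.1.1 asks, refetches the JWKS
// when a token names a kid it does not know. MinRefetch bounds how often an
// unknown kid may trigger a fetch, so random kids cannot flood the provider.
type Cache struct {
	mu         sync.Mutex
	fetch      Fetcher
	keys       map[string]Key
	lastFetch  time.Time
	MinRefetch time.Duration
	Fetches    int              // upstream fetches so far, for tests and metrics
	Now        func() time.Time // injectable clock
}

func NewCache(f Fetcher, minRefetch time.Duration) *Cache {
	return &Cache{fetch: f, MinRefetch: minRefetch, Now: time.Now}
}

// refresh replaces the cached key set; the caller must hold c.mu.
func (c *Cache) refresh() error {
	set, err := c.fetch()
	if err != nil {
		return err
	}
	keys := make(map[string]Key, len(set.Keys))
	for _, k := range set.Keys {
		keys[k.Kid] = k
	}
	c.keys, c.lastFetch, c.Fetches = keys, c.Now(), c.Fetches+1
	return nil
}

// Lookup returns the key matching kid and alg, refetching at most once per
// MinRefetch window when the kid is absent from the cache.
func (c *Cache) Lookup(kid, alg string) (Key, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.keys == nil {
		if err := c.refresh(); err != nil {
			return Key{}, err
		}
	}
	k, ok := c.keys[kid]
	if !ok && c.Now().Sub(c.lastFetch) >= c.MinRefetch {
		if err := c.refresh(); err != nil {
			return Key{}, err
		}
		k, ok = c.keys[kid]
	}
	// A JWK without "alg" may serve any algorithm of its key type; one that
	// carries "alg" must match the token header exactly.
	if !ok || (k.Alg != "" && k.Alg != alg) {
		return Key{}, ErrNoMatchingKey
	}
	return k, nil
}

func main() {
	// Constructed provider stub that rotates its signing key from "k1" to "k2".
	current := JWKS{Keys: []Key{{Kid: "k1", Alg: "RS256"}}}
	c := NewCache(func() (JWKS, error) { return current, nil }, time.Minute)
	clock := time.Unix(0, 0) // fake clock so the cooldown is visible in the demo
	c.Now = func() time.Time { return clock }
	_, err := c.Lookup("k1", "RS256")
	fmt.Println("k1:", err, "fetches:", c.Fetches)
	current = JWKS{Keys: []Key{{Kid: "k2", Alg: "RS256"}}}
	clock = clock.Add(2 * time.Minute) // rotation lands well after the last fetch
	_, err = c.Lookup("k2", "RS256")
	fmt.Println("k2 after rotation:", err, "fetches:", c.Fetches)
	_, err = c.Lookup("bogus", "RS256")
	fmt.Println("unknown kid inside cooldown:", err, "fetches:", c.Fetches)
}
```

`go run` prints the three lookups: the first populates the cache, the second sees an unknown kid after rotation and refetches, and the third is refused without a fetch because the cooldown has not elapsed. A cache TTL alone (the cacheDuration idea) refreshes on a schedule but cannot react to an unexpected kid; the miss-triggered refetch covers that gap, and the cooldown is what keeps it safe to enable.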
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
Still relevant