Getting autentication error if JWT does not contain kid header

[hoegertn]

Describe the bug
When using a JWT guard with keys specified in the zilla config file and the request token does not contain the kid header authentication fails.

I assume the error is somewhere near:

zilla/runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardHandler.java

Line 145 in a5bf600

String kid = signature.getKeyIdHeaderValue();

As the kid seems to be used to look up the key without a fall back.

To Reproduce
Steps to reproduce the behavior:

1. Configure Zilla as described here: https://docs.aklivity.io/zilla/latest/reference/config/guards/jwt.html
2. Send a request with a JWT that does not contain a kid claim in the header
3. See error in Zilla verbose log "GUARD_JWT_AUTHORIZATION_FAILED JWT token authorization failed for identity (). Invalid alg or key."

Expected behavior
Zilla figures out an appropriate key from the guard config.

Zilla Environment:

Start CMD for docker container

CMD ["start", "-v", "-e", "-Pzilla.engine.verbose=true", "-Pzilla.engine.debug=true"]

Attach the zilla.yaml config file:

https://docs.aklivity.io/zilla/latest/reference/config/guards/jwt.html

Client Environment:

curl request with JWT

Additional context
N/A

[jfallows]

@hoegertn the jwt guard requires kid in JWT header per JWS spec, to identify which public key should be used to verify the JWT signature that was produced by the corresponding private key when the JWT is generated.

[hoegertn]

Ok understand. It would be great if the JWT guard could just work without that if only one key is provided in the keys array.

[jfallows]

@hoegertn understood - we recommend that you include a kid header in your JWT generation, and specify the same kid value in the keys of jwt guard in zilla.yaml.

[hoegertn]

Done, thanks. The same was true for audience and issuer. But now my auth errors are gone.

Thanks.