feat: add jwtValidationKeys filter for JWT validation with direct JWKS URL (#3922)

## Summary

- Add new `jwtValidationKeys` filter that verifies JWT Bearer tokens
using a JWKS URL directly, without requiring OIDC discovery via
`.well-known/openid-configuration`
- Reuses existing `jwtValidationFilter` — the new spec only provides an
alternative entry point that skips OIDC discovery
- Claims validation delegated to `oidcClaimsQuery` as per existing
convention
- Registered alongside `jwtValidation` in skipper.go

## Motivation

The existing `jwtValidation` filter only supports JWKS discovery via
`.well-known/openid-configuration`. Services like Google Chat bots sign
webhook requests with JWTs but publish their public keys at non-standard
JWKS endpoints without OIDC discovery support, making it impossible to
verify these tokens with the current filter.

## Usage

```
jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
-> oidcClaimsQuery("/:@_:iss==\"chat@system.gserviceaccount.com\"")
-> oidcClaimsQuery("/:@_:aud==\"123456789\"")
```

Closes #3921

## Test plan

- [x] Spec validation (missing args, too many args, non-string args)
- [x] Valid token, expired token, missing sub claim
- [x] Missing/empty/malformed Bearer tokens
- [x] Algorithm none rejected
- [x] Existing jwtValidation tests still pass

---------

Signed-off-by: ivan-digital <root@ivan.digital>
Co-authored-by: ivan-digital <root@ivan.digital>

Author: ivan-digital

docs/reference/filters.md

@@ -1681,6 +1681,30 @@ Examples:
 jwtValidation("https://login.microsoftonline.com/{tenantId}/v2.0")
 ```
 
+#### jwtValidationKeys
+
+The filter works like [jwtValidation](#jwtvalidation) but takes a JWKS URL directly instead of
+discovering it via `/.well-known/openid-configuration`. This is useful for services that publish
+JWKS keys at non-standard endpoints, such as Google Chat service accounts.
+Unlike `jwtValidation`, the `sub` claim is not required — tokens without `sub` are accepted.
+
+The filter stores token claims into the state bag where they can be used by [oidcClaimsQuery](#oidcclaimsquery), [forwardToken](#forwardtoken) or [forwardTokenField](#forwardtokenfield) filters.
+
+Examples:
+
+```
+jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
+```
+
+To also validate specific claims like `iss` or `aud`, chain with [oidcClaimsQuery](#oidcclaimsquery).
+Note that queries within a single `oidcClaimsQuery` argument are OR-matched, so use separate filters for AND logic:
+
+```
+jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
+-> oidcClaimsQuery("/:@_:iss==\"chat@system.gserviceaccount.com\"")
+-> oidcClaimsQuery("/:@_:aud==\"123456789\"")
+```
+
 #### jwtMetrics
 
 > This filter is experimental and may change in the future, please see tests for example usage.

filters/auth/jwt_validation.go

@@ -21,8 +21,11 @@ type (
 		options TokenintrospectionOptions
 	}
 
+	jwtValidationKeysSpec struct{}
+
 	jwtValidationFilter struct {
-		jwksUri string
+		jwksUri    string
+		requireSub bool
 	}
 )
 
@@ -69,7 +72,8 @@ func (s *jwtValidationSpec) CreateFilter(args []interface{}) (filters.Filter, er
 	}
 
 	f := &jwtValidationFilter{
-		jwksUri: cfg.JwksURI,
+		jwksUri:    cfg.JwksURI,
+		requireSub: true,
 	}
 
 	return f, nil
@@ -146,18 +150,65 @@ func (f *jwtValidationFilter) Request(ctx filters.FilterContext) {
 	}
 
 	sub, ok := info.Claims["sub"].(string)
-	if !ok {
-		unauthorized(ctx, sub, invalidSub, "", "")
-		return
+	if !ok || sub == "" {
+		if f.requireSub {
+			unauthorized(ctx, "", invalidSub, "", "")
+			return
+		}
+		sub = AuthUnknown
+		info.Claims["sub"] = sub
 	}
 
+	info.Subject = sub
 	authorized(ctx, sub)
 
 	ctx.StateBag()[oidcClaimsCacheKey] = info
 }
 
 func (f *jwtValidationFilter) Response(filters.FilterContext) {}
 
+// NewJwtValidationKeys creates a filter spec for JWT validation using a direct JWKS URL.
+//
+// Unlike jwtValidation which discovers JWKS via .well-known/openid-configuration,
+// this filter takes the JWKS URL directly. This is useful for services that publish
+// JWKS keys at non-standard endpoints (e.g. Google Chat service accounts).
+//
+// The filter stores token claims into the state bag where they can be used by
+// oidcClaimsQuery, forwardToken or forwardTokenField filters.
+//
+// Usage:
+//
+//	jwtValidationKeys("https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com")
+func NewJwtValidationKeys() filters.Spec {
+	return &jwtValidationKeysSpec{}
+}
+
+func (s *jwtValidationKeysSpec) Name() string {
+	return filters.JwtValidationKeysName
+}
+
+func (s *jwtValidationKeysSpec) CreateFilter(args []interface{}) (filters.Filter, error) {
+	if len(args) != 1 {
+		return nil, filters.ErrInvalidFilterParameters
+	}
+
+	sargs, err := getStrings(args)
+	if err != nil {
+		return nil, err
+	}
+
+	jwksURL := sargs[0]
+
+	if err := registerKeyFunction(jwksURL); err != nil {
+		return nil, err
+	}
+
+	return &jwtValidationFilter{
+		jwksUri:    jwksURL,
+		requireSub: false,
+	}, nil
+}
+
 func parseToken(token string, jwksUri string) (map[string]interface{}, error) {
 	jwks := getKeyFunction(jwksUri)
 

filters/auth/jwt_validation_test.go

@@ -146,6 +146,136 @@ func TestJWTValidation(t *testing.T) {
 	}
 }
 
+func createTokenWithKey(t *testing.T, key *rsa.PrivateKey, claims jwt.MapClaims) string {
+	t.Helper()
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	token.Header["kid"] = kid
+
+	s, err := token.SignedString(key)
+	if err != nil {
+		t.Fatalf("Failed to sign token: %v", err)
+	}
+	return s
+}
+
+func setupJWKSServer(t *testing.T, key *rsa.PrivateKey) *httptest.Server {
+	t.Helper()
+
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, `{"keys":[{"kty":"RSA", "alg":"RS256", "kid": "%s", "n":"%s","e":"AQAB"}]}`,
+			kid, base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()))
+	}))
+}
+
+func TestJwtValidationKeysSpec(t *testing.T) {
+	spec := NewJwtValidationKeys()
+
+	if spec.Name() != filters.JwtValidationKeysName {
+		t.Errorf("unexpected name: %s", spec.Name())
+	}
+
+	// No arguments
+	_, err := spec.CreateFilter([]interface{}{})
+	if err == nil {
+		t.Error("expected error with no arguments")
+	}
+
+	// Too many arguments
+	_, err = spec.CreateFilter([]interface{}{"url1", "url2"})
+	if err == nil {
+		t.Error("expected error with too many arguments")
+	}
+
+	// Non-string argument
+	_, err = spec.CreateFilter([]interface{}{123})
+	if err == nil {
+		t.Error("expected error with non-string argument")
+	}
+}
+
+func TestJwtValidationKeys(t *testing.T) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	jwksServer := setupJWKSServer(t, key)
+	defer jwksServer.Close()
+
+	cli := net.NewClient(net.Options{
+		IdleConnTimeout: 2 * time.Second,
+	})
+	defer cli.Close()
+
+	backend := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
+	defer backend.Close()
+
+	spec := NewJwtValidationKeys()
+	fr := make(filters.Registry)
+	fr.Register(spec)
+
+	r := &eskip.Route{
+		Filters: []*eskip.Filter{{Name: spec.Name(), Args: []interface{}{jwksServer.URL}}},
+		Backend: backend.URL,
+	}
+
+	proxy := proxytest.New(fr, r)
+	defer proxy.Close()
+
+	for _, ti := range []struct {
+		name     string
+		auth     string
+		expected int
+	}{{
+		name:     "valid token",
+		auth:     authHeaderPrefix + createTokenWithKey(t, key, jwt.MapClaims{"sub": "user1", "exp": jwt.NewNumericDate(time.Now().Add(time.Hour)).Unix()}),
+		expected: http.StatusOK,
+	}, {
+		name:     "expired token",
+		auth:     authHeaderPrefix + createTokenWithKey(t, key, jwt.MapClaims{"sub": "user1", "exp": jwt.NewNumericDate(time.Now().Add(-time.Hour)).Unix()}),
+		expected: http.StatusUnauthorized,
+	}, {
+		name:     "missing sub claim accepted",
+		auth:     authHeaderPrefix + createTokenWithKey(t, key, jwt.MapClaims{"iss": "test", "exp": jwt.NewNumericDate(time.Now().Add(time.Hour)).Unix()}),
+		expected: http.StatusOK,
+	}, {
+		name:     "no authorization header",
+		auth:     "",
+		expected: http.StatusUnauthorized,
+	}, {
+		name:     "empty bearer token",
+		auth:     authHeaderPrefix,
+		expected: http.StatusUnauthorized,
+	}, {
+		name:     "invalid token format",
+		auth:     authHeaderPrefix + "not-a-jwt",
+		expected: http.StatusUnauthorized,
+	}, {
+		name:     "algorithm none rejected",
+		auth:     authHeaderPrefix + createToken(t, jwt.SigningMethodNone),
+		expected: http.StatusUnauthorized,
+	}} {
+		t.Run(ti.name, func(t *testing.T) {
+			reqURL, _ := url.Parse(proxy.URL)
+			req, _ := http.NewRequest("GET", reqURL.String(), nil)
+			if ti.auth != "" {
+				req.Header.Set(authHeaderName, ti.auth)
+			}
+
+			rsp, err := cli.Do(req)
+			if err != nil {
+				t.Fatalf("failed to get response: %v", err)
+			}
+			defer rsp.Body.Close()
+
+			if rsp.StatusCode != ti.expected {
+				t.Errorf("unexpected status code: %v != %v", rsp.StatusCode, ti.expected)
+			}
+		})
+	}
+}
+
 func TestJWTValidationJwksError(t *testing.T) {
 	testOidcConfig := getTestOidcConfig()
 

filters/filters.go

@@ -315,6 +315,7 @@ const (
 	GrantLogoutName                            = "grantLogout"
 	GrantClaimsQueryName                       = "grantClaimsQuery"
 	JwtValidationName                          = "jwtValidation"
+	JwtValidationKeysName                      = "jwtValidationKeys"
 	JwtMetricsName                             = "jwtMetrics"
 	OAuthOidcUserInfoName                      = "oauthOidcUserInfo"
 	OAuthOidcAnyClaimsName                     = "oauthOidcAnyClaims"

skipper.go

@@ -1875,6 +1875,7 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error {
 		auth.NewBearerInjector(sp),
 		auth.NewSetRequestHeaderFromSecret(sp),
 		auth.NewJwtValidationWithOptions(tio),
+		auth.NewJwtValidationKeys(),
 		auth.NewJwtMetrics(),
 		auth.TokenintrospectionWithOptions(auth.NewOAuthTokenintrospectionAnyClaims, tio),
 		auth.TokenintrospectionWithOptions(auth.NewOAuthTokenintrospectionAllClaims, tio),