
JWT key ID (kid) validation does not enforce matching key #45

@stanleykc


Summary

During security testing, it was discovered that the server validates JWT signatures against all configured keys regardless of the kid (key ID) in the token header. Tokens with an unknown or mismatched kid are accepted if the signature matches any configured key.

Current Behavior

  1. Token is created with kid: "unknown-key-id-12345" in the header
  2. Token is signed with the primary key
  3. Server accepts the token because it validates against all keys, ignoring the kid header

Expected Behavior

When a token includes a kid header, the server should:

  1. Look up the key with that specific kid
  2. Validate the signature only against that key
  3. Reject the token if the kid doesn't match any known key

Security Impact

Medium: This behavior means:

  • Attackers cannot exploit this to bypass authentication (signatures are still validated)
  • However, it reduces the effectiveness of key rotation
  • If a key is compromised and rotated out, old tokens might still validate if signed with a remaining key

Technical Details

  • Location: JWT signature validation in JsonWebKeysProvider / Micronaut Security
  • Test Reference: SecurityEdgeCasesTest.tokenWithUnknownKeyId_documentsKeyIdBehavior()
  • Current Implementation: Server tries all keys from the JWK set

Suggested Fix

Configure Micronaut's JWT signature validation to:

  1. Use the kid header to select the appropriate key
  2. Fall back to trying all keys only if kid is not present
  3. Reject tokens with unknown kid values
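As an added illustration (not code from the project or from Micronaut Security), a minimal HS256 verifier in Python that contrasts the current try-every-key behaviour with the suggested kid-based selection. The key set and key IDs are constructed for the demo, and symmetric HS256 stands in for the JWK set purely to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key set; in the real service these come from the JWK set.
KEYS = {"primary-2024": b"primary-secret-key", "old-2023": b"rotated-secret-key"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict, key: bytes, kid):
    """Build a compact HS256 JWT; kid=None omits the header entirely."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), h + "." + p, b64url_decode(s)


def _hs256_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_lenient(token: str, keys: dict) -> bool:
    """Current behaviour from the issue: try every key and ignore kid."""
    header, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False
    return any(_hs256_ok(k, signing_input, sig) for k in keys.values())


def verify_strict(token: str, keys: dict) -> bool:
    """Suggested fix: kid selects the key, unknown kid is rejected,
    and only a token without kid falls back to trying all keys."""
    header, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False
    kid = header.get("kid")
    if kid is None:
        return any(_hs256_ok(k, signing_input, sig) for k in keys.values())
    key = keys.get(kid)
    return key is not None and _hs256_ok(key, signing_input, sig)
```

The token from the "Current Behavior" steps (unknown kid, signed with the primary key) passes `verify_lenient` and fails `verify_strict`, which also rejects a token whose kid names one key while its signature was made with another.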

Labels

  • security
  • enhancement
