This repository was archived by the owner on Apr 16, 2026. It is now read-only.
add the missing ASB sessionjwt edge-case coverage for expiration, signing method, tampering, and required-claim variants
expand OIDC verifier coverage for empty subject-prefix config, expiration, future nbf, and wrong signing algorithm
harden the OIDC verifier to reject signing methods that do not match the configured public-key type
Why
asb#61 calls out missing security-sensitive coverage around session JWT validation and OIDC attestation verification. The issue text is partially stale because sessionjwt already had a baseline test file, but the high-risk edge cases were still uncovered, and the OIDC verifier did not explicitly pin signing methods to the configured key type.
Validation
repo commit hook
gofmt on staged files
golangci-lint
go test ./...
focused reruns during development
go test ./internal/authn/oidc ./internal/crypto/sessionjwt -count=1
GOTOOLCHAIN=go1.26.0 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.3 run ./internal/authn/... ./internal/crypto/sessionjwt
git diff --check
Scope
This is a first bounded slice of asb#61. It covers the verifier and session-token security tests only; the durable audit sink, Helm chart, connector hardening, and remaining test gaps stay out of scope for this PR.
Medium Risk
Touches token verification logic in an authentication-critical path by adding signing-method restrictions; behavior changes could reject previously-accepted tokens if key/alg configuration is inconsistent.
Overview
Hardens OIDC JWT attestation verification by rejecting tokens whose alg does not match the public-key type returned by Keyfunc (Ed25519/RSA/ECDSA), preventing algorithm/key-type confusion.
Expands security-focused tests for both internal/authn/oidc and internal/crypto/sessionjwt to cover subject-prefix behavior when unset, expiration and nbf validation failures, unexpected signing methods, missing required claims, and tampered signatures (plus small test refactors via shared helpers).
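To make the signing-method pinning concrete, here is an added example (not code from this repository or its OIDC verifier) of a minimal compact-JWS verifier that derives the one permitted alg from the configured public-key type and refuses anything else before the signature is examined, then applies the same exp, nbf and required-claim checks the PR adds tests for. It uses only the Go standard library, covers Ed25519 and RSA (ECDSA would add a case returning "ES256" and verify a raw r||s signature), and the function names, claim names and sample values are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// expectedAlg returns the only JWS "alg" a verifier holding this key type may
// accept, so a header that says HS256 or "none" is refused before any signature check.
func expectedAlg(key crypto.PublicKey) (string, error) {
	switch key.(type) {
	case ed25519.PublicKey:
		return "EdDSA", nil
	case *rsa.PublicKey:
		return "RS256", nil
	default:
		return "", fmt.Errorf("unsupported key type %T", key)
	}
}

// VerifyCompact validates a compact JWS (header.payload.signature) with key and returns
// its claims: alg must equal expectedAlg(key), the signature must verify, then exp/nbf/sub.
func VerifyCompact(token string, key crypto.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, errH := dec(parts[0])
	payloadRaw, errP := dec(parts[1])
	sig, errS := dec(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("malformed token encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	want, err := expectedAlg(key)
	if err != nil {
		return nil, err
	}
	if hdr.Alg != want {
		return nil, fmt.Errorf("unexpected signing method %q, want %q", hdr.Alg, want)
	}
	input := []byte(parts[0] + "." + parts[1])
	ok := false
	switch k := key.(type) {
	case ed25519.PublicKey:
		ok = ed25519.Verify(k, input, sig)
	case *rsa.PublicKey:
		digest := sha256.Sum256(input)
		ok = rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	}
	if !ok {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if err := json.Unmarshal(payloadRaw, &claims); err != nil {
		return nil, err
	}
	exp, hasExp := claims["exp"].(float64) // JSON numbers decode as float64
	sub, _ := claims["sub"].(string)
	if !hasExp || sub == "" {
		return nil, errors.New("missing required claim (exp, sub)")
	}
	if now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	if nbf, has := claims["nbf"].(float64); has && now.Unix() < int64(nbf) {
		return nil, errors.New("token not yet valid (nbf)")
	}
	return claims, nil
}

// signEd25519 builds a compact JWS for tests. The header alg is a parameter so a test
// can produce a correctly signed token whose header advertises the wrong method.
func signEd25519(priv ed25519.PrivateKey, alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	input := enc(hdr) + "." + enc(body)
	return input + "." + enc(ed25519.Sign(priv, []byte(input)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key
	claims := map[string]any{"sub": "workload-1", "exp": time.Now().Add(time.Hour).Unix()}
	_, err := VerifyCompact(signEd25519(priv, "HS256", claims), pub, time.Now())
	fmt.Println("HS256 header on Ed25519 key:", err) // rejected by alg pinning
}
```

The ordering matters: the alg check consults only the configured key, never the token header, so a mismatched header fails closed even when the bytes in the signature field happen to be valid for some other interpretation. Tests for a verifier like this should cover each rejection path separately (wrong alg, tampered payload, expired, future nbf, missing claim), which is the shape of coverage this PR adds.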
Reviewed by Cursor Bugbot for commit cee26c3.