
fix: support tokens with multiple audiences and validate issuers#8780

Merged
carodewig merged 13 commits into dev from caroline/rh-1215
Jan 5, 2026


Conversation

@carodewig
Contributor

@carodewig carodewig commented Dec 22, 2025

When issuers or audiences is included in the router's JWK configuration, the router will check each request's JWT for iss or aud and reject requests with mismatches.

Expected behavior:

  • If present, the iss claim must be specified as a string.
    • ✅ the JWK's issuers is empty
    • ✅ the iss is a string and is present in the JWK's issuers
    • ✅ the iss is null
    • ❌ the iss is a string but is not present in the JWK's issuers
    • ❌ the iss is not a string or null
  • If present, the aud claim can be specified as either a string or an array of strings.
    • ✅ the JWK's audiences is empty
    • ✅ the aud is a string and is present in the JWK's audiences
    • ✅ the aud is an array of strings and at least one of those strings is present in the JWK's audiences
    • ❌ the aud is not a string or array of strings (i.e. null)

Behavior prior to this change:

  • If the iss was not null or a string, it would be permitted (regardless of its value)
  • If the aud was an array, it would be rejected (regardless of its value)

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

  • PR description explains the motivation for the change and relevant context for reviewing
  • PR description links appropriate GitHub/Jira tickets (creating when necessary)
  • Changeset is included for user-facing changes
  • Changes are compatible1
  • Documentation2 completed
  • Performance impact assessed and acceptable
  • Metrics and logs are added3 and documented
  • Tests added and passing4
    • Unit tests
    • Integration tests
    • Manual tests, as necessary

Exceptions

Note any exceptions here

Notes

Footnotes

  1. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this.

  2. Configuration is an important part of many changes. Where applicable please try to document configuration examples.

  3. A lot of (if not most) features benefit from built-in observability and debug-level logs. Please read this guidance on metrics best-practices.

  4. Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions.
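The acceptance rules in the description above, written out as an added, stand-alone illustration in Python. This is not Apollo Router code (the router is written in Rust and decodes claims from a verified JWT); the configured issuer and audience sets, the sample payloads, and the helper names are all constructed for the example. The `legacy_validate_claims` function reproduces the two behaviours the description lists under "prior to this change" so the difference is visible side by side.

```python
"""Issuer / audience checks for decoded JWT claims, following the rules in the
PR description.  Added illustration, not Apollo Router code.  The config sets,
claim payloads and function names below are constructed for the example, and
the payload is assumed to come from a token whose signature was already
verified (these checks never replace signature verification)."""
import json


class ClaimError(ValueError):
    """Raised when a claim is malformed or does not match router config."""


def check_issuer(claims, issuers):
    """Return the accepted iss value (or None), or raise ClaimError.

    Rules: no configured issuers -> skip; iss absent/null -> accept;
    iss a string -> must be in the configured set; any other type -> reject."""
    if not issuers:
        return None
    iss = claims.get("iss")
    if iss is None:
        return None
    if not isinstance(iss, str):
        raise ClaimError(f"iss must be a string, got {type(iss).__name__}")
    if iss not in issuers:
        raise ClaimError(f"issuer {iss!r} not in configured issuers")
    return iss


def check_audience(claims, audiences):
    """Return the list of aud values that matched config, or raise ClaimError.

    Rules: no configured audiences -> skip; aud a string or a non-empty array
    of strings -> at least one must be in the configured set; anything else
    (missing, null, number, mixed-type array) -> reject."""
    if not audiences:
        return []
    aud = claims.get("aud")
    if isinstance(aud, str):
        candidates = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        candidates = aud
    else:
        raise ClaimError("aud must be a string or an array of strings")
    matched = [a for a in candidates if a in audiences]
    if not matched:
        raise ClaimError(f"no audience in {candidates!r} is configured")
    return matched


def validate_claims(payload_json, issuers, audiences):
    """Parse a (signature-verified) JWT payload and apply both checks."""
    claims = json.loads(payload_json)
    if not isinstance(claims, dict):
        raise ClaimError("JWT payload must be a JSON object")
    return {"iss": check_issuer(claims, issuers),
            "aud": check_audience(claims, audiences)}


def legacy_validate_claims(payload_json, issuers, audiences):
    """Behaviour described as 'prior to this change': a non-string iss is
    accepted without being checked, and an array-valued aud is always rejected."""
    claims = json.loads(payload_json)
    if issuers:
        iss = claims.get("iss")
        if isinstance(iss, str) and iss not in issuers:
            raise ClaimError("issuer mismatch")
    if audiences:
        aud = claims.get("aud")
        if not isinstance(aud, str) or aud not in audiences:
            raise ClaimError("audience mismatch")
    return True


# Constructed router-side configuration (hypothetical values).
ISSUERS = {"https://issuer.example.com"}
AUDIENCES = {"router-api", "admin-api"}

# Constructed sample payloads: decoded JWT bodies, not real tokens.
SAMPLES = {
    "multi_aud":  '{"iss":"https://issuer.example.com","aud":["billing-api","router-api"],"sub":"u1"}',
    "single_aud": '{"iss":"https://issuer.example.com","aud":"admin-api"}',
    "no_iss":     '{"aud":"router-api"}',
    "bad_iss":    '{"iss":["https://issuer.example.com"],"aud":"router-api"}',
    "wrong_iss":  '{"iss":"https://evil.example.com","aud":"router-api"}',
    "no_aud":     '{"iss":"https://issuer.example.com"}',
    "mixed_aud":  '{"iss":"https://issuer.example.com","aud":["router-api",42]}',
}


def outcome(validator, name):
    """Run one validator on one sample; 'accepted' or the rejection reason."""
    try:
        validator(SAMPLES[name], ISSUERS, AUDIENCES)
        return "accepted"
    except ClaimError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:11} new={outcome(validate_claims, name):48} "
              f"legacy={outcome(legacy_validate_claims, name)}")
```

Running the block prints one row per sample. The two rows worth looking at are `multi_aud` (rejected by the legacy logic, accepted by the new logic because `router-api` is configured) and `bad_iss` (an array-valued `iss`, accepted by the legacy logic because it never looked at non-string values, rejected by the new logic).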

@carodewig carodewig requested a review from a team December 22, 2025 17:59
@carodewig carodewig requested a review from a team as a code owner December 22, 2025 17:59

@apollo-librarian

apollo-librarian bot commented Dec 22, 2025

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 1 changed, 0 removed
* graphos/routing/(latest)/security/jwt.mdx

Build ID: 132268896269090523d8cd39
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/132268896269090523d8cd39

@carodewig carodewig merged commit 9365b06 into dev Jan 5, 2026
15 checks passed
@carodewig carodewig deleted the caroline/rh-1215 branch January 5, 2026 20:43
@abernix abernix mentioned this pull request Jan 27, 2026

Labels

None yet

Projects

None yet

2 participants