Add JWT verification filter with direct JWKS URL and claims validation

[ivan-digital]

Summary

The current jwtValidation filter discovers JWKS keys exclusively via .well-known/openid-configuration and only validates the sub claim. This makes it impossible to verify JWTs from services that don't expose a standard OIDC discovery endpoint or that require iss/aud validation.

A concrete use case is Google Chat bot webhooks, where requests are signed with a JWT that must be verified against a non-OIDC JWKS endpoint with specific claim requirements:

• JWKS URL: https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com
• iss must equal chat@system.gserviceaccount.com
• aud must equal the Google Cloud project number

Proposal

A new filter (e.g. jwtDirect) that accepts a JWKS URL directly and validates arbitrary claim key-value pairs:

jwtDirect(
    "https://www.googleapis.com/service_accounts/v1/jwk/chat@system.gserviceaccount.com",
    "iss", "chat@system.gserviceaccount.com",
    "aud", "123456789"
)

Behavior

• First argument: JWKS URL (fetched and cached, reusing the existing keyfunc library)
• Remaining arguments: key-value pairs for claim validation (all must match)
• Returns 401 on missing/invalid token or failed claim validation
• Stores validated claims in StateBag under oidcclaimscachekey for downstream filters (e.g. forwardToken, forwardTokenField)

Why not extend jwtValidation?

Changing the argument semantics of the existing filter would be a breaking change. A separate filter keeps the existing interface stable and makes the intent explicit.

Use cases

• Google Chat bot webhook verification
• Firebase/GCP service account JWT verification
• Any service that publishes a JWKS endpoint without full OIDC discovery
• Scenarios requiring iss/aud validation at the proxy layer