formancehq
diff --git a/‎pkg/authn/jwt/auth.go‎
Lines changed: 31 additions & 32 deletions b/‎pkg/authn/jwt/auth.go‎
Lines changed: 31 additions & 32 deletions
diff --git a/‎pkg/authn/jwt/auth_test.go‎
Lines changed: 26 additions & 26 deletions b/‎pkg/authn/jwt/auth_test.go‎
Lines changed: 26 additions & 26 deletions
diff --git a/‎pkg/authn/jwt/flags.go‎
Lines changed: 19 additions & 2 deletions b/‎pkg/authn/jwt/flags.go‎
Lines changed: 19 additions & 2 deletions
@@ -10,31 +10,28 @@ import (
 )
 
 type JWTAuth struct {
-	issuer           string
+	keySets          map[string]oidc.KeySet // issuer -> keySet
 	checkScopes      bool
 	service          string
-	keySet           oidc.KeySet
 	additionalChecks []AdditionalCheck
 }
 
 func NewJWTAuth(
-	keySet oidc.KeySet,
-	issuer string,
+	keySets map[string]oidc.KeySet,
 	service string,
 	checkScopes bool,
 	additionalChecks []AdditionalCheck,
 ) *JWTAuth {
 	return &JWTAuth{
-		issuer:           issuer,
+		keySets:          keySets,
 		checkScopes:      checkScopes,
 		service:          service,
-		keySet:           keySet,
 		additionalChecks: additionalChecks,
 	}
 }
 
 func (ja *JWTAuth) authenticate(r *http.Request) (ControlPlaneAgent, error) {
-	claims, err := ClaimsFromRequest(r, ja.issuer, ja.keySet)
+	claims, err := ClaimsFromRequest(r, ja.keySets)
 	if err != nil {
 		return nil, err
 	}
@@ -77,44 +74,42 @@ var (
 	ErrMalformedHeader       = errors.New("malformed authorization header")
 )
 
-func ClaimsFromRequest(r *http.Request, expectedIssuer string, keySet oidc.KeySet) (*oidc.AccessTokenClaims, error) {
-	claims := &oidc.AccessTokenClaims{}
-	if err := claimsFromRequest(r, claims, keySet); err != nil {
-		return claims, err
-	}
-
-	if err := oidc.CheckIssuer(claims, expectedIssuer); err != nil {
-		return claims, err
-	}
-
-	if err := oidc.CheckExpiration(claims, 0); err != nil {
-		return claims, err
-	}
-
-	return claims, nil
-}
-
-func claimsFromRequest[CLAIMS any](r *http.Request, claims CLAIMS, keySet oidc.KeySet) error {
+func ClaimsFromRequest(r *http.Request, keySets map[string]oidc.KeySet) (*oidc.AccessTokenClaims, error) {
 	authHeader := r.Header.Get("authorization")
 	if authHeader == "" {
-		return ErrNoAuthorizationHeader
+		return nil, ErrNoAuthorizationHeader
 	}
 
 	if !strings.HasPrefix(authHeader, "bearer") &&
 		!strings.HasPrefix(authHeader, "Bearer") {
-		return ErrMalformedHeader
+		return nil, ErrMalformedHeader
 	}
 
 	token := authHeader[6:]
 	token = strings.TrimSpace(token)
 
+	claims := &oidc.AccessTokenClaims{}
 	decrypted, err := oidc.DecryptToken(token)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	payload, err := oidc.ParseToken(decrypted, &claims)
+	payload, err := oidc.ParseToken(decrypted, claims)
 	if err != nil {
-		return err
+		return nil, err
+	}
+
+	keySet, ok := keySets[claims.Issuer]
+	if !ok {
+		issuers := make([]string, 0, len(keySets))
+		for iss := range keySets {
+			issuers = append(issuers, iss)
+		}
+		return claims, fmt.Errorf(
+			"%w: got: %s, trusted: %v",
+			oidc.ErrIssuerInvalid,
+			claims.Issuer,
+			issuers,
+		)
 	}
 
 	if _, err = oidc.CheckSignature(
@@ -124,8 +119,12 @@ func claimsFromRequest[CLAIMS any](r *http.Request, claims CLAIMS, keySet oidc.K
 		[]string{}, // Default to RS256
 		keySet,
 	); err != nil {
-		return err
+		return claims, err
+	}
+
+	if err := oidc.CheckExpiration(claims, 0); err != nil {
+		return claims, err
 	}
 
-	return nil
+	return claims, nil
 }
@@ -151,7 +151,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		t.Parallel()
 		keySet, privateKey, issuer := setupTestKeySet(t)
 
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, []AdditionalCheck{})
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, []AdditionalCheck{})
 
 		// Create access token
 		token := createAccessToken(t, privateKey, issuer, "", []string{}, "test-user")
@@ -175,11 +175,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, []AdditionalCheck{}),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, []AdditionalCheck{}),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -206,11 +206,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -237,11 +237,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -267,11 +267,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -329,11 +329,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -364,11 +364,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -398,11 +398,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -433,11 +433,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -468,11 +468,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		}{
 			{
 				name: "JWTAuth",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),
 			},
 			{
 				name: "JWTAuth with additional checks",
-				auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),
+				auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),
 			},
 		}
 
@@ -516,7 +516,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 			},
 		}
 
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, autoFailingAdditionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoFailingAdditionalChecks)
 
 		// Create access token
 		token := createAccessToken(t, privateKey, issuer, "", []string{}, "test-user")
@@ -543,7 +543,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 			CheckOrganizationIDClaim(provider),
 		}
 
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", expectedOrgID)
@@ -566,7 +566,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		additionalChecks := []AdditionalCheck{
 			CheckOrganizationIDClaim(provider),
 		}
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")
@@ -590,7 +590,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		additionalChecks := []AdditionalCheck{
 			CheckOrganizationIDClaim(provider),
 		}
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "someotherorgid")
@@ -615,7 +615,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		additionalChecks := []AdditionalCheck{
 			CheckOrganizationIDClaim(provider),
 		}
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")
@@ -639,7 +639,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		additionalChecks := []AdditionalCheck{
 			CheckAudienceClaim(expectedAudience),
 		}
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")
@@ -663,7 +663,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {
 		additionalChecks := []AdditionalCheck{
 			CheckAudienceClaim(expectedAudience),
 		}
-		auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)
+		auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)
 
 		// Create access token
 		tokenAudience := expectedAudience
 
@@ -7,14 +7,16 @@ import (
 const (
 	AuthEnabledFlag              = "auth-enabled"
 	AuthIssuerFlag               = "auth-issuer"
+	AuthIssuersFlag              = "auth-issuers"
 	AuthReadKeySetMaxRetriesFlag = "auth-read-key-set-max-retries"
 	AuthCheckScopesFlag          = "auth-check-scopes"
 	AuthServiceFlag              = "auth-service"
 )
 
 func AddFlags(flags *flag.FlagSet) {
 	flags.Bool(AuthEnabledFlag, false, "Enable auth")
-	flags.String(AuthIssuerFlag, "", "Issuer")
+	flags.String(AuthIssuerFlag, "", "Issuer (single issuer, for backward compatibility)")
+	flags.StringSlice(AuthIssuersFlag, nil, "Trusted issuers (comma-separated, e.g. --auth-issuers=https://issuer1,https://issuer2)")
 	flags.Int(AuthReadKeySetMaxRetriesFlag, 10, "ReadKeySetMaxRetries")
 	flags.Bool(AuthCheckScopesFlag, false, "CheckScopes")
 	flags.String(AuthServiceFlag, "", "Service")
@@ -23,13 +25,28 @@ func AddFlags(flags *flag.FlagSet) {
 func ConfigFromFlags(flags *flag.FlagSet) Config {
 	authEnabled, _ := flags.GetBool(AuthEnabledFlag)
 	authIssuer, _ := flags.GetString(AuthIssuerFlag)
+	authIssuers, _ := flags.GetStringSlice(AuthIssuersFlag)
 	authReadKeySetMaxRetries, _ := flags.GetInt(AuthReadKeySetMaxRetriesFlag)
 	authCheckScopes, _ := flags.GetBool(AuthCheckScopesFlag)
 	authService, _ := flags.GetString(AuthServiceFlag)
 
+	// Merge --auth-issuer into --auth-issuers for backward compatibility
+	if authIssuer != "" {
+		found := false
+		for _, iss := range authIssuers {
+			if iss == authIssuer {
+				found = true
+				break
+			}
+		}
+		if !found {
+			authIssuers = append(authIssuers, authIssuer)
+		}
+	}
+
 	return Config{
 		Enabled:              authEnabled,
-		Issuer:               authIssuer,
+		Issuers:              authIssuers,
 		ReadKeySetMaxRetries: authReadKeySetMaxRetries,
 		CheckScopes:          authCheckScopes,
 		Service:              authService,
Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`151`	`151`	`t.Parallel()`
`152`	`152`	`keySet, privateKey, issuer := setupTestKeySet(t)`
`153`	`153`
`154`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, []AdditionalCheck{})`
	`154`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, []AdditionalCheck{})`
`155`	`155`
`156`	`156`	`// Create access token`
`157`	`157`	`token := createAccessToken(t, privateKey, issuer, "", []string{}, "test-user")`
`@@ -175,11 +175,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`175`	`175`	`}{`
`176`	`176`	`{`
`177`	`177`	`name: "JWTAuth",`
`178`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, []AdditionalCheck{}),`
	`178`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, []AdditionalCheck{}),`
`179`	`179`	`},`
`180`	`180`	`{`
`181`	`181`	`name: "JWTAuth with additional checks",`
`182`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),`
	`182`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),`
`183`	`183`	`},`
`184`	`184`	`}`
`185`	`185`
`@@ -206,11 +206,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`206`	`206`	`}{`
`207`	`207`	`{`
`208`	`208`	`name: "JWTAuth",`
`209`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),`
	`209`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),`
`210`	`210`	`},`
`211`	`211`	`{`
`212`	`212`	`name: "JWTAuth with additional checks",`
`213`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),`
	`213`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),`
`214`	`214`	`},`
`215`	`215`	`}`
`216`	`216`
`@@ -237,11 +237,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`237`	`237`	`}{`
`238`	`238`	`{`
`239`	`239`	`name: "JWTAuth",`
`240`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),`
	`240`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),`
`241`	`241`	`},`
`242`	`242`	`{`
`243`	`243`	`name: "JWTAuth with additional checks",`
`244`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),`
	`244`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),`
`245`	`245`	`},`
`246`	`246`	`}`
`247`	`247`
`@@ -267,11 +267,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`267`	`267`	`}{`
`268`	`268`	`{`
`269`	`269`	`name: "JWTAuth",`
`270`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),`
	`270`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),`
`271`	`271`	`},`
`272`	`272`	`{`
`273`	`273`	`name: "JWTAuth with additional checks",`
`274`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),`
	`274`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),`
`275`	`275`	`},`
`276`	`276`	`}`
`277`	`277`
`@@ -329,11 +329,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`329`	`329`	`}{`
`330`	`330`	`{`
`331`	`331`	`name: "JWTAuth",`
`332`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),`
	`332`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),`
`333`	`333`	`},`
`334`	`334`	`{`
`335`	`335`	`name: "JWTAuth with additional checks",`
`336`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),`
	`336`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),`
`337`	`337`	`},`
`338`	`338`	`}`
`339`	`339`
`@@ -364,11 +364,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`364`	`364`	`}{`
`365`	`365`	`{`
`366`	`366`	`name: "JWTAuth",`
`367`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),`
	`367`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),`
`368`	`368`	`},`
`369`	`369`	`{`
`370`	`370`	`name: "JWTAuth with additional checks",`
`371`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),`
	`371`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),`
`372`	`372`	`},`
`373`	`373`	`}`
`374`	`374`
`@@ -398,11 +398,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`398`	`398`	`}{`
`399`	`399`	`{`
`400`	`400`	`name: "JWTAuth",`
`401`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),`
	`401`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),`
`402`	`402`	`},`
`403`	`403`	`{`
`404`	`404`	`name: "JWTAuth with additional checks",`
`405`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),`
	`405`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),`
`406`	`406`	`},`
`407`	`407`	`}`
`408`	`408`
`@@ -433,11 +433,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`433`	`433`	`}{`
`434`	`434`	`{`
`435`	`435`	`name: "JWTAuth",`
`436`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, nil),`
	`436`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, nil),`
`437`	`437`	`},`
`438`	`438`	`{`
`439`	`439`	`name: "JWTAuth with additional checks",`
`440`		`- auth: NewJWTAuth(keySet, issuer, "test-service", true, autoPassingAdditionalChecks),`
	`440`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", true, autoPassingAdditionalChecks),`
`441`	`441`	`},`
`442`	`442`	`}`
`443`	`443`
`@@ -468,11 +468,11 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`468`	`468`	`}{`
`469`	`469`	`{`
`470`	`470`	`name: "JWTAuth",`
`471`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, nil),`
	`471`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, nil),`
`472`	`472`	`},`
`473`	`473`	`{`
`474`	`474`	`name: "JWTAuth with additional checks",`
`475`		`- auth: NewJWTAuth(keySet, issuer, "test-service", false, autoPassingAdditionalChecks),`
	`475`	`+ auth: NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoPassingAdditionalChecks),`
`476`	`476`	`},`
`477`	`477`	`}`
`478`	`478`
`@@ -516,7 +516,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`516`	`516`	`},`
`517`	`517`	`}`
`518`	`518`
`519`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, autoFailingAdditionalChecks)`
	`519`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, autoFailingAdditionalChecks)`
`520`	`520`
`521`	`521`	`// Create access token`
`522`	`522`	`token := createAccessToken(t, privateKey, issuer, "", []string{}, "test-user")`
`@@ -543,7 +543,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`543`	`543`	`CheckOrganizationIDClaim(provider),`
`544`	`544`	`}`
`545`	`545`
`546`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`546`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`547`	`547`
`548`	`548`	`// Create access token`
`549`	`549`	`token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", expectedOrgID)`
`@@ -566,7 +566,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`566`	`566`	`additionalChecks := []AdditionalCheck{`
`567`	`567`	`CheckOrganizationIDClaim(provider),`
`568`	`568`	`}`
`569`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`569`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`570`	`570`
`571`	`571`	`// Create access token`
`572`	`572`	`token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")`
`@@ -590,7 +590,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`590`	`590`	`additionalChecks := []AdditionalCheck{`
`591`	`591`	`CheckOrganizationIDClaim(provider),`
`592`	`592`	`}`
`593`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`593`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`594`	`594`
`595`	`595`	`// Create access token`
`596`	`596`	`token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "someotherorgid")`
`@@ -615,7 +615,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`615`	`615`	`additionalChecks := []AdditionalCheck{`
`616`	`616`	`CheckOrganizationIDClaim(provider),`
`617`	`617`	`}`
`618`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`618`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`619`	`619`
`620`	`620`	`// Create access token`
`621`	`621`	`token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")`
`@@ -639,7 +639,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`639`	`639`	`additionalChecks := []AdditionalCheck{`
`640`	`640`	`CheckAudienceClaim(expectedAudience),`
`641`	`641`	`}`
`642`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`642`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`643`	`643`
`644`	`644`	`// Create access token`
`645`	`645`	`token := createAccessTokenWithOrgClaims(t, privateKey, issuer, "", []string{}, "test-user", "")`
`@@ -663,7 +663,7 @@ func TestJWTAuth_Authenticate(t *testing.T) {`
`663`	`663`	`additionalChecks := []AdditionalCheck{`
`664`	`664`	`CheckAudienceClaim(expectedAudience),`
`665`	`665`	`}`
`666`		`- auth := NewJWTAuth(keySet, issuer, "test-service", false, additionalChecks)`
	`666`	`+ auth := NewJWTAuth(map[string]oidc.KeySet{issuer: keySet}, "test-service", false, additionalChecks)`
`667`	`667`
`668`	`668`	`// Create access token`
`669`	`669`	`tokenAudience := expectedAudience`