Change AuthorizationHeaderParserConfiguration to take a JSON Web Key Set

go.mod

@@ -70,6 +70,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-redis/redis/extra/rediscmd v0.2.0 // indirect

go.sum

@@ -77,6 +77,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fxtlabs/primes v0.0.0-20150821004651-dad82d10a449 h1:HOYnhuVrhAVGKdg3rZapII640so7QfXQmkLkefUN/uM=
 github.com/fxtlabs/primes v0.0.0-20150821004651-dad82d10a449/go.mod h1:i+vbdOOivRRh2j+WwBkjZXloGN/+KAqfKDwNfUJeugc=
+github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
+github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -237,6 +239,7 @@ go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=

go_dependencies.bzl

@@ -249,6 +249,12 @@ def go_dependencies():
         sum = "h1:HOYnhuVrhAVGKdg3rZapII640so7QfXQmkLkefUN/uM=",
         version = "v0.0.0-20150821004651-dad82d10a449",
     )
+    go_repository(
+        name = "com_github_go_jose_go_jose_v3",
+        importpath = "github.com/go-jose/go-jose/v3",
+        sum = "h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=",
+        version = "v3.0.0",
+    )
     go_repository(
         name = "com_github_go_kit_log",
         importpath = "github.com/go-kit/log",

pkg/jwt/BUILD.bazel

@@ -10,6 +10,7 @@ go_library(
         "ed25519_signature_validator.go",
         "generate_authorization_header.go",
         "hmac_sha_signature_validator.go",
+        "jwks_signature_validator.go",
         "rsa_sha_signature_validator.go",
         "signature_generator.go",
         "signature_validator.go",
@@ -23,9 +24,11 @@ go_library(
         "//pkg/proto/configuration/jwt",
         "//pkg/random",
         "//pkg/util",
+        "@com_github_go_jose_go_jose_v3//:go-jose",
         "@com_github_jmespath_go_jmespath//:go-jmespath",
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//status",
+        "@org_golang_google_protobuf//encoding/protojson",
     ],
 )
 
@@ -38,6 +41,7 @@ go_test(
         "ed25519_signature_validator_test.go",
         "generate_authorization_header_test.go",
         "hmac_sha_signature_validator_test.go",
+        "jwks_signature_validator_test.go",
         "rsa_sha_signature_validator_test.go",
     ],
     deps = [

pkg/jwt/authorization_header_parser.go

@@ -102,11 +102,12 @@ func (a *AuthorizationHeaderParser) parseSingleAuthorizationHeader(header string
 	// Perform signature validation.
 	headerMessage := struct {
 		Alg string `json:"alg"`
+		Kid string `json:"kid"`
 	}{}
 	if json.Unmarshal(decodedFields[0], &headerMessage) != nil {
 		return unauthenticated
 	}
-	if !a.signatureValidator.ValidateSignature(headerMessage.Alg, match[1], decodedFields[2]) {
+	if !a.signatureValidator.ValidateSignature(headerMessage.Alg, headerMessage.Kid, match[1], decodedFields[2]) {
 		return unauthenticated
 	}
 

pkg/jwt/authorization_header_parser_test.go

@@ -36,6 +36,7 @@ func TestAuthorizationHeaderParser(t *testing.T) {
 		clock.EXPECT().Now().Return(time.Unix(1635747849, 0))
 		signatureValidator.EXPECT().ValidateSignature(
 			"HS256",
+			"",
 			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 			[]byte{
 				0x49, 0xf9, 0x4a, 0xc7, 0x04, 0x49, 0x48, 0xc7,
@@ -59,6 +60,7 @@ func TestAuthorizationHeaderParser(t *testing.T) {
 		clock.EXPECT().Now().Return(time.Unix(1635781700, 0))
 		signatureValidator.EXPECT().ValidateSignature(
 			"HS256",
+			"",
 			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 			[]byte{
 				0x69, 0xf2, 0xcf, 0x62, 0xca, 0x9a, 0xa4, 0x3c,
@@ -102,6 +104,7 @@ func TestAuthorizationHeaderParser(t *testing.T) {
 		clock.EXPECT().Now().Return(time.Unix(1635781778, 0))
 		signatureValidator.EXPECT().ValidateSignature(
 			"HS256",
+			"",
 			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwibmJmIjoxNjM1NzgxNzgwLCJleHAiOjE2MzU3ODE3OTJ9",
 			[]byte{
 				0x9a, 0xf0, 0xa6, 0x11, 0xb2, 0x62, 0xcb, 0xec,
@@ -199,6 +202,7 @@ func TestAuthorizationHeaderParser(t *testing.T) {
 		clock.EXPECT().Now().Return(time.Unix(1636144433, 0))
 		signatureValidator.EXPECT().ValidateSignature(
 			"HS256",
+			"",
 			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb3JiaWRkZW5GaWVsZCI6Im9vcHMifQ",
 			[]byte{
 				0xf1, 0x5c, 0xbc, 0x0c, 0x47, 0x71, 0x2d, 0x88,

pkg/jwt/configuration.go

@@ -1,57 +1,30 @@
 package jwt
 
 import (
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"reflect"
-
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
 	configuration "github.com/buildbarn/bb-storage/pkg/proto/configuration/jwt"
 	"github.com/buildbarn/bb-storage/pkg/util"
 	"github.com/jmespath/go-jmespath"
 
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/encoding/protojson"
 )
 
 // NewAuthorizationHeaderParserFromConfiguration creates a new HTTP
 // "Authorization" header parser based on options stored in a
 // configuration file.
 func NewAuthorizationHeaderParserFromConfiguration(config *configuration.AuthorizationHeaderParserConfiguration) (*AuthorizationHeaderParser, error) {
-	var signatureValidator SignatureValidator
-	switch key := config.Key.(type) {
-	case *configuration.AuthorizationHeaderParserConfiguration_HmacKey:
-		signatureValidator = NewHMACSHASignatureValidator(key.HmacKey)
-	case *configuration.AuthorizationHeaderParserConfiguration_PublicKey:
-		block, _ := pem.Decode([]byte(key.PublicKey))
-		if block == nil {
-			return nil, status.Error(codes.InvalidArgument, "Public key does not use the PEM format")
-		}
-		parsedKey, err := x509.ParsePKIXPublicKey(block.Bytes)
-		if err != nil {
-			return nil, util.StatusWrapWithCode(err, codes.InvalidArgument, "Failed to parse public key")
-		}
-		switch convertedKey := parsedKey.(type) {
-		case *ecdsa.PublicKey:
-			var err error
-			signatureValidator, err = NewECDSASHASignatureValidator(convertedKey)
-			if err != nil {
-				return nil, err
-			}
-		case ed25519.PublicKey:
-			signatureValidator = NewEd25519SignatureValidator(convertedKey)
-		case *rsa.PublicKey:
-			signatureValidator = NewRSASHASignatureValidator(convertedKey)
-		default:
-			keyType := reflect.TypeOf(parsedKey)
-			return nil, status.Errorf(codes.InvalidArgument, "Unsupported public key type: %s/%s", keyType.PkgPath(), keyType.Name())
-		}
-	default:
-		return nil, status.Error(codes.InvalidArgument, "No key type provided")
+	var err error
+	var jwksJson []byte
+
+	jwksJson, err = protojson.Marshal(config.JwksInline)
+	if err != nil {
+		return nil, util.StatusWrap(err, "Failed to parse inline JWKS")
+	}
+
+	signatureValidator, err := NewJWKSSignatureValidator(jwksJson)
+	if err != nil {
+		return nil, util.StatusWrap(err, "Failed to create signature validator")
 	}
 
 	evictionSet, err := eviction.NewSetFromConfiguration[string](config.CacheReplacementPolicy)

pkg/jwt/ecdsa_sha_signature_generator_test.go

@@ -33,6 +33,6 @@ f2EJfEoVNO/YidkVY+J35v8vQoAMS4rRGA==
 		// Ensure that the generated signature is valid.
 		signatureValidator, err := jwt.NewECDSASHASignatureValidator(&key.PublicKey)
 		require.NoError(t, err)
-		require.True(t, signatureValidator.ValidateSignature("ES256", headerAndPayload, signature))
+		require.True(t, signatureValidator.ValidateSignature("ES256", "", headerAndPayload, signature))
 	})
 }

pkg/jwt/ecdsa_sha_signature_validator.go

@@ -60,7 +60,7 @@ func NewECDSASHASignatureValidator(publicKey *ecdsa.PublicKey) (SignatureValidat
 	}, nil
 }
 
-func (sv *ecdsaSHASignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool {
+func (sv *ecdsaSHASignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool {
 	p := sv.parameters
 	if algorithm != p.algorithm || len(signature) != 2*p.keySizeBytes {
 		return false

pkg/jwt/ecdsa_sha_signature_validator_test.go

@@ -25,6 +25,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
 		// Algorithm "HS256" uses HMAC; not ECDSA. Validation should fail.
 		require.False(t, signatureValidator.ValidateSignature(
 			"HS256",
+			"",
 			"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 			[]byte{
 				0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba,
@@ -36,6 +37,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
 		// ECDSA with SHA-256, both with a valid and invalid signature.
 		require.True(t, signatureValidator.ValidateSignature(
 			"ES256",
+			"",
 			"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 			[]byte{
 				// R.
@@ -51,6 +53,7 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
 			}))
 		require.False(t, signatureValidator.ValidateSignature(
 			"ES256",
+			"",
 			"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 			[]byte{
 				// R.
@@ -82,6 +85,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii
 		// 256-bit signatures.
 		require.False(t, signatureValidator.ValidateSignature(
 			"ES256",
+			"",
 			"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 			[]byte{
 				// R.
@@ -99,6 +103,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii
 		// ECDSA with SHA-384, both with a valid and invalid signature.
 		require.True(t, signatureValidator.ValidateSignature(
 			"ES384",
+			"",
 			"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 			[]byte{
 				// R.
@@ -118,6 +123,7 @@ Pk9Yf9rIf374m5XP1U8q79dBhLSIuaojsvOT39UUcPJROSD1FqYLued0rXiooIii
 			}))
 		require.False(t, signatureValidator.ValidateSignature(
 			"ES384",
+			"",
 			"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 			[]byte{
 				// R.
@@ -153,6 +159,7 @@ ihmzIyMgyPuqu8IuyzMNx4G2jpoCKhRu9qPCQUMGDeCG1x3/n/OgkWNQANsB82x7
 		// ECDSA with SHA-512, both with a valid and invalid signature.
 		require.True(t, signatureValidator.ValidateSignature(
 			"ES512",
+			"",
 			"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJmb28iOiJiYXIifQ",
 			[]byte{
 				// R.
@@ -178,6 +185,7 @@ ihmzIyMgyPuqu8IuyzMNx4G2jpoCKhRu9qPCQUMGDeCG1x3/n/OgkWNQANsB82x7
 			}))
 		require.False(t, signatureValidator.ValidateSignature(
 			"ES512",
+			"",
 			"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJmb28iOiJiYXIifQ",
 			[]byte{
 				// R.

pkg/jwt/ed25519_signature_validator.go

@@ -22,7 +22,7 @@ func NewEd25519SignatureValidator(publicKey ed25519.PublicKey) SignatureValidato
 	}
 }
 
-func (sv *ed25519SignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool {
+func (sv *ed25519SignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool {
 	if algorithm != "EdDSA" {
 		return false
 	}

pkg/jwt/ed25519_signature_validator_test.go

@@ -22,6 +22,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc=
 	// Algorithm "HS256" uses HMAC; not Ed25519. Validation should fail.
 	require.False(t, signatureValidator.ValidateSignature(
 		"HS256",
+		"",
 		"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 		[]byte{
 			0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba,
@@ -33,6 +34,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc=
 	// Ed25519, both with a valid and invalid signature.
 	require.True(t, signatureValidator.ValidateSignature(
 		"EdDSA",
+		"",
 		"eyJhbGciOiJFZERTQSJ9.eyJpZCI6MX0",
 		[]byte{
 			0x44, 0x0c, 0x41, 0x01, 0x03, 0xc5, 0x3b, 0x1a,
@@ -46,6 +48,7 @@ MCowBQYDK2VwAyEA7fySb/9h7hVH8j1paD5IoLfXj4prjfNLwOPUYKvsTOc=
 		}))
 	require.False(t, signatureValidator.ValidateSignature(
 		"EdDSA",
+		"",
 		"eyJhbGciOiJFZERTQSJ9.eyJpZCI6MX0",
 		[]byte{
 			0x04, 0x16, 0xeb, 0x4f, 0xfc, 0x5d, 0x6f, 0x39,

pkg/jwt/hmac_sha_signature_validator.go

@@ -26,7 +26,7 @@ func NewHMACSHASignatureValidator(key []byte) SignatureValidator {
 	}
 }
 
-func (sv *hmacSHASignatureValidator) ValidateSignature(algorithm, headerAndPayload string, signature []byte) bool {
+func (sv *hmacSHASignatureValidator) ValidateSignature(algorithm, keyId, headerAndPayload string, signature []byte) bool {
 	// Determine the hashing function that was used to create the
 	// signature.
 	var hashFunc func() hash.Hash

pkg/jwt/hmac_sha_signature_validator_test.go

@@ -13,6 +13,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 	// Algorithm "RS256" uses RSA; not HMAC. Validation should fail.
 	require.False(t, signatureValidator.ValidateSignature(
 		"RS256",
+		"",
 		"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 		[]byte{
 			0x34, 0x75, 0x5a, 0x61, 0xed, 0xba, 0x31, 0xbb, 0x4e,
@@ -49,6 +50,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 	// HMAC with SHA-256, both with a valid and invalid signature.
 	require.True(t, signatureValidator.ValidateSignature(
 		"HS256",
+		"",
 		"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 		[]byte{
 			0xb3, 0x57, 0x72, 0xdf, 0xc5, 0xc6, 0x74, 0xba,
@@ -58,6 +60,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 		}))
 	require.False(t, signatureValidator.ValidateSignature(
 		"HS256",
+		"",
 		"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
 		[]byte{
 			0x6d, 0x32, 0xc8, 0x2c, 0x25, 0xce, 0x4d, 0x54,
@@ -69,6 +72,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 	// HMAC with SHA-384, both with a valid and invalid signature.
 	require.True(t, signatureValidator.ValidateSignature(
 		"HS384",
+		"",
 		"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 		[]byte{
 			0x17, 0xf9, 0x9c, 0xc4, 0x9c, 0x91, 0xdf, 0x4e,
@@ -80,6 +84,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 		}))
 	require.False(t, signatureValidator.ValidateSignature(
 		"HS384",
+		"",
 		"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 		[]byte{
 			0xd9, 0xa6, 0x0a, 0x8f, 0x74, 0xc6, 0xe9, 0x94,
@@ -93,6 +98,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 	// HMAC with SHA-512, both with a valid and invalid signature.
 	require.True(t, signatureValidator.ValidateSignature(
 		"HS512",
+		"",
 		"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 		[]byte{
 			0xa7, 0xaa, 0x8f, 0x98, 0x7a, 0xed, 0xfa, 0x02,
@@ -106,6 +112,7 @@ func TestHMACSHASignatureValidator(t *testing.T) {
 		}))
 	require.False(t, signatureValidator.ValidateSignature(
 		"HS512",
+		"",
 		"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0",
 		[]byte{
 			0x9b, 0x19, 0x35, 0xa6, 0xb3, 0xe0, 0x9c, 0x3a,