JWT authentication as built in function

[containerpope]

Context

Figuring out how to do oidc token validation with rego is just pain. I tried setting it up with proposed examples but was not able to get it to work properly. Usually tokens are only validated on JWKs and some parameters like scope, audience or issuer so configuration should be simple, but rego makes troubleshooting really hard on this particular case.

Decision

We will introduce our own built in function to allow JWT based authentication in golang. Similar how we did with SpiceDB.
The built in has to support the following properties (similar to what oathkeeper does today):

jwt:
    config:
      jwks_urls:
        - https://my-website.com/.well-known/jwks.json
        - https://my-other-website.com/.well-known/jwks.json
        - [file://path/to/local/jwks.json](file:///to/local/jwks.json)
      target_audience:
        - ""
      trusted_issuers:
        - ""
      allowed_algorithms:
        - ""
      jwks_max_wait: 100ms
      jwks_ttl: 30m
      scope_strategy: hierarchic
      token_from: null
      required_scope:
        - ""

A reference implementation on the golang-jwt package, which does everything we need can be found here.

The built in would be used in the already existing space for authentication logic as a replacement to configuring the oidc stuff in rego. The built in has to live as a global in the background and refresh the JWK tokens in the configured timeframes.

Consequences

It will be way easier to configure JWT based authentication. There is a chance, that other auth methods will also require custom implementation but we will see.