From d153553d52fa25c5a6d53dbcdf2ad17fe1e65e38 Mon Sep 17 00:00:00 2001
From: Gani Georgiev
Date: Sat, 2 May 2026 23:20:32 +0300
Subject: [PATCH] added eager alg error check to minimize misuse

---
 tools/auth/internal/jwk/jwk.go | 4 ++--
 tools/auth/internal/jwk/jwk_test.go | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/tools/auth/internal/jwk/jwk.go b/tools/auth/internal/jwk/jwk.go
index 9de51fc2..27a1adec 100644
--- a/tools/auth/internal/jwk/jwk.go
+++ b/tools/auth/internal/jwk/jwk.go
@@ -114,12 +114,12 @@ func Fetch(ctx context.Context, jwksURL string, kid string) (*JWK, error) {
 	}
 
 	for _, key := range jwks.Keys {
-		if key.Kid == kid {
+		if key.Kid == kid && key.Alg != "" {
 			return key, nil
 		}
 	}
 
-	return nil, fmt.Errorf("JWK with kid %q was not found", kid)
+	return nil, fmt.Errorf("missing JWK with kid %q and non-empty alg", kid)
 }
 
 // ValidateTokenSignature validates the signature of a token with the
diff --git a/tools/auth/internal/jwk/jwk_test.go b/tools/auth/internal/jwk/jwk_test.go
index d628bacc..189efcc2 100644
--- a/tools/auth/internal/jwk/jwk_test.go
+++ b/tools/auth/internal/jwk/jwk_test.go
@@ -168,6 +168,12 @@ func TestFetch(t *testing.T) {
 			true,
 			nil,
 		},
+		{
+			"matching kid (no alg)",
+			"abc",
+			true,
+			nil,
+		},
 		{
 			"matching kid",
 			"def",
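Review bot: The new condition `if key.Kid == kid && key.Alg != ""` folds two distinct failures into the one "missing JWK" error: the key set has no key with that kid, and the key set has the kid but its `alg` member is empty (RFC 7517 makes `alg` optional, so some issuers publish keys without it). Those call for different operator actions, and an authentication failure that cannot be attributed to either is hard to triage from logs. Tracking whether the kid matched and returning a separate error keeps the eager check while making the failure diagnosable; the enclosing Fetch begins before the hunk, and its doc comment (also outside the hunk) should state the new contract, e.g. `// Keys whose "alg" member is empty are skipped; presumably so the verification algorithm is taken from the key set rather than the token — confirm against ValidateTokenSignature.`
```go
	var kidSeen bool
	for _, key := range jwks.Keys {
		if key.Kid != kid {
			continue
		}
		if key.Alg != "" {
			return key, nil
		}
		kidSeen = true // kid matched but alg is absent; keep scanning for a usable duplicate
	}

	if kidSeen {
		return nil, fmt.Errorf("JWK with kid %q has an empty alg", kid)
	}
	return nil, fmt.Errorf("JWK with kid %q was not found", kid)
```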