Summary
JwtValidator today cannot rotate signing keys automatically for JWTs that carry a "kid" header but no "jku" header, which is the shape used by most commercial OIDC providers (Auth0, Microsoft Entra ID, Okta, Google). Operators must either list every signing key in the realm's key map and restart on every rotation, or fall back to a single public key and lose kid matching.
The proposal adds an optional "jku-fallback-url" attribute on token-realm. When a token carries a kid but no jku, and that kid is not already in the key map, the validator treats the configured URL as if the token had included it in its jku header, routing the lookup through the existing JwkManager cache. The fallback URL is subject to the same allowed-jku-values allowlist, HTTPS scheme check, and SSL-context requirement as a jku taken from the token.
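As an added illustration of the resolution order described above (not the project's own code), the following Python sketch returns which key source the validator would consult for a decoded JWT header; TokenRealm, resolve_key_source and the sample URLs are assumed names and values, the JwkManager fetch itself is left out, and tokens with neither kid nor jku are simply rejected here.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class TokenRealm:
    """Hypothetical stand-in for the token-realm configuration (constructed)."""
    key_map: dict[str, str]                      # kid -> local public key (PEM)
    allowed_jku_values: set[str] = field(default_factory=set)
    jku_fallback_url: Optional[str] = None       # the proposed new attribute
    ssl_context_configured: bool = False


class TokenRejected(Exception):
    pass


def _check_remote_url(url: str, realm: TokenRealm) -> str:
    # The same three checks apply whether the URL came from the token's jku
    # header or from jku-fallback-url: https only, allowlisted, SSL context set.
    if urlsplit(url).scheme != "https":
        raise TokenRejected(f"JWKS URL must use https: {url}")
    if url not in realm.allowed_jku_values:
        raise TokenRejected(f"JWKS URL not in allowed-jku-values: {url}")
    if not realm.ssl_context_configured:
        raise TokenRejected("remote JWKS lookup requires a configured SSL context")
    return url


def resolve_key_source(header: dict, realm: TokenRealm) -> tuple[str, str]:
    """Return ("local", pem) or ("jwks", url) for the key that should verify the token.

    Order (assumed): a kid already in the realm's key map wins; otherwise a jku
    in the token is used; otherwise a kid with no jku falls back to the
    configured jku-fallback-url. Anything else is rejected.
    """
    kid = header.get("kid")
    jku = header.get("jku")
    if kid is not None and kid in realm.key_map:
        return ("local", realm.key_map[kid])
    if jku is not None:
        return ("jwks", _check_remote_url(jku, realm))
    if kid is not None and realm.jku_fallback_url is not None:
        return ("jwks", _check_remote_url(realm.jku_fallback_url, realm))
    raise TokenRejected("no usable key: unknown kid and no jku or jku-fallback-url")
```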
Links