
[API Policies] JWT Auth Policy Issues #693

@DakshithaS

Overview

Multiple critical issues in JWT authentication including blocking operations and test failures indicating potential production bugs.


Issues

1. Blocking time.Sleep in Request Path Causes Timeouts

File: jwtauth.go (lines 987-993)

Description:
The JWKS refresh retry loop uses blocking time.Sleep, which can block the request-handling goroutine for up to 3 × 2s = 6s. Combined with fetch timeouts, this can cause very long request latencies when the JWKS endpoint fails.

Impact: Failing JWKS endpoints cause significant request delays and potential timeouts.

Proposed Fix:

  • Use context-aware sleep that respects request cancellation
  • Cache stale data on fetch failure
  • Implement background refresh instead of blocking retries

2. Test Failures in Authentication Logic

Description:
Two critical test failures detected:

  1. TestJWTAuthPolicy_CustomClaims - Authentication logic issue with custom claims validation
  2. TestJWTAuthPolicy_CustomHeaderPrefix - Header prefix handling issue

Additional TLS handshake error detected (likely test cleanup or server shutdown issue).

Impact: Tests are failing, indicating potential bugs in production authentication logic.

Proposed Fix:

  • Debug and fix custom claims validation logic
  • Fix header prefix extraction/validation
  • Ensure proper test cleanup for HTTPS JWKS server

Reference
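
A context-aware retry loop with stale-key fallback, added here as an illustration of the first proposed fix (a fresh example, not code from jwtauth.go or from the project): `jwksCache`, `sleepCtx`, `refresh` and the `fetch` callback are assumed names, and plain key-ID strings stand in for a parsed key set. The loop gives up as soon as the request context is done instead of holding the goroutine for the full 3 × 2s.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// jwksCache keeps the last good key set (key IDs here, for brevity) so a
// failing endpoint serves stale keys instead of stalling the request.
// A real cache would guard keys with a mutex; omitted here for brevity.
type jwksCache struct{ keys []string }

// sleepCtx waits for d or until ctx is done, whichever comes first, and
// returns ctx.Err() if the caller gave up before the delay elapsed.
func sleepCtx(ctx context.Context, d time.Duration) error {
	t := time.NewTimer(d)
	defer t.Stop()
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-t.C:
		return nil
	}
}

// refresh calls fetch up to attempts times, pausing delay between tries but
// abandoning the loop as soon as ctx is done. If every attempt fails it
// returns the cached (stale) keys with the last error, so the caller can
// keep validating tokens against keys it already trusts.
func (c *jwksCache) refresh(ctx context.Context, fetch func(context.Context) ([]string, error),
	attempts int, delay time.Duration) ([]string, error) {
	var lastErr error
	for i := 0; i < attempts; i++ {
		if i > 0 {
			if err := sleepCtx(ctx, delay); err != nil {
				lastErr = fmt.Errorf("%v; retry abandoned: %w", lastErr, err)
				break
			}
		}
		keys, err := fetch(ctx)
		if err == nil {
			c.keys = keys
			return keys, nil
		}
		lastErr = err
	}
	return c.keys, lastErr // nil keys if nothing was ever cached
}
```

A caller that receives stale keys plus an error can still validate the token and schedule a background refresh, rather than failing the request outright.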
