Token Auth requires JWKS although docs says is optional #4470

@josegomezr

Description

We had a small surprise when doing tests on latest master with regard to token authentication. When trying out the code at commit 2314320, the service was rejecting all tokens.

Reproduce

When not specifying auth.token.jwks like:

---
auth:
  token:
    service: "The great registry service"
    realm: "https://auth-server.internal/authorize"
    issuer: "My Auth Issuer"
    rootcertbundle: "./path/to/docker_auth.crt"
    # notice the lack of jwks

try a docker pull localhost:5000/a-sample-image and:

  • See the failed pull
  • See in the logs failed to verify token: token signed by untrusted key with ID: "key-id-reported-in-the-jwt"

Expected behavior

Behavior similar to the latest stable branch (v2.8.3): when the jwks entry is not provided, it should validate against the keyid of the rootcertbundle.

registry version

Built from commit: 2314320

Additional Info

Is this new behavior intended?

If so, I can volunteer to document it in the jwt.md page as well as
in configuration.md to reflect the requirement for a
jwks.json file to state explicitly that either:

  • the JWT token includes the x5c section with a certificate that can be
    verified with the auth.token.rootcertbundle.

  • or, the auth.token.jwks is a mandatory field containing the JWK
    representation of the signing key.

Maybe related to: #3941
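The two trust paths the bullets above describe, as an added example in Go; this is not code from the distribution project and not the registry's own verifier. It assumes ECDSA signing keys, a jwks that has already been parsed into a map keyed by kid, and it stops at key resolution (the signature and claim checks that would follow with the resolved key are not shown). The certificate names and the kid value "leaf-key-1" are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// jwtHeader holds the JOSE header fields that decide which key verifies a token.
type jwtHeader struct {
	Kid string   `json:"kid,omitempty"`
	X5c []string `json:"x5c,omitempty"` // base64 DER certificates, leaf first
}

// Verifier models the issue's two trust sources: rootcertbundle (Roots) and
// jwks (keys by kid; a real jwks.json would be parsed into JWKS).
type Verifier struct {
	Roots *x509.CertPool
	JWKS  map[string]*ecdsa.PublicKey
}

// ResolveKey picks the verification key: an x5c chain that validates against
// Roots wins, then a kid lookup in JWKS; anything else is an untrusted key,
// which is the error the issue reports.
func (v *Verifier) ResolveKey(h jwtHeader) (*ecdsa.PublicKey, error) {
	if len(h.X5c) == 0 {
		if pub, ok := v.JWKS[h.Kid]; ok {
			return pub, nil
		}
		return nil, fmt.Errorf("token signed by untrusted key with ID: %q", h.Kid)
	}
	var chain []*x509.Certificate
	for _, b64 := range h.X5c {
		der, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	inter := x509.NewCertPool() // extra x5c entries serve as intermediates
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain not trusted by rootcertbundle: %w", err)
	}
	if pub, ok := chain[0].PublicKey.(*ecdsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("leaf certificate key is not ECDSA")
}

// Constructed fixtures below: an in-memory root CA and a leaf signing cert.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo resolves keys for three cases: x5c with rootcertbundle only, kid with
// jwks, and kid with no jwks configured (the setup the issue reports failing).
func Demo() (x5cOK, jwksOK bool, untrustedErr error) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootT, rootT, &rootKey.PublicKey, rootKey))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "token signer"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: rootT.NotBefore, NotAfter: rootT.NotAfter}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafT, root, &leafKey.PublicKey, rootKey))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	bundleOnly := &Verifier{Roots: roots} // rootcertbundle set, jwks absent
	withJWKS := &Verifier{Roots: roots, JWKS: map[string]*ecdsa.PublicKey{"leaf-key-1": &leafKey.PublicKey}}
	x5cHdr := jwtHeader{X5c: []string{base64.StdEncoding.EncodeToString(leafDER)}}
	kidHdr := jwtHeader{Kid: "leaf-key-1"}
	k1, err1 := bundleOnly.ResolveKey(x5cHdr)
	k2, err2 := withJWKS.ResolveKey(kidHdr)
	_, err3 := bundleOnly.ResolveKey(kidHdr)
	return err1 == nil && k1.Equal(&leafKey.PublicKey), err2 == nil && k2.Equal(&leafKey.PublicKey), err3
}

func main() {
	a, b, c := Demo()
	fmt.Println("x5c+rootcertbundle:", a, "| kid+jwks:", b, "| kid, no jwks:", c)
}
```

Run with go run: a verifier configured with only the root bundle accepts a token whose x5c leaf chains to that bundle and rejects a kid-only token with the same "untrusted key with ID" text quoted in the logs above; the third case is the configuration in the report, where the token carries only a kid and no jwks is configured.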