RE: Restrict issuer when using "External JWT" identity provider

@dan thanks for your answer.

I believe it should be possible to add this restriction in FusionAuth by configuration, as it presents a security issue for integrations using more than one External JWT. And as FusionAuth is multi-tenant, this could seriously go wrong.

What I would like to propose, is that the setting Default verification key is changed into Verification key. If the token contains a kid, it must match with what is configured there and the signature must be correct. If the token does not contain a kid, the signature must be correct according to the key selected there. Is this the correct place to request such feature?

The "External JWT" identity provider, allows us to authenticate against an application using an external JWT. As far as I can see, the only way to allow/disallow external JWTs on this "External JWT" identity provider is whether or not the kid is known in the Key Master configuration.

I can't seem to find a way to restrict a certain external issuer to a certain "External JWT" identity provider which is problematic if we have multiple applications with different relying-parties.

For example:

"External JWT IdP A" is linked to "Application A"
"External JWT IdP B" is linked to "Application B"
on "Application A" we want to allow external JWTs of Issuer 1, with kid X.
on "Application B" we want to allow external JWTs of Issuer 2, with kid Y.

But since both kids are known in Key Master, both External JWT IdPs will accept any JWT, doesn't matter if it's kid X or Y. Is there a way to restrict this (f.e. link specific signing key to specific external IdP or validate the iss field in the external JWT)? As currently this is a major security issue for us.