Additional tests and validation

backend.go

@@ -154,12 +154,16 @@ func (b *jwtAuthBackend) jwtValidator(config *jwtConfig) (*jwt.Validator, error)
 		keySet, err = jwt.NewJSONWebKeySet(b.providerCtx, config.JWKSURL, config.JWKSCAPEM)
 		keySets = []jwt.KeySet{keySet}
 	case MultiJWKS:
-		pairs, err := NewJWKSPairsConfig(config)
+		pairs, pairsErr := NewJWKSPairsConfig(config)
+		if pairsErr != nil {
+			return nil, pairsErr
+		}
 
 		for _, p := range pairs {
 			keySet, keySetErr := jwt.NewJSONWebKeySet(b.providerCtx, p.JWKSUrl, p.JWKSCAPEM)
 			if keySetErr != nil {
 				err = multierror.Append(err, keySetErr)
+				continue
 			}
 			keySets = append(keySets, keySet)
 		}

backend_test.go

@@ -0,0 +1,54 @@
+package jwtauth
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/cap/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_jwtAuthBackend_jwtValidator(t *testing.T) {
+	type args struct {
+		config *jwtConfig
+	}
+	tests := []struct {
+		name        string
+		args        args
+		want        *jwt.Validator
+		expectedErr string
+	}{
+		{
+			name: "invalid ca pem",
+			args: args{
+				config: &jwtConfig{
+					JWKSPairs: []interface{}{
+						map[string]any{
+							"jwks_url":    "https://www.foobar.com/something",
+							"jwks_ca_pem": "defg",
+						},
+						map[string]any{
+							"jwks_url":    "https://www.barbaz.com/something",
+							"jwks_ca_pem": "",
+						},
+					},
+				},
+			},
+			expectedErr: "could not parse CA PEM value successfully",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b := &jwtAuthBackend{}
+			b.providerCtx = context.TODO()
+
+			got, err := b.jwtValidator(tt.args.config)
+			if tt.expectedErr != "" {
+				require.ErrorContains(t, err, tt.expectedErr)
+				return
+			}
+			assert.Equalf(t, tt.want, got, "jwtValidator(%v)", tt.args.config)
+		})
+	}
+}

path_config.go

@@ -293,6 +293,9 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
 	case config.JWKSCAPEM != "" && len(config.JWKSPairs) > 0:
 		return logical.ErrorResponse("CA PEMs must be provided as part of the 'jwks_pairs' when using multiple JWKS URLs"), nil
 
+	case len(config.JWKSPairs) > 0 && config.BoundIssuer != "":
+		return logical.ErrorResponse("Bound issuer is not supported for use with 'jwks_pairs'"), nil
+
 	case config.JWKSURL != "":
 		if r := b.validateJWKSURL(ctx, config.JWKSURL, config.JWKSCAPEM); r != nil {
 			return r, nil

path_config_test.go

@@ -195,6 +195,45 @@ func TestConfig_JWKS_Write_Invalid(t *testing.T) {
 	}
 }
 
+func TestConfig_JWKS_Write_BoundIssuer_Invalid(t *testing.T) {
+	b, storage := getBackend(t)
+
+	// Create a config with invalid jwks_pairs and bound issuer combination
+	data := map[string]interface{}{
+		"jwks_url":    "",
+		"jwks_ca_pem": "",
+		"jwks_pairs": []interface{}{
+			map[string]interface{}{"jwks_url": "https://www.foobar.com/certs", "jwks_ca_pem": "cert"},
+			map[string]interface{}{"jwks_url": "https://www.barbaz.com/certs", "jwks_ca_pem": "cert2"},
+		},
+		"oidc_discovery_url":     "",
+		"oidc_discovery_ca_pem":  "",
+		"oidc_client_id":         "",
+		"default_role":           "",
+		"jwt_validation_pubkeys": []string{},
+		"jwt_supported_algs":     []string{},
+		"bound_issuer":           "foobar",
+	}
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      configPath,
+		Storage:   storage,
+		Data:      data,
+	}
+
+	resp, err := b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil || !resp.IsError() {
+		t.Fatal("expected error")
+	}
+	if !strings.HasPrefix(resp.Error().Error(), "Bound issuer is not supported for use with 'jwks_pairs'") {
+		t.Fatalf("got unexpected error: %v", resp.Error())
+	}
+}
+
 func TestConfig_JWKS_Update(t *testing.T) {
 	b, storage := getBackend(t)