update

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/mcp_route.go

@@ -280,8 +280,10 @@ type MCPAuthorizationTarget struct {
 type MCPAuthorizationSource struct {
 	// JWTSource defines the JWT scopes required for this rule to match.
 	//
-	// +kubebuilder:validation:Optional
-	JWTSource *JWTSource `json:"jwtSource,omitempty"`
+	// +kubebuilder:validation:Required
+	JWTSource JWTSource `json:"jwtSource"`
+
+	// TODO: JWTSource can be optional in the future when we support more source types.
 }
 
 type JWTSource struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -34,10 +34,8 @@ func (m *MCPProxy) authorizeRequest(authorization *filterapi.MCPRouteAuthorizati
 	}
 
 	claims := jwt.MapClaims{}
-	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
 	// JWT verification is performed by Envoy before reaching here. So we only need to parse the token without verification.
-	// codeql[go/missing-jwt-signature-check]
-	if _, _, err := parser.ParseUnverified(token, claims); err != nil {
+	if _, _, err := jwt.NewParser().ParseUnverified(token, claims); err != nil {
 		m.l.Info("failed to parse JWT token", slog.String("error", err.Error()))
 		return false
 	}

internal/mcpproxy/authorization.go

@@ -632,6 +632,8 @@ spec:
                                   required:
                                   - scopes
                                   type: object
+                              required:
+                              - jwtSource
                               type: object
                             target:
                               description: Target defines the authorization target