Loading JWKS should not use URLConnection cache
Hello,
Inside the Get class, within the get method, the URLConnection should not use a cache.
It could be disabled by setting setUseCaches to false.
This could be critical if the IDP does key rotation and our URLConnection instance continues to use its cache.
Please let me know if I'm wrong in my analysis.
Regards
Comments (20)
-
reporter Thanks for your quick answer!
No, I did not get an issue with your lib, but in another context, yes!
For me, regarding the existing code, we don’t have control over the caching across the different system layers.
In addition to setting setUseCaches to false, we could also add setRequestProperty("Cache-Control", "no-cache").
If you accept a PR, I could contribute.
-
reporter Do you have any suggestions, please? I could contribute if you accept a PR!
-
I would consider a PR.
-
reporter How could I create a new branch? Could you point me to your contribution guide?
-
This workflow https://www.atlassian.com/git/tutorials/comparing-workflows/forking-workflow is commonly used in public open-source projects.
-
Or I could just add the one or two lines…
-
reporter I forked the project and made the change; however, I could not create a PR. Could you please give me the correct permission?
-
repo owner No special permission should be needed. I don’t know why you can’t create a PR. But https://bitbucket.org/khamlaoui/jose4j/commits/4c73787c94e8f77f9ed1dec61eb6df20f7cd29fc has more changes in it than I’d accept, regardless.
You can have HttpsJwks use your own SimpleGet implementation via https://javadoc.io/doc/org.bitbucket.b_c/jose4j/latest/org/jose4j/jwk/HttpsJwks.html#setSimpleHttpGet(org.jose4j.http.SimpleGet) if you really need/want all that.
-
reporter I could remove the disableServerSideCache option to keep it simpler.
We could keep only the preventHttpCaching method.
You can see my last commit (the HTTP headers are really needed to disable the servers/proxies cache).
-
reporter PR created @Brian Campbell
-
urlConnection.setUseCaches(false) is fine. I would be okay with setRequestProperty("Cache-Control", "no-cache"), not more.
-
reporter Ok, I updated my PR.
Thanks for your quick response!
-
repo owner - changed status to resolved
Merged pull request #20 to address this issue
#195
-
reporter Thanks Brian for your support.
Do you have an estimated date for the new version release?
-
repo owner I don’t currently have concrete plans around the next release.
-
reporter I need these new changes for my projects; please let me know when you publish a new version!
Thanks
-
reporter Hello Brian,
Any idea about the next release date, please? I need the new version with the recent changes, please. Thanks
-
repo owner - changed status to closed
released with jose4j-0.7.10
-
reporter Thank you so much Brian!
The analysis seems generally correct. With HttpsJwks and HttpsJwksVerificationKeyResolver, the library does do some caching and forcing updates based on perceived key rotation. But that wouldn’t work if the underlying HttpsURLConnection is caching locally. Have you experienced an issue with this? Or is it a speculative concern?
I wasn’t aware of the setUseCaches on Https/URLConnection. Does it actually use a local cache? I’ve never observed it doing so. And I’m not aware of anyone experiencing this issue. But adding a urlConnection.setUseCaches(false) to Get.get(...) seems reasonable.
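
The custom SimpleGet route mentioned in the thread, combined with the two settings agreed on (setUseCaches(false) and a Cache-Control: no-cache request header), as an added example that is not code from the thread, the pull request or jose4j itself. The class name NoCacheGet, the timeouts and the JWKS URL are placeholders; it assumes Java 9+ (for readAllBytes) and a UTF-8 response body.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import org.jose4j.http.Response;
import org.jose4j.http.SimpleGet;
import org.jose4j.http.SimpleResponse;
import org.jose4j.jwk.HttpsJwks;

/** Hypothetical SimpleGet that never serves a JWKS from a URLConnection cache. */
public class NoCacheGet implements SimpleGet {

    @Override
    public SimpleResponse get(String location) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(location).openConnection();
        // Bypass any java.net.ResponseCache installed in this JVM.
        conn.setUseCaches(false);
        // Ask proxies and other intermediaries to revalidate with the origin.
        conn.setRequestProperty("Cache-Control", "no-cache");
        conn.setConnectTimeout(20_000); // assumed timeouts, in milliseconds
        conn.setReadTimeout(20_000);
        try {
            int code = conn.getResponseCode();
            if (code != HttpURLConnection.HTTP_OK) {
                // Fail closed: a non-200 body must never be parsed as a key set.
                throw new IOException("JWKS fetch from " + location + " returned HTTP " + code);
            }
            try (InputStream in = conn.getInputStream()) {
                String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                return new Response(code, conn.getResponseMessage(), conn.getHeaderFields(), body);
            }
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL: replace with the identity provider's JWKS endpoint.
        HttpsJwks jwks = new HttpsJwks("https://idp.example.com/.well-known/jwks.json");
        jwks.setSimpleHttpGet(new NoCacheGet());
        System.out.println(jwks.getJsonWebKeys().size() + " key(s) loaded");
    }
}
```

HttpsJwks still applies its own key-set caching on top of this; the custom getter only ensures that each refresh it triggers goes out to the network.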