Loading JWKS should not use URLConnection cache
Issue #195
closed
Hello,
inside the Get class and within the get method the URLConnection should not use cache.
it could be disabled by setUseCaches to false.
This could be critical if the IDP do key rotation and our URLConnection instance continue to use its cache.
Please let me know if I'm wrong in my analysis.
Regards
Comments (20)
-
-
reporter
Thanks for you quick answer!
No, did not get an issue with your lib, but in another contexte, yes !
For me regarding the existing code, we don’t have the control on the caching over different system layers.
In plus to setUseCaches to false we could also addsetRequestProperty("Cache-Control", "no-cache").
If you accepte PR, i could contribute. -
reporter
Do you have any suggestion please ? i could contribute if you accept PR!
-
I would consider a PR.
-
reporter
How i could create a new branch? Could you point me your guide for contribution ?
-
This workflow https://www.atlassian.com/git/tutorials/comparing-workflows/forking-workflow is commonly used in public open-source projects.
-
Or I could just add the one or two lines…
-
reporter
I forked the project and did the change, however i could not create PR, could you please give me the correct permission ?
-
repo owner
No special permission should be needed. I don’t know why you can’t create a PR. But https://bitbucket.org/khamlaoui/jose4j/commits/4c73787c94e8f77f9ed1dec61eb6df20f7cd29fc has more changes in it than I’d accept, regardless.
You can have
HttpsJwksuse your ownSimpleGetimplementation via https://javadoc.io/doc/org.bitbucket.b_c/jose4j/latest/org/jose4j/jwk/HttpsJwks.html#setSimpleHttpGet(org.jose4j.http.SimpleGet) if you really need/want all that.
-
reporter
I could remove the
disableServerSideCacheoption to keep it more simple.
We could keep only thepreventHttpCachingmethod.
You could see my last commit (the http headers are really need to disable the servers/ proxies cache) -
reporter
PR created @Brian Campbell
-
urlConnection.setUseCaches(false)is fine.I would be okay with
setRequestProperty("Cache-Control", "no-cache")not more
-
reporter
Ok, i updated my PR.
Thanks for your quick response! -
repo owner
- changed status to resolved
Merged pull request #20 to address this issue
#195 -
reporter
Thanks Brian for your support.
Do you have an estimated date of the new version release ?
-
repo owner
I don’t currently have concrete plans around the next release.
-
reporter
I need this new changes for my projets, please let me know when you publish a new version!
Thanks -
reporter
Hello Brian,
Any idea about the next release date please ? i need the new version with recent changes please.Thanks
-
repo owner
- changed status to closed
released with jose4j-0.7.10
-
reporter
Thank you so much Brian!
- Log in to comment
The analysis seems generally correct. With
HttpsJwksandHttpsJwksVerificationKeyResolver,the library does do some caching and forcing updates based on perceived key rotation. But that’s wouldn’t work if the underlyingHttpsURLConnectionis caching locally.Have you experienced an issue with this? Or is it a speculative concern?
I wasn’t aware of the
setUseCachesonHttps/URLConnection. Does it actually use a local cache? I’ve never observed it doing so. And I’m not aware of anyone experiencing this issue.But adding a
urlConnection.setUseCaches(false)toGet.get(...)seems reasonable.