understanding RemoteJWKSet cache

Issue #176 closed
Vinoj Mathew created an issue

Hi there,

Question about the RemoteJWKSet cache. Please help me to understand.

Let's say I have a generic method where people can pass two things to validate the token:

1) Token

2) JWKS URL

My generic method validateToken looks like below:

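    import java.net.URL;
    import com.nimbusds.jose.JWSAlgorithm;
    import com.nimbusds.jose.jwk.source.JWKSource;
    import com.nimbusds.jose.jwk.source.RemoteJWKSet;
    import com.nimbusds.jose.proc.JWSKeySelector;
    import com.nimbusds.jose.proc.JWSVerificationKeySelector;
    import com.nimbusds.jose.proc.SecurityContext;
    import com.nimbusds.jose.util.DefaultResourceRetriever;
    import com.nimbusds.jwt.JWTClaimsSet;
    import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
    import com.nimbusds.jwt.proc.DefaultJWTProcessor;

    public void validateToken(String jwkurl, String token) {
        try {
            ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
            // A new RemoteJWKSet is constructed on every call to this method.
            JWKSource keySource = new RemoteJWKSet(new URL(jwkurl), new DefaultResourceRetriever());
            // Only RS256-signed tokens are accepted.
            JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
            JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);
            jwtProcessor.setJWSKeySelector(keySelector);
            SecurityContext ctx = null; // no security context is used
            // Verifies the signature against the remote keys and parses the claims.
            JWTClaimsSet claimsSet = jwtProcessor.process(token, ctx);
            System.out.println("the claimset is....." + claimsSet.getIssuer());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }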

When we call this method, we will pass the token and a different URL. We only need to create one generic method where people can pass a token and a URL. So we will call:

classname.validateToken("www.key.com","token1")

classname.validateToken("www.sss.com","token2")

Every time we call the method validateToken, this will call new RemoteJWKSet, and this will end up calling the URL, and the end result is that there is no cache. I am not sure how the cache works here. Could you please explain? Does this mean that we have to create a different key source for each URL, put it in our own cache, and get the key source reference from the cache whenever we call?

thanks for the help
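
The approach the question proposes, as an added example (not part of the original issue and not the project's own code): each RemoteJWKSet instance holds its own copy of the retrieved key set, so keeping one processor per JWKS URL lets repeated validations reuse the keys already fetched. The class name CachingTokenValidator and the allow-list of trusted JWKS URLs are assumptions added here; the code assumes a library version with generic types and Java 10 or later.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

// Hypothetical helper class, added for illustration.
public final class CachingTokenValidator {

    // Assumption: only JWKS endpoints the application already trusts may be used,
    // so a caller cannot point verification at keys of its own choosing.
    private final Set<String> trustedJwksUrls;

    // One processor, and therefore one RemoteJWKSet, per JWKS URL.
    private final Map<String, ConfigurableJWTProcessor<SecurityContext>> processors =
            new ConcurrentHashMap<>();

    public CachingTokenValidator(Set<String> trustedJwksUrls) {
        this.trustedJwksUrls = Set.copyOf(trustedJwksUrls);
    }

    public JWTClaimsSet validateToken(String jwksUrl, String token) throws Exception {
        if (!trustedJwksUrls.contains(jwksUrl)) {
            throw new IllegalArgumentException("Untrusted JWKS URL: " + jwksUrl);
        }
        // The processor is built on first use of a URL and reused afterwards.
        return processors.computeIfAbsent(jwksUrl, CachingTokenValidator::newProcessor)
                .process(token, null);
    }

    private static ConfigurableJWTProcessor<SecurityContext> newProcessor(String jwksUrl) {
        try {
            JWKSource<SecurityContext> keys = new RemoteJWKSet<SecurityContext>(
                    new URL(jwksUrl), new DefaultResourceRetriever());
            ConfigurableJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<SecurityContext>();
            p.setJWSKeySelector(new JWSVerificationKeySelector<SecurityContext>(JWSAlgorithm.RS256, keys));
            return p;
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("Bad JWKS URL: " + jwksUrl, e);
        }
    }
}
```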
