Requests fail when the JWK set retrieve-resource call to jwkSetURL fails

Issue #348 resolved
Sarvesh Sharma created an issue

We are currently working with the nimbus-jose-jwt 7.8 jar version.

As per the DefaultJWKSetCache and RemoteJWKSet implementations:

The JWK set is by default cached for a lifespan of 5 minutes:

/**
 * Creates a new JWK set, the default lifespan of the cached JWK set is
 * set to 5 minutes.
 */
public DefaultJWKSetCache() {

   this(DEFAULT_LIFESPAN_MINUTES, TimeUnit.MINUTES);
}

After 5 minutes, the jwkSet, i.e. the cache, is cleared:

@Override
public JWKSet get() {

   if (isExpired()) {
      jwkSet = null; // clear
   }

   return jwkSet;
}

Once the cache is cleared, fresh JWK set information is fetched by making a call to the JWKS endpoint:

Inside RemoteJWKSet, if the cache is empty, the latest JWKS is fetched by retrieving the resource from jwkSetURL.

JWKSet jwkSet = jwkSetCache.get();
if (jwkSet == null) {
   jwkSet = updateJWKSetFromURL();
}

Now, if for some reason the jwkSetURL endpoint throws an error/exception, the cache will not be populated again and token validation fails even though in this case the token is valid.

We think the way it should be implemented is:

The cache should not be cleared before retrieving the fresh JWKS information. So every 5 minutes, a fresh JWKS should be fetched by calling the jwkSetURL endpoint and, once this request is successful, the cache should be re-populated with the latest fetched information. Also, we cannot rely forever on outdated information, so there could be a mechanism with a buffer time during which we can rely on the old cached data. This would be helpful in scenarios where the JWKS endpoint service is momentarily down.

Comments (9)

  1. Sarvesh Sharma reporter

    @Yavor Vasilev , I have uploaded a change set. It might not be good coding standards, but I am looking for changes along similar lines.

    Wanted to get your quick feedback. Let me know your views.

  2. Vladimir Dzhuvinov

    Thanks for the patch, I merged it after some refactoring: f65bfa5

    Instead of introducing a second "expiration", I made that a signal "please refresh the JWK set before it's going to expire".

    Will be released as v8.10 in a few minutes.
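A sketch of the behaviour argued for in this thread (the reporter's "fetch before clearing, with a grace period" and the merged "refresh before it expires" signal), as an added example that is not the library's code: the class name, its Supplier-based fetcher and the simulated jwkSetURL outage are all constructed here, and a Set of key IDs stands in for the JWK set.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Set;
import java.util.function.Supplier;

// Refresh-ahead JWK set cache (illustration only, not the library's DefaultJWKSetCache).
// A Set of key IDs stands in for the JWK set; fetcher stands in for updateJWKSetFromURL().
final class RefreshAheadJWKSetCache {
    private final Duration lifespan;       // hard expiry, cf. DEFAULT_LIFESPAN_MINUTES
    private final Duration refreshAfter;   // soft expiry: refresh before the set expires
    private final Supplier<Set<String>> fetcher;
    private final Supplier<Instant> clock; // injected so an outage can be simulated
    private Set<String> jwkSet;
    private Instant fetchedAt;
    RefreshAheadJWKSetCache(Duration lifespan, Duration refreshAfter,
                            Supplier<Set<String>> fetcher, Supplier<Instant> clock) {
        this.lifespan = lifespan; this.refreshAfter = refreshAfter; this.fetcher = fetcher; this.clock = clock;
    }
    // Returns the cached or freshly fetched set, or null once a stale set has outlived lifespan.
    synchronized Set<String> get() {
        Instant now = clock.get();
        boolean hardExpired = jwkSet == null || now.isAfter(fetchedAt.plus(lifespan));
        boolean softExpired = jwkSet == null || now.isAfter(fetchedAt.plus(refreshAfter));
        if (softExpired) {
            try {
                jwkSet = fetcher.get(); // fetch first ...
                fetchedAt = now;        // ... and replace the cached set only on success
            } catch (RuntimeException e) {
                if (hardExpired) jwkSet = null; // past lifespan: drop it; otherwise keep serving the stale set
            }
        }
        return jwkSet;
    }
    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2020-01-01T00:00:00Z") };
        boolean[] endpointUp = { true };
        Supplier<Set<String>> jwksEndpoint = () -> {             // constructed stand-in for jwkSetURL
            if (!endpointUp[0]) throw new IllegalStateException("jwkSetURL unreachable");
            return Set.of("kid-1");
        };
        var cache = new RefreshAheadJWKSetCache(Duration.ofMinutes(5), Duration.ofMinutes(3),
                                                jwksEndpoint, () -> now[0]);
        System.out.println("t=0m, endpoint up:   " + cache.get());
        endpointUp[0] = false;
        now[0] = now[0].plus(Duration.ofMinutes(4));
        System.out.println("t=4m, endpoint down: " + cache.get()); // within lifespan: stale set served
        now[0] = now[0].plus(Duration.ofMinutes(2));
        System.out.println("t=6m, endpoint down: " + cache.get()); // lifespan exceeded: nothing served
    }
}
```

The second call shows the grace period the reporter asked for: the failed fetch at 4 minutes does not empty the cache, so tokens signed with kid-1 still validate, while the third call shows that the fallback is bounded by the original 5-minute lifespan.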