Requests are failed when JWK set retrieve resource call to jwkSetURL fails
We are currently working with the nimbus-jose-jwt-7.8 jar version.
As per the DefaultJWKSetCache and RemoteJWKSet implementation:
JWK set is by default cached for lifespan of 5 minutes:
    /**
     * Creates a new JWK set, the default lifespan of the cached JWK set is
     * set to 5 minutes.
     */
    public DefaultJWKSetCache() {
        this(DEFAULT_LIFESPAN_MINUTES, TimeUnit.MINUTES);
    }
After 5 minutes, the jwkSet, i.e. the cache, is cleared:
    @Override
    public JWKSet get() {
        if (isExpired()) {
            jwkSet = null; // clear
        }
        return jwkSet;
    }
Once the cache is cleared, the fresh JWK set information is fetched by making a call to the JWKS endpoint:
Inside RemoteJWKSet, if the cache is empty, the latest JWKS is fetched by retrieving the resource from jwkSetURL.
    JWKSet jwkSet = jwkSetCache.get();
    if (jwkSet == null) {
        jwkSet = updateJWKSetFromURL();
    }
Now, if for some reason the jwkSetURL endpoint throws an error/exception, the cache will not be populated again and token validation fails even though in this case the token is valid.
We think the way it should be implemented is:
The cache should not be cleared before retrieving the fresh JWKS information. So every 5 minutes, a fresh JWKS should be fetched by calling the jwkSetURL endpoint and, once this request is successful, the cache should be re-populated with the latest fetched information. Also, we cannot forever rely on the outdated information, so there could be a mechanism with a buffer time for which we can rely on old cached data. This would be helpful in scenarios where the JWKS endpoint service is momentarily down.
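To make the proposed behaviour concrete, here is an added example in plain Java; it is neither the reporter's patch nor nimbus-jose-jwt code. It models a refresh-ahead JWK set cache: the stored set is replaced only after a successful fetch, a failed fetch keeps serving the previous set up to a maximum staleness, and beyond that limit requests fail exactly as they would with an empty cache. All class and interface names (StaleTolerantJwkSetCache, JwkSetModel, JwkSetFetcher, JwkSetRetrievalException), the 30-minute maxStale value, the timestamps and the key ID are assumptions made for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Hypothetical stand-in for a parsed JWK set (only key IDs, no real keys). */
final class JwkSetModel {
    private final List<String> keyIds;

    JwkSetModel(List<String> keyIds) {
        this.keyIds = Collections.unmodifiableList(keyIds);
    }

    List<String> keyIds() {
        return keyIds;
    }
}

/** Hypothetical exception for an unreachable JWKS endpoint or an unparseable response. */
final class JwkSetRetrievalException extends Exception {
    JwkSetRetrievalException(String message) {
        super(message);
    }
}

/** Hypothetical source of JWK sets (in real code an HTTP GET of jwkSetURL), modelled so it can fail on demand. */
interface JwkSetFetcher {
    JwkSetModel fetch() throws JwkSetRetrievalException;
}

/**
 * Hypothetical refresh-ahead cache. The stored set is only replaced after a
 * successful fetch; a failed refresh keeps serving the previous set until it
 * is older than maxStale, after which requests fail as with an empty cache.
 */
final class StaleTolerantJwkSetCache {
    private final Duration refreshAfter; // age at which a refresh is attempted
    private final Duration maxStale;     // age beyond which the old set is no longer trusted
    private JwkSetModel jwkSet;          // null until the first successful fetch
    private Instant fetchedAt;

    StaleTolerantJwkSetCache(Duration refreshAfter, Duration maxStale) {
        if (maxStale.compareTo(refreshAfter) < 0) {
            throw new IllegalArgumentException("maxStale must be >= refreshAfter");
        }
        this.refreshAfter = refreshAfter;
        this.maxStale = maxStale;
    }

    /** Returns a usable JWK set at time `now`, or throws if none can be trusted. */
    synchronized JwkSetModel get(Instant now, JwkSetFetcher fetcher) throws JwkSetRetrievalException {
        boolean haveSet = jwkSet != null;
        boolean dueForRefresh = !haveSet || !now.isBefore(fetchedAt.plus(refreshAfter));
        if (dueForRefresh) {
            try {
                JwkSetModel fresh = fetcher.fetch();
                jwkSet = fresh;      // overwrite only on success, never clear first
                fetchedAt = now;
            } catch (JwkSetRetrievalException e) {
                boolean tooStale = !haveSet || now.isAfter(fetchedAt.plus(maxStale));
                if (tooStale) {
                    throw e;         // nothing trustworthy to fall back on
                }
                // otherwise fall through and serve the stale but still acceptable set
            }
        }
        return jwkSet;
    }
}

public class JwkSetCacheDemo {
    public static void main(String[] args) throws Exception {
        Instant t0 = Instant.parse("2020-03-11T10:00:00Z"); // constructed timestamp
        StaleTolerantJwkSetCache cache =
                new StaleTolerantJwkSetCache(Duration.ofMinutes(5), Duration.ofMinutes(30));

        JwkSetFetcher working = () -> new JwkSetModel(Arrays.asList("key-2020-03")); // constructed kid
        JwkSetFetcher broken = () -> {
            throw new JwkSetRetrievalException("503 from jwkSetURL"); // simulated outage
        };

        // First request: cache empty, endpoint up -> set is fetched and stored.
        System.out.println("t0:     " + cache.get(t0, working).keyIds());
        // Six minutes later: refresh is due, endpoint down -> old set is still served.
        System.out.println("t0+6m:  " + cache.get(t0.plus(Duration.ofMinutes(6)), broken).keyIds());
        // Thirty-one minutes later: still down, set older than maxStale -> request fails.
        try {
            cache.get(t0.plus(Duration.ofMinutes(31)), broken);
        } catch (JwkSetRetrievalException e) {
            System.out.println("t0+31m: request fails, cached set older than maxStale: " + e.getMessage());
        }
    }
}
```

The two durations map onto the report's wording: refreshAfter is the existing 5-minute lifespan turned into a "try to refresh" signal, and maxStale is the proposed buffer during which old data is still acceptable. Serving a stale set is a deliberate trade-off, so the buffer should be kept short enough that a key rotated (or revoked) at the issuer is not honoured for longer than the deployment can tolerate.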
Comments (9)
-
Thank you Sarvesh for this super detailed report.
Would you be able to submit a PR?
-
Yes, a diff patch / PR with a test would be nice!
-
reporter: Sure Yavor.
-
reporter: attached Nimbus-JOSE-JWT-Issue-348_v1.patch
PR v1
-
reporter: @Yavor Vasilev, I have uploaded a change set. Might not be good coding standards but looking for changes on similar lines.
Wanted to get your quick feedback. Let me know your views.
-
Thanks! @Vladimir Dzhuvinov
-
changed status to resolved
Thanks for the patch, I merged it after some refactoring: f65bfa5
Instead of introducing a second "expiration", I made that a signal "please refresh the JWK set before it's going to expire".
Will be released as v8.10 in a few minutes.
-
Ta-da: https://twitter.com/connect2id/status/1237724014644248581
Happy coding everyone!
-
reporter: Thanks @Vladimir Dzhuvinov !!