increase RemoteJWKSet timeout default from 500 millisec to 5 sec or so

Issue #453 resolved
ZhelyazkoZ created an issue

springboot is using default constructor of RemoteJWKSet in org.springframework.security.oauth2.jwt.JwtDecoders class
Using the default of 500 millisec sometimes throws Read timeout and even connect timeout - having a half a sec read timeout does not seem reasonable - you could put something in seconds like 2 or 5 sec - if the connection can be established faster it is ok, but if it can't, at least it will not crash the springboot application at startup - there are some ways to override springboot classes and create RemoteJWKSet using other defaults, but this will require each time (for each springboot project) creating such custom classes that are more springboot system specific instead of providing some meaningful defaults for all clients of this lib

Comments (6)

  1. ZhelyazkoZ reporter

    To give some more info - my connection is 40Mb download, 11 MB upload and 4ms latency. Trying to connect to OKTA (okta.com) oauth2 provider - so it is not so slow an internet connection, but it could also be related to how okta handles the request, as I'm using the free account that has some limit on requests per min (100 requests per min I think), so OKTA could throttle things on their side, but all clients of this lib will benefit if the defaults are increased because of issues like network speed/throttle issues

  2. ZhelyazkoZ reporter

    The other option would be to provide System properties that will override those default values when creating RemoteJWKSet class

  3. Vladimir Dzhuvinov
    • changed status to open

    You’re right, some of the Spring integrations don’t allow timeouts to be overridden which can be a pain.

    I'll consider increasing the default timeout. The property also sounds like a good idea, although one has to be aware that it will impact all default RemoteJWKSets in an application if used, and this may occur.

    Which is the version used?

  4. ZhelyazkoZ reporter

    version 9.10:

    [INFO] |  +- org.springframework.security:spring-security-oauth2-jose:jar:5.5.1:compile
    [INFO] |  |  +- org.springframework.security:spring-security-oauth2-core:jar:5.5.1:compile
    [INFO] |  |  \- com.nimbusds:nimbus-jose-jwt:jar:9.10:compile

  5. Brannon Smith

    I second this. I had to fork the Nimbus lib to build a custom jar just to extend the timeout for use with our Azure AD. Configuration via system properties would be extremely helpful!

  6. Vladimir Dzhuvinov

    Implemented in commit fe41488 / for release in version 9.16.

    We now have these system props to override the RemoteJWKSet defaults:

    com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpConnectTimeout
    com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpReadTimeout
    com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpSizeLimit
    
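    The two ways of bounding the JWKS fetch that this thread discusses, written out as an added example (not code from the issue or from the nimbus-jose-jwt project itself): passing a DefaultResourceRetriever with explicit limits to the RemoteJWKSet constructor, and, for the case where the RemoteJWKSet is created by code you do not control (the Spring JwtDecoders path from the issue), setting the three system properties listed above. The JWKS URL is a constructed placeholder; the 5 s figure is the one proposed in the issue; that the property values are integers in milliseconds and bytes, and that they must be set before the RemoteJWKSet class is first loaded, are assumptions about versions 9.16 and later.

```java
import java.net.MalformedURLException;
import java.net.URL;

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;

/**
 * Builds a RemoteJWKSet whose HTTP limits are chosen explicitly instead of
 * relying on the library defaults of 500 ms connect / 500 ms read that this
 * issue is about. Bounded timeouts keep a slow or throttled provider from
 * hanging application startup; the size limit keeps a misbehaving endpoint
 * from making the client buffer an arbitrarily large JWKS document.
 */
public final class JwksTimeoutExample {

    // Constructed placeholder: substitute the identity provider's real JWKS URL.
    static final String JWKS_URL = "https://issuer.example.com/oauth2/v1/keys";

    // Assumed units: milliseconds for the timeouts, bytes for the size limit.
    static final int CONNECT_TIMEOUT_MS = 5_000;   // 5 s, as proposed in the issue
    static final int READ_TIMEOUT_MS = 5_000;      // 5 s, as proposed in the issue
    static final int SIZE_LIMIT_BYTES = 50 * 1024; // keep an upper bound on the JWKS body

    /** Option 1: explicit limits via the constructor that accepts a ResourceRetriever. */
    static JWKSource<SecurityContext> withExplicitLimits() throws MalformedURLException {
        DefaultResourceRetriever retriever =
            new DefaultResourceRetriever(CONNECT_TIMEOUT_MS, READ_TIMEOUT_MS, SIZE_LIMIT_BYTES);
        return new RemoteJWKSet<>(new URL(JWKS_URL), retriever);
    }

    /**
     * Option 2: override the defaults used by the no-retriever constructor.
     * Assumed to be read when RemoteJWKSet is loaded, so this must run (or the
     * equivalent -D flags must be on the JVM command line) before any
     * RemoteJWKSet is created:
     *   -Dcom.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpConnectTimeout=5000
     *   -Dcom.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpReadTimeout=5000
     *   -Dcom.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpSizeLimit=51200
     */
    static void setDefaultsViaSystemProperties() {
        System.setProperty("com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpConnectTimeout",
            Integer.toString(CONNECT_TIMEOUT_MS));
        System.setProperty("com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpReadTimeout",
            Integer.toString(READ_TIMEOUT_MS));
        System.setProperty("com.nimbusds.jose.jwk.source.RemoteJWKSet.defaultHttpSizeLimit",
            Integer.toString(SIZE_LIMIT_BYTES));
    }

    public static void main(String[] args) throws MalformedURLException {
        // Set the process-wide defaults first, then build one source with explicit limits.
        setDefaultsViaSystemProperties();
        JWKSource<SecurityContext> source = withExplicitLimits();
        System.out.println("JWKS source configured for " + JWKS_URL + ": " + source);
    }
}
```

    As the maintainer notes above, the system properties change every default-constructed RemoteJWKSet in the JVM, so prefer the explicit retriever where you control the construction and reserve the properties for frameworks that do not expose it.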