Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use cache when JWKS provider is down #826

Closed
zilinjak opened this issue Aug 28, 2024 · 8 comments
Closed

Use cache when JWKS provider is down #826

zilinjak opened this issue Aug 28, 2024 · 8 comments

Comments

@zilinjak
Copy link

Hey,
We are building an app that validated requests, we are using JWKS over HTTP. The problem here is:

  1. App starts
  2. Download keys from JWKS over HTTP
  3. The cache of JWKS is out of date
  4. Tries to get JWKS over HTTP
  5. The JWKS endpoint is down
  6. This means that the smallrye-jwt should try to use old keys from cache, but it ends with an error instead.

Can we make sure that the old keys will be used in case that the keys from OIDC endpoint can't be loaded ?
@sberyozkin
Copy link
Contributor

sberyozkin commented Aug 28, 2024
edited
Loading

Hi @zilinjak
Is it an exception thrown directly from the Jose4j code itself due to its internal refresh call failing ? Would it be better just to disable this refresh and instead rely on smallrye-jwt refreshing only when it can't find a matching key ?

@sberyozkin
Copy link
Contributor

Hi @zilinjak

So, we need to have a new property to do:

https://bitbucket.org/b_c/jose4j/src/756257eb92352600d5dde08c2b8ed25db13a8952/src/main/java/org/jose4j/jwk/HttpsJwks.java#lines-93

Would be interested to open a PR ?

@sberyozkin
Copy link
Contributor

We have jwksRefreshInterval here. So another property like jwksCacheRetainOnErrorDuration, default 0, I guess also in mins, should be added, and then propagated via JWTAuthContextInfo to be set here

@sberyozkin
Copy link
Contributor

sberyozkin commented Aug 28, 2024
edited
Loading

Or even lets call it jwksRetainOnErrorDuration since jwksRefreshInterval does not have Cache in its name, it is implied, ut can be clarified in the property description

@The-Funk
Copy link

@sberyozkin I'm just now seeing this. I use smallrye-jwt from Quarkus and have noticed this runtime issue when configuring the extension according to the Quarkus docs. I have a separate issue opened a few down from this one if you want to close one of them out as duplicate.

I'd be interested to help with this but don't know if I'd have the time to learn the codebase.

@jindrichpilar-kosik
Copy link

jindrichpilar-kosik commented Oct 31, 2024
edited
Loading

@The-Funk Are you referring to #779? It seems like that one is about the first request and retry. That does not seem like a duplicate of this one.

This issue is about long running app and reloading cache content. When this fails we suggest a grace period and use the expired cache. Of course retry would be great too, but is not a replacement.

@sberyozkin
Copy link
Contributor

sberyozkin commented Nov 14, 2024
edited
Loading

@The-Funk Sure, I don't mind fixing it myself, it is just that a lot is happening right now, so I haven't had time yet. I'll fix it, but if you are interested to start contributing, the fix suggested at #826 (comment) above is the most easiest way to start, give it a try if you'd like and I can help along the way... otherwise I'll fix it probably next week

@luneo7 luneo7 mentioned this issue Nov 15, 2024
Merged
@sberyozkin
Copy link
Contributor

Fixed by #840

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sberyozkin @The-Funk @zilinjak @jindrichpilar-kosik