Closed
Labels: bug (An issue reporting a potential bug)
The keyCache value in jwks policy is a required value. This requirement is not being enforced.
When keyCache is omitted, it removes all the caching pieces for jwks_uri.
This is what the .conf looks like when keyCache is omitted (removing all caching):

```nginx
auth_jwt "MyProductAPI" token=$http_token;
auth_jwt_key_request /_jwks_uri_server;
location = /_jwks_uri_server {
    internal;
    proxy_method GET;
    proxy_set_header Content-Length "";
    proxy_set_header Host login.microsoftonline.com;
    set $idp_backend login.microsoftonline.com;
    proxy_pass https://$idp_backend/<removed>/discovery/v2.0/keys;
}
```
Here is the policy used for the above .conf output:

```yaml
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: jwt-policy
spec:
  jwt:
    realm: MyProductAPI
    token: $http_token
    jwksURI: https://login.microsoftonline.com/<removed>/discovery/v2.0/keys
```
Here is the expected .conf output we want to ensure caching of the JWT public keys:

```nginx
auth_jwt "MyProductAPI" token=$http_token;
auth_jwt_key_cache 1h;
auth_jwt_key_request /_jwks_uri_server;
location = /_jwks_uri_server {
    internal;
    proxy_method GET;
    proxy_set_header Content-Length "";
    proxy_cache jwks_uri;
    proxy_cache_valid 200 12h;
    proxy_set_header Host login.microsoftonline.com;
    set $idp_backend login.microsoftonline.com;
    proxy_pass https://$idp_backend/<removed>/discovery/v2.0/keys;
}
```
Here is the policy that has been configured for the above .conf output:

```yaml
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: jwt-policy
spec:
  jwt:
    realm: MyProductAPI
    token: $http_token
    jwksURI: https://login.microsoftonline.com/<removed>/discovery/v2.0/keys
    keyCache: 1h
```
### Tasks
- [x] Design tests to capture invalid and valid inputs
- [x] Implement correct validation logic based on the rules in NIC docs
- [x] verify if python tests need to be updated
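
The validation rule this issue asks for, as an added Go example that is not the project's own code. `JWTAuth`, `ValidateJWT` and the `nginxTime` pattern are hypothetical names, and the pattern is a simplified assumption about NGINX time syntax.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// JWTAuth is a hypothetical, reduced stand-in for the spec.jwt block above.
type JWTAuth struct {
	Realm, Token, JwksURI, KeyCache string
}

// nginxTime is a simplified assumption about NGINX time values: "1h", "30m", "1h 30m".
var nginxTime = regexp.MustCompile(`^\d+(ms|[smhdwMy])?(\s+\d+(ms|[smhdwMy])?)*$`)

// ValidateJWT rejects a jwksURI policy whose keyCache is missing or malformed,
// so a config without auth_jwt_key_cache / proxy_cache is never generated.
func ValidateJWT(j JWTAuth) error {
	if j.JwksURI == "" {
		return nil // no remote JWKS; other key sources are out of scope here
	}
	if j.KeyCache == "" {
		return errors.New("spec.jwt.keyCache: required when jwksURI is set")
	}
	if !nginxTime.MatchString(j.KeyCache) {
		return fmt.Errorf("spec.jwt.keyCache: %q is not a valid time value", j.KeyCache)
	}
	return nil
}

func main() {
	// Constructed inputs: the two policies from the issue plus a malformed value.
	uri := "https://login.microsoftonline.com/<removed>/discovery/v2.0/keys"
	cases := []JWTAuth{
		{Realm: "MyProductAPI", Token: "$http_token", JwksURI: uri},
		{Realm: "MyProductAPI", Token: "$http_token", JwksURI: uri, KeyCache: "1h"},
		{Realm: "MyProductAPI", Token: "$http_token", JwksURI: uri, KeyCache: "soon"},
	}
	for _, c := range cases {
		fmt.Printf("keyCache=%q -> %v\n", c.KeyCache, ValidateJWT(c))
	}
}
```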