NimbusJwtDecoderJwkSupport should proactively invalidate JWK cache #5853

Closed
@jzheaux

Description

Summary

NimbusJwtDecoderJwkSupport's JWK cache is only reset when an unrecognized key is part of an incoming JWT.

However, this doesn't account for the case when a key is invalidated by the provider, but no new key is issued.

Actual Behavior

If an existing key is removed from the provider's JWK set, but no new keys are issued, then this JwtDecoder will maintain its cache, potentially admitting JWTs with the invalid key.

Expected Behavior

The Jwt Decoder should refresh its cache actively on a regular basis (e.g. daily) in addition to reacting to unrecognized keys.

Note that this expected behavior could be provided by this Nimbus ticket.

Version

5.1.0.BUILD-SNAPSHOT, 5.0.8
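To make the reported gap concrete, the following is an added Python simulation (not Spring Security or Nimbus code) of a kid-keyed JWK cache: with only reactive refresh on an unrecognized kid, a key the provider has revoked keeps being accepted, while a TTL-based proactive refresh closes that window. The provider, clock and kid values are constructed for the example; signature verification itself is out of scope and only key recognition is modelled.

```python
import time


class FakeProvider:
    """Constructed stand-in for an authorization server's JWK set endpoint."""

    def __init__(self, kids):
        self.kids = set(kids)
        self.fetches = 0  # counts round trips to the JWK set endpoint

    def jwks(self):
        self.fetches += 1
        return set(self.kids)


class JwkCache:
    """kid-based cache of the provider's JWK set.

    ttl=None reproduces the behaviour described in the issue: the cache is
    refreshed only when a JWT carries a kid that is not cached. A finite ttl
    (seconds) adds the proactive, time-based refresh the issue asks for.
    """

    def __init__(self, provider, ttl=None, clock=time.monotonic):
        self.provider, self.ttl, self.clock = provider, ttl, clock
        self.keys = provider.jwks()
        self.fetched_at = clock()

    def accepts(self, kid):
        """Return True if a token's kid resolves to a currently cached key."""
        stale = self.ttl is not None and self.clock() - self.fetched_at >= self.ttl
        if stale or kid not in self.keys:
            self.keys = self.provider.jwks()  # proactive or reactive refresh
            self.fetched_at = self.clock()
        return kid in self.keys


def simulate(ttl):
    """Provider revokes key 'k1' without issuing a replacement; a token signed
    with k1 arrives two hours later. Returns (accepted, provider fetches)."""
    now = [0.0]
    clock = lambda: now[0]  # controllable clock so the run is deterministic
    provider = FakeProvider({"k1", "k2"})
    cache = JwkCache(provider, ttl=ttl, clock=clock)
    provider.kids.discard("k1")  # key invalidated at the provider, no new key
    now[0] += 2 * 3600  # two hours pass with no unrecognized kid arriving
    return cache.accepts("k1"), provider.fetches
```

With `ttl=None` the revoked key is still accepted and the JWK set is never re-fetched; with `ttl=3600` the stale cache is refreshed before the lookup and the revoked kid is rejected.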

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)