Azure AD B2C has an OpenID Connect metadata endpoint, which allows an application to fetch information at runtime. This endpoint has information about the token signing keys, token contents and endpoints. I need to query this endpoint to get the jwk_uris. The jwk_uri has the URI for the keys used to sign the JWT. I need to cache these keys for no more than 24 hours. Can anyone suggest how I can do this in Spring? Is there any API which supports this?
0
- Have you tried anything so far? – UditS Apr 28 '16 at 11:56
- I am still doing my research but I haven't found anything which I can use for caching. I referred to [link](https://bitbucket.org/b_c/jose4j/wiki/Home). I also found [link](http://www.programcreek.com/java-api-examples/index.php?source_dir=identity-providers-examples-master/OpenID-Connect-MITREid-Java-Spring-Server/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java) but not sure if I should use it – Shiv Apr 28 '16 at 12:48
- org.jose4j.jwk.HttpsJwks does caching. So I think I can use jose4j for my problem? But I did not get any detailed documentation about HttpsJwks. Can anyone help me on this? – Shiv May 01 '16 at 12:02
2 Answers
1
HttpsJwks will cache keys for a time period based on the cache directive headers of the HTTP response, or on setDefaultCacheDuration(long defaultCacheDuration) if the cache directive headers of the response are not present or indicate that the content should not be cached.

An HttpsJwks object can be used in conjunction with a JwtConsumer/JwtConsumerBuilder and HttpsJwksVerificationKeyResolver, which will also make a fresh call to the jwk_uri and reestablish the cache if it encounters a kid (Key ID) in the JWT that isn't in the cached set of keys.

Brian Campbell
- Thanks for the reply. I am using two-pass JWT consumption and passing the verification key using new HttpsJwksVerificationKeyResolver(httpsJkws); I am able to process the claims but I am having a confusion about validating the signature. Do I need to do more to validate the signature, or does HttpsJwksVerificationKeyResolver internally validate the signature as well? – Shiv May 03 '16 at 11:40
- I am confused between validating claims and validating the signature. Are these both handled by HttpsJwksVerificationKeyResolver? – Shiv May 03 '16 at 13:13
- The JwtConsumer class does both validating of claims and validating of the signature (depending, of course, on how it's created using the JwtConsumerBuilder). The HttpsJwksVerificationKeyResolver finds the appropriate key, looking at the headers of the JWT, from the JWKs at the jwk_uri and provides it to the JwtConsumer, which uses the key to verify the signature. If the signature is valid, then the claims are checked. Using two-pass JWT consumption, all that validation happens on the second pass. Also note that you'll need to reuse HttpsJwks instance(s) to get the caching benefit. – Brian Campbell May 03 '16 at 21:48
- Thanks a lot for the clarification. Yes, I am reusing the HttpsJwks instance for the caching benefit. – Shiv May 05 '16 at 11:45
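Putting the answer and its comment thread together, here is an added example (not code from the answer, the asker, or the jose4j project) of two-pass consumption with one reused HttpsJwks per issuer, so the key cache survives across requests and is bounded to 24 hours. It assumes a recent jose4j release (AlgorithmConstraints.ConstraintType.PERMIT); the class name B2cTokenValidator, the issuer and jwks_uri values, and the audience are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/**
 * Two-pass JWT validation with a cached HttpsJwks per trusted issuer.
 * (Added example; issuer/jwks_uri/audience values are constructed placeholders.)
 */
public class B2cTokenValidator {

    private static final long ONE_DAY_SECONDS = 24 * 60 * 60;

    // One HttpsJwks per issuer, built once and reused: the key cache lives inside the instance,
    // so creating a new HttpsJwks per request would defeat caching entirely.
    private final Map<String, HttpsJwks> jwksByIssuer = new HashMap<>();
    private final String expectedAudience;

    public B2cTokenValidator(Map<String, String> jwksUriByIssuer, String expectedAudience) {
        this.expectedAudience = expectedAudience;
        jwksUriByIssuer.forEach((issuer, jwksUri) -> {
            HttpsJwks jwks = new HttpsJwks(jwksUri);
            // Used only when the JWKS response has no usable Cache-Control header; value is in seconds.
            jwks.setDefaultCacheDuration(ONE_DAY_SECONDS);
            jwksByIssuer.put(issuer, jwks);
        });
    }

    public JwtClaims validate(String jwt) throws InvalidJwtException, MalformedClaimException {
        // First pass: parse only. No signature check and no claim validation yet; its sole job is
        // to read the "iss" claim so the right key set can be selected.
        JwtConsumer firstPass = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build();
        JwtContext context = firstPass.process(jwt);
        String issuer = context.getJwtClaims().getIssuer();

        // The issuer read from the (still unverified) token is only used as a lookup into a fixed
        // allow-list; an unknown issuer is rejected before any network call is made.
        HttpsJwks jwks = jwksByIssuer.get(issuer);
        if (jwks == null) {
            throw new IllegalArgumentException("token issuer is not trusted: " + issuer);
        }

        // Second pass: the resolver picks the key by the JWT's "kid" header from the cached set
        // (refetching once if the kid is unknown), the signature is verified, then claims are checked.
        JwtConsumer secondPass = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setRequireSubject()
                .setAllowedClockSkewInSeconds(30)
                .setExpectedIssuer(issuer)
                .setExpectedAudience(expectedAudience)
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                .build();
        secondPass.processContext(context);
        return context.getJwtClaims();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; replace with the issuer and jwks_uri from your
        // B2C policy's OpenID Connect metadata document.
        Map<String, String> trusted = new HashMap<>();
        trusted.put("https://login.example/tenant/v2.0/", "https://login.example/tenant/discovery/keys");
        B2cTokenValidator validator = new B2cTokenValidator(trusted, "my-client-id");
        JwtClaims claims = validator.validate(args[0]);
        System.out.println("subject: " + claims.getSubject());
    }
}
```

The algorithm constraint matters as much as the cache: without it, a consumer that accepts whatever "alg" the token header declares is wider than it needs to be. Keep the validator (and therefore each HttpsJwks) as a singleton in your Spring context so the cache is shared.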
0
A possible solution using spring framework would be to combine the scheduler and the cache:
- Use spring cache to cache the jwks key retrieval service
- Use spring task scheduler to evict the key each 24 hours

Eugenio Cuevas
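The two bullets of this answer, worked into an added example that is not the answer's own code: Spring's cache abstraction holds the parsed key set per metadata URL, and a scheduled job clears the cache once a day. It assumes Spring Framework with the web and scheduling modules plus jose4j for parsing the JWK Set; the class names, the cache name and the metadata URL are my own placeholders. The discovery document field that carries the key location is named jwks_uri.

```java
import java.util.List;
import java.util.Map;

import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.lang.JoseException;
import org.springframework.cache.CacheManager;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.cache.annotation.EnableCaching;
import org.springframework.cache.concurrent.ConcurrentMapCacheManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;

// Added example; names below are placeholders, not part of the answer.
@Configuration
@EnableCaching
@EnableScheduling
class JwksCacheConfig {
    static final String JWKS_CACHE = "jwks";

    @Bean
    CacheManager cacheManager() {
        // In-memory cache with no TTL of its own; the 24-hour bound comes from the evictor below.
        return new ConcurrentMapCacheManager(JWKS_CACHE);
    }
}

@Service
class JwksService {
    private final RestTemplate rest = new RestTemplate();

    // Cached per metadata URL (the single argument is the default cache key). Only the first call
    // for a URL hits the network until the cache is cleared.
    @Cacheable(JwksCacheConfig.JWKS_CACHE)
    public List<JsonWebKey> loadSigningKeys(String metadataUrl) throws JoseException {
        // Step 1: OpenID Connect discovery document -> jwks_uri
        Map<?, ?> metadata = rest.getForObject(metadataUrl, Map.class);
        String jwksUri = (String) metadata.get("jwks_uri");
        // Step 2: fetch the JWK Set and parse it into verification keys
        String jwksJson = rest.getForObject(jwksUri, String.class);
        return new JsonWebKeySet(jwksJson).getJsonWebKeys();
    }
}

@Component
class JwksCacheEvictor {
    private static final long ONE_DAY_MILLIS = 24L * 60 * 60 * 1000;
    private final CacheManager cacheManager;

    JwksCacheEvictor(CacheManager cacheManager) {
        this.cacheManager = cacheManager;
    }

    // Clears every cached key set once a day, so no key is served from cache for more than 24 hours.
    // Clearing through the CacheManager directly avoids the self-invocation pitfall of putting
    // @CacheEvict on the same bean as the @Cacheable method.
    @Scheduled(fixedRate = ONE_DAY_MILLIS)
    public void evict() {
        cacheManager.getCache(JwksCacheConfig.JWKS_CACHE).clear();
    }
}
```

The keys returned by loadSigningKeys can be handed to a jose4j JwksVerificationKeyResolver, or to whatever JWT library you use. One caveat a practitioner should weigh: a scheduled eviction only guarantees freshness every 24 hours, so a key rotated in between produces signature failures for tokens carrying the new kid until the next eviction. If that matters, clear the cache on a kid miss (and rate-limit such refreshes), or use the HttpsJwks approach from the other answer, which does that for you.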