0

I use a local JSON file (no HTTP(S) URL) which contains the keys as described in the Quarkus guide:

I can use one of the following application properties:

  • smallrye.jwt.verify.key.location
  • mp.jwt.verify.publickey.location

The problem is that the content seems to be cached and never updated. Any modification to the file does not affect the service.

Is there any configuration property or mechanism to update/refresh the information in Quarkus?

Timz

2 Answers

0

I found one possibility, but I don't like it:

First of all I set the property quarkus.http.auth.proactive to false. In my ContainerRequestFilter (I already had one) I inject the JWTAuthContextInfo, clear there the public key content and set the public key location (if not already set). This leads to a reload of the file when parsing/validating the token.

Example code with a reload for every request:

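application.properties

```properties
quarkus.http.auth.proactive=false
```

Code

```java
// Quarkus 3 uses jakarta.*; on Quarkus 2 replace these with javax.*
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.smallrye.jwt.auth.principal.JWTParser;
import io.smallrye.jwt.auth.principal.ParseException;
import jakarta.annotation.Priority;
import jakarta.inject.Inject;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.ext.Provider;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Priority(Priorities.AUTHORIZATION)
@Provider
public class RequestFilter implements ContainerRequestFilter {

    @Inject
    JWTParser jwtParser;

    @Inject
    JWTAuthContextInfo authContextInfo;

    @Override
    public void filter(final ContainerRequestContext requestContext) {
        // readToken(...) stands in for the "read token" step elided in the original post
        final String token = readToken(requestContext);
        // Drop the cached key content so the parser re-reads the key file
        clearKeyContent();
        try {
            // Parses and validates the token against the freshly loaded keys
            final JsonWebToken jsonWebToken = jwtParser.parse(token, authContextInfo);
        } catch (final ParseException e) {
            throw new ForbiddenException("unable to parse/validate token", e);
        }
    }

    private void clearKeyContent() {
        final var location = getKeyLocation(); // Returns the value of the MP/SmallRye property
        // Only local locations need this; HTTP(S) locations are not touched here
        if (location != null && !location.startsWith("http")) {
            if (authContextInfo.getPublicKeyLocation() == null) {
                authContextInfo.setPublicKeyLocation(location);
            }
            authContextInfo.setPublicKeyContent(null);
        }
    }

}
```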
Timz
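A variant of the answer above that clears the key content only when the key file's modification time changes, instead of on every request. This is an added example, not code from the answer or from SmallRye JWT: `LocalKeyFileWatcher` and `refreshIfChanged` are hypothetical names, and it assumes the configured location is a plain filesystem path and that clearing the key content triggers a reload as the answer describes.

```java
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical helper (not part of SmallRye JWT): resets the cached key only when the file changed. */
public final class LocalKeyFileWatcher {

    private final String location; // value of the MP/SmallRye key location property
    private final Path keyFile;    // assumption: the location is a plain filesystem path
    private final AtomicReference<FileTime> lastSeen = new AtomicReference<>();

    public LocalKeyFileWatcher(final String location) {
        this.location = location;
        this.keyFile = Path.of(location);
    }

    /** Returns true if the key content was cleared, so that the next parse re-reads the file. */
    public boolean refreshIfChanged(final JWTAuthContextInfo authContextInfo) {
        final FileTime current;
        try {
            current = Files.getLastModifiedTime(keyFile);
        } catch (final IOException e) {
            // File missing or unreadable (for example mid-rotation): keep the keys already loaded.
            return false;
        }
        // getAndSet is atomic, so only one concurrent request observes the change and clears.
        final FileTime previous = lastSeen.getAndSet(current);
        if (current.equals(previous)) {
            return false; // unchanged since the last check
        }
        if (authContextInfo.getPublicKeyLocation() == null) {
            authContextInfo.setPublicKeyLocation(location);
        }
        authContextInfo.setPublicKeyContent(null);
        return true;
    }
}
```

In the filter, a single shared instance would be called as `watcher.refreshIfChanged(authContextInfo)` in place of `clearKeyContent()`. Whatever rotates the keys should write a temporary file and rename it over the old one, so a half-written key set is never read.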
0

There is a periodic refresh mechanism for public keys IF your key location points to an HTTP(S) URL. See the property "smallrye.jwt.jwks.refresh-interval" here: https://quarkus.io/guides/security-jwt#additional-smallrye-jwt-configuration.

I haven't tested it out, but the description is pretty straightforward. I, on the other hand, was looking for a way to additionally force a refresh of the keys programmatically, which is what you are doing, so I may be able to use this approach.

  • I'm aware of this. It is also the case that the information is refreshed if you provide a token with an unknown kid (by default limited to one refresh every 30 minutes, configurable using `smallrye.jwt.jwks.forced-refresh-interval`). But as I wrote, it's about the refresh of the content from a local JSON file. – Timz May 11 '23 at 20:59