I set up caching for the discovery endpoint below by wrapping it and caching it via Azure API Management.
https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration
So the new link below does the caching:
https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey
Below is the policy for token validation:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey" />
    <audiences>
        <audience>id</audience>
    </audiences>
    <issuers>
        <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
    </issuers>
</validate-jwt>
My question is: do I need to cache the JWKS link below, which is listed in the discovery document above and used for the validation? If so, how can I cache it?
You will need to cache the contents of the JWKS endpoint somewhere in the service in which you are trying to validate the incoming JWT. A good way to cache these keys is to use a caching library that will cache the keys at the service level for a specified amount of time. The library that I use in my services is called Caffeine by Ben Manes and can be found here. Here is a quick example of how you could cache a JWK for 30 minutes:
import java.util.concurrent.TimeUnit;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;

// jwksMap and the Jwk value type are assumed to be defined elsewhere: a kid -> key map populated from the JWKS endpoint
LoadingCache<String, Jwk> cache = Caffeine.newBuilder()
        .maximumSize(5)                            // at most five keys held at once
        .expireAfterWrite(30, TimeUnit.MINUTES)    // entries are evicted 30 minutes after they were loaded
        .build(k -> jwksMap.get(k));               // loader invoked on a cache miss for key id k
Your service could then refetch the keys from the endpoint every 30 minutes to refresh the cache.
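The snippet above assumes a pre-filled kid-to-key map. As an added example (not the answerer's code), the class below shows the complete pattern: the JWKS document from the question's discovery metadata is fetched and parsed with Nimbus JOSE+JWT, held in a Caffeine LoadingCache with a 30-minute TTL, and looked up by kid. The class name, the single-entry document cache, the refetch-on-unknown-kid behaviour and the use of Nimbus for parsing are my assumptions; the JWKS URL is the one quoted in the thread.

```java
import java.net.URL;
import java.util.concurrent.TimeUnit;

import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;

/**
 * Caches the identity provider's JWKS document in-process so that validating an
 * incoming JWT does not cost a network round trip to the keys endpoint each time.
 * Added example; names and behaviour are assumptions, not the library's own API
 * beyond the Caffeine and Nimbus calls used.
 */
public final class JwksKeyCache {

    // Key set endpoint from the discovery document discussed in the question.
    private static final String JWKS_URL = "https://openid-connect-eu.onelogin.com/oidc/certs";

    // The whole document is cached under one constant key; kid lookups are then in-memory.
    private static final String DOC_KEY = "jwks";

    private final LoadingCache<String, JWKSet> cache;

    public JwksKeyCache(String jwksUrl, long ttl, TimeUnit unit) {
        this.cache = Caffeine.newBuilder()
                .maximumSize(1)
                .expireAfterWrite(ttl, unit)
                // CacheLoader.load may throw checked exceptions, so the network
                // fetch and JSON parse can sit directly in the loader.
                .build(ignored -> JWKSet.load(new URL(jwksUrl)));
    }

    /**
     * Returns the key for the given kid (taken from the JWT header by the caller).
     * On a miss the document is refetched once so a freshly rotated signing key is
     * picked up before the TTL elapses; a kid still unknown after the refetch is
     * rejected instead of being retried in a loop.
     */
    public JWK keyFor(String kid) {
        JWK key = cache.get(DOC_KEY).getKeyByKeyId(kid);
        if (key == null) {
            cache.invalidate(DOC_KEY);
            key = cache.get(DOC_KEY).getKeyByKeyId(kid);
        }
        if (key == null) {
            throw new IllegalArgumentException("no signing key with kid=" + kid);
        }
        return key;
    }

    public static void main(String[] args) {
        JwksKeyCache keys = new JwksKeyCache(JWKS_URL, 30, TimeUnit.MINUTES);
        // "example-kid" is a constructed placeholder; in practice the kid comes from the token header.
        String kid = args.length > 0 ? args[0] : "example-kid";
        System.out.println(keys.keyFor(kid).getKeyType());
    }
}
```

The refetch-on-miss step is what lets the cache survive key rotation without shortening the TTL, but it also means a burst of tokens carrying unknown kids translates into repeated fetches of the JWKS endpoint; in a production service, put a minimum interval between forced refetches so that malformed or unsigned tokens cannot drive traffic to the identity provider.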
I do not know why you would want to cache this document, but APIM fetches both the metadata endpoint (https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration) and the key set endpoint (https://openid-connect-eu.onelogin.com/oidc/certs) from the validate-jwt policy.
The URL in the returned HTML body was modified and replaced with the new URL cached via APIM.