
JWT Validation: Caching JWKS derived from cached discovery document via Azure API Management

I set up caching for the discovery endpoint below by wrapping it and caching it via Azure API Management.

https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration

So the new link below does the caching:

https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey

Below is the policy for token validation:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey" />
    <audiences>
        <audience>id</audience>
    </audiences>
    <issuers>
        <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
    </issuers>
</validate-jwt>

My question is: do I also need to cache the JWKS link below, which is listed in the discovery document above and used for the validation? If so, how can I cache it?

https://openid-connect-eu.onelogin.com/oidc/certs

You will need to cache the contents of the JWKS endpoint somewhere in the service in which you are trying to validate the request's JWT. A good way to cache these keys is to use a caching library that will cache the keys at the service level for a specified amount of time. The library that I use in my services is called Caffeine by Ben Manes and can be found here. Here is a quick example of how you could cache a JWK for 30 minutes:

import java.util.concurrent.TimeUnit;
import com.github.benmanes.caffeine.cache.Caffeine;

// jwksMap (declared elsewhere) maps a kid to its key; entries expire 30 minutes after being written
var cache = Caffeine.newBuilder()
        .maximumSize(5)
        .expireAfterWrite(30, TimeUnit.MINUTES)
        .build(k -> jwksMap.get(k));

Your service could then refetch the keys from the endpoint every 30 minutes to refresh the cache.

I don't know why you would cache this document, but both the metadata endpoint (https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration) and the key set endpoint (https://openid-connect-eu.onelogin.com/oidc/certs) are fetched by APIM from within the validate-jwt policy.

The URL in the returned HTML body is modified and replaced with the new URL that is cached via APIM.
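The wrapping the question describes, together with the URL rewrite the asker's comment above refers to, written out as two APIM operation policies. This is an added example, not the asker's policy and not a Microsoft sample: the operation paths under /sso, the named value sso-subscription-key (standing in for the literal key shown in the question so that the key does not sit in the policy body) and the cache durations are assumptions. The first operation proxies the discovery document and rewrites jwks_uri to point at the second operation, which proxies and caches the certs endpoint.

```xml
<!-- Operation: GET /sso/.well-known/openid-configuration (assumed path) -->
<policies>
    <inbound>
        <base />
        <!-- Serve the cached copy if one exists; otherwise fall through to the backend -->
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" downstream-caching-type="none" />
        <set-backend-service base-url="https://openid-connect-eu.onelogin.com" />
        <rewrite-uri template="/oidc/.well-known/openid-configuration" copy-unmatched-params="false" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Point jwks_uri at the cached APIM operation below instead of the IdP's certs endpoint.
             sso-subscription-key is an assumed named value holding the subscription key. -->
        <set-body>@{
            var doc = context.Response.Body.As<JObject>(preserveContent: true);
            doc["jwks_uri"] = "https://my.azure-api.net/sso/certs?subscription-key={{sso-subscription-key}}";
            return doc.ToString();
        }</set-body>
        <!-- Cache the rewritten document for one hour (assumed duration) -->
        <cache-store duration="3600" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Operation: GET /sso/certs (assumed path) -->
<policies>
    <inbound>
        <base />
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" downstream-caching-type="none" />
        <set-backend-service base-url="https://openid-connect-eu.onelogin.com" />
        <rewrite-uri template="/oidc/certs" copy-unmatched-params="false" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Keep the key-set TTL shorter than the discovery TTL (assumed 10 minutes) so that a
             rotated signing key is picked up before many tokens signed with it are rejected -->
        <cache-store duration="600" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because set-body runs before cache-store in the outbound section, the document stored in the cache already carries the rewritten jwks_uri, so every later cache hit hands validate-jwt the APIM-hosted key URL. The trade-off a practitioner should weigh is key rotation: a cached certs response that outlives a rotation at the IdP makes tokens signed with the new key fail validation until the cache entry expires, so the certs TTL should be the shorter of the two. The cache-lookup / cache-store pair requires an APIM instance with a built-in or configured external cache.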
