I'm trying to implement caching of the public key provided by the openid-configuration/jwks endpoint of our JWT provider. I want to use the cached value for validating the signature of incoming requests. We want to have a cache in place in order to reduce requests to the jwks endpoint, so we decided to create a custom APIM policy to do that. After a few hours of struggle I found myself clueless. Therefore I would like to ask some questions about APIM XML policies.
kid or x5t in policy? According to the APIM policy expressions, calling AsJwt() returns a Jwt object which does not contain a Header property, which should contain the required fields. I tried Id and Claims, with no successful reach of kid or x5t:

<set-variable name="requestKid" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").Split(' ')[1].AsJwt()?.____)"/>

<set-variable>. Seems like ((IResponse)context.Variables["jwksResponse"]) is null when called the second time. Do context variables get destroyed after the first read?

<send-request mode="new" response-variable-name="jwksResponse" timeout="10" ignore-error="true">
<set-url>https://some.identity.server/.well-known/openid-configuration/jwks</set-url>
<set-method>GET</set-method>
</send-request>
<set-variable name="jwksn" value="@(((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>()["keys"][0]["n"])" />
<set-variable name="jwkse" value="@(((IResponse)context.Variables["jwksResponse"]).Body.As<JObject>()["keys"][0]["e"])" />
"ValidationError" - "Error in element 'validate-jwt' on line 8, column 4: value is not a valid base64url string."

while it works when hardcoded. (I also tried hacks with Convert.ToBase64String(), with no success; to me it seems like an XML validator issue - can it be overridden?)

<issuer-signing-keys>
<key e="@((string)context.Variables["jwkse"])" n="@((string)context.Variables["jwksn"])"/>
</issuer-signing-keys>
x5c value retrieved from our JWKs provider as the key value? Like so:

<issuer-signing-keys>
<key>@((string)context.Variables["jwksx5c"])</key>
</issuer-signing-keys>
After further investigation we found a GitHub thread regarding caching of JWKs when using JWT validation with OpenID. It seems JWKs are cached for 1 hour and also re-cached when validation fails. However, this behavior is not stated in the documentation.
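The caching behaviour described in that thread (keys held for a fixed TTL and refetched when the token's kid is not in the cached set) written out as an added Python example; this is not code from the post or from APIM. The JwksCache class, the fetch callback, the sample JWKS and the token builder are assumptions of the example, and signature verification is left to a JWT library.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    # Restore the padding JWT segments strip before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    # Decoded JOSE header: this is where kid and x5t live (no verification here)
    return json.loads(b64url_decode(token.split(".")[0]))

class JwksCache:
    """Hold the JWKS for ttl_seconds; refetch when it expires or a kid is unknown."""

    def __init__(self, fetch, ttl_seconds=3600, clock=time.time):
        self._fetch = fetch          # callable returning the JWKS document as a dict
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so the TTL can be exercised in tests
        self._keys = {}
        self._fetched_at = None
        self.fetch_count = 0         # how often the jwks endpoint was actually hit

    def _refresh(self):
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def key_for(self, token: str) -> dict:
        kid = jwt_header(token).get("kid")
        if kid is None:
            raise ValueError("token header carries no kid")
        expired = self._fetched_at is None or self._clock() - self._fetched_at >= self._ttl
        if expired or kid not in self._keys:
            self._refresh()          # unknown kid usually means key rotation: refetch once
        if kid not in self._keys:
            raise KeyError(f"no signing key with kid={kid!r} even after refresh")
        return self._keys[kid]

# Constructed sample JWKS and token builder, used only to exercise the cache
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2023", "n": "sample-modulus", "e": "AQAB"}]}

def make_unsigned_token(kid: str) -> str:
    header = {"alg": "RS256", "kid": kid}
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{seg}.e30.unsigned"   # header.payload.signature shape, signature is not real
```

In a real deployment the refetch on an unknown kid should also be rate limited, otherwise a flood of tokens with bogus kids turns into a flood of requests to the jwks endpoint.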