
Add signing key rotation and custom JWKS URI support #426

Merged: 3 commits merged into master from add-signing-key-rotation, Feb 10, 2020

Conversation

joshcanhelp
Contributor

@joshcanhelp joshcanhelp commented Feb 7, 2020

Description

  • Adds cache retry if token kid is not found in cached JWKS
  • Adds custom JWKS URL
  • Adds cache TTL of 10 minutes

References

Closes #417, #426

PSR-16 cache interface

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@joshcanhelp joshcanhelp marked this pull request as ready for review February 7, 2020 19:12
@joshcanhelp joshcanhelp requested a review from a team February 7, 2020 19:12
@joshcanhelp joshcanhelp added this to the 7.1.0 milestone Feb 7, 2020
Review threads (all resolved): src/Helpers/JWKFetcher.php (6 threads, 4 marked outdated), src/Helpers/Tokens/AsymmetricVerifier.php (1 thread)
```php
$keys = $this->cache->get($cache_key);
if (is_array($keys) && ! empty($keys)) {
    return $keys;
}
$jwks_url = $jwks_url ?? $this->guzzleOptions['base_uri'] ?? '';
```
@joshcanhelp
Contributor Author

It turns out there is a base_uri setting in the HTTP library already so I'm leveraging that here. We need to know the final URI we're using here to check the cache (if necessary). I'm sticking with the "return empty array if URL is empty" because that is indicating "we don't have keys for that URL" and will fail with the "no kid found in that JWKS" error mentioned earlier. Same outcome for a malformed/empty JWKS.
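The behaviour described in the PR description (per-URL JWKS cache with a 10 minute TTL, custom JWKS URL, and a single cache-bypassing refetch when a token's kid is not in the cached set) and in the comment above (an empty URL or malformed JWKS yields an empty key set that later fails as "kid not found") can be seen end to end in the following added example. This is not the auth0-PHP SDK's own code: JwksKeyStore, ArrayCache and JwksKeyNotFound are hypothetical names, the ArrayCache is a minimal in-memory stand-in for a PSR-16 cache with a simulated clock, the HTTP transport is a constructed closure returning two constructed JWKS documents (kid "k1", then a rotated "k2"), and PHP 8.0+ is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the auth0-PHP SDK. JwksKeyStore, ArrayCache and
// JwksKeyNotFound are hypothetical names; the HTTP transport is a constructed
// closure so the script runs offline. Assumes PHP 8.0+.

final class JwksKeyNotFound extends RuntimeException {}

// Minimal in-memory stand-in for a PSR-16 cache (same get/set shape); in real
// code any Psr\SimpleCache\CacheInterface implementation would be injected.
final class ArrayCache
{
    /** @var array<string, array{0: mixed, 1: int}> value and expiry time */
    private array $items = [];
    private int $now;

    public function __construct(?int $now = null)
    {
        $this->now = $now ?? time();
    }

    // Simulated clock so TTL expiry can be exercised deterministically.
    public function advance(int $seconds): void
    {
        $this->now += $seconds;
    }

    public function get(string $key, mixed $default = null): mixed
    {
        if (! isset($this->items[$key]) || $this->items[$key][1] <= $this->now) {
            unset($this->items[$key]); // missing or expired
            return $default;
        }
        return $this->items[$key][0];
    }

    public function set(string $key, mixed $value, ?int $ttl = null): bool
    {
        $this->items[$key] = [$value, $this->now + ($ttl ?? 600)];
        return true;
    }
}

final class JwksKeyStore
{
    public const CACHE_TTL = 600; // 10 minutes, as in the PR

    /** @param callable(string): string $httpGet returns the raw JWKS document for a URL */
    public function __construct(
        private ArrayCache $cache,
        private $httpGet,
        private string $defaultJwksUrl,
    ) {
    }

    // Returns kid => JWK for every usable RSA signing key. An empty URL or a
    // malformed/empty JWKS yields [], which later surfaces as "kid not found".
    public function getKeys(?string $jwksUrl = null, bool $useCache = true): array
    {
        $jwksUrl = $jwksUrl ?? $this->defaultJwksUrl;
        if ($jwksUrl === '') {
            return [];
        }

        $cacheKey = 'jwks_' . md5($jwksUrl); // one cache slot per JWKS URL
        if ($useCache) {
            $cached = $this->cache->get($cacheKey);
            if (is_array($cached) && $cached !== []) {
                return $cached;
            }
        }

        $decoded = json_decode(($this->httpGet)($jwksUrl), true);
        $list = is_array($decoded) && is_array($decoded['keys'] ?? null) ? $decoded['keys'] : [];

        $keys = [];
        foreach ($list as $jwk) {
            // Keep only RSA keys that carry a kid and are not declared as non-signing.
            if (! is_array($jwk) || ($jwk['kty'] ?? null) !== 'RSA' || empty($jwk['kid'])) {
                continue;
            }
            if (isset($jwk['use']) && $jwk['use'] !== 'sig') {
                continue;
            }
            $keys[$jwk['kid']] = $jwk;
        }

        if ($keys !== []) {
            $this->cache->set($cacheKey, $keys, self::CACHE_TTL); // never cache an empty set
        }
        return $keys;
    }

    // Lookup with a one-shot cache bypass on a kid miss (handles key rotation).
    public function getKey(string $kid, ?string $jwksUrl = null): array
    {
        $keys = $this->getKeys($jwksUrl, true);
        if (! isset($keys[$kid])) {
            $keys = $this->getKeys($jwksUrl, false); // refresh exactly once, no loop
        }
        if (! isset($keys[$kid])) {
            throw new JwksKeyNotFound("No signing key with kid '$kid' in JWKS");
        }
        return $keys[$kid];
    }
}

// Constructed JWKS documents: the issuer first publishes kid "k1", then rotates to "k2".
$responses = [
    json_encode(['keys' => [['kty' => 'RSA', 'kid' => 'k1', 'use' => 'sig', 'n' => 'AQ', 'e' => 'AQAB']]]),
    json_encode(['keys' => [['kty' => 'RSA', 'kid' => 'k2', 'use' => 'sig', 'n' => 'AQ', 'e' => 'AQAB']]]),
];
$fetches = 0;
$httpGet = function (string $url) use (&$responses, &$fetches): string {
    $fetches++;
    return count($responses) > 1 ? array_shift($responses) : $responses[0];
};

$cache = new ArrayCache();
$store = new JwksKeyStore($cache, $httpGet, 'https://example.auth0.com/.well-known/jwks.json');

$store->getKey('k1');   // first fetch, result cached
$store->getKey('k1');   // cache hit, no fetch
$store->getKey('k2');   // kid miss: second fetch bypasses the cache and finds the rotated key
try {
    $store->getKey('k3');   // third fetch, still missing: exception rather than a refetch loop
} catch (JwksKeyNotFound $e) {
    echo $e->getMessage(), "\n";
}
$cache->advance(JwksKeyStore::CACHE_TTL);
$store->getKey('k2');   // TTL expired: fourth fetch
assert($fetches === 4);
echo "HTTP fetches: $fetches\n";
```

The refetch is deliberately bounded to one cache bypass per lookup: an attacker-controlled kid in a token header can force at most one extra request to the JWKS endpoint per verification, and a kid that still does not exist fails closed with an exception.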

@joshcanhelp
Contributor Author

@lbalmaceda - Ready for you again!

@joshcanhelp joshcanhelp merged commit 378d823 into master Feb 10, 2020
@joshcanhelp
Contributor Author

Had to force merge, CodeCov was not completing.

@joshcanhelp joshcanhelp deleted the add-signing-key-rotation branch February 10, 2020 22:12
@github-actions
Contributor

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2022
Development

Successfully merging this pull request may close these issues.

Consider to customize the jwks path
2 participants