[ https://issues.apache.org/jira/browse/KNOX-3150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandeep More updated KNOX-3150:
-------------------------------
    Description: 
Currently the JWKS keys are not cached by Knox; this is a problem. There are two major issues here:
1. Knox will hit the JWKS endpoint for every single request to verify the token; this would overwhelm the JWKS endpoint.
2. In case the endpoint goes down, we need a way for Knox to be able to verify the tokens.

The parameters that can be configured in gateway-site.xml are
{code:java}
// default: in millisecs, 20 mins
gateway.jwks.cache.ttl = 20 * 60 * 1000
// default: in millisecs, 15 secs
gateway.jwks.cache.refresh.interval = 15 * 1000
{code}
This can be done in the DefaultTokenAuthorityService class by using
{code:java}
JWKSource<SecurityContext> keySource = JWKSourceBuilder.create(new URL(jwksurl))
    .retrying(true)
    .cache(TTL, cacheRefreshTTL)
    .outageTolerant(outageTTL)
    .build();
{code}

  was:
Currently the JWKS keys are not cached by Knox; this is a problem. There are two major issues here:
1. Knox will hit the JWKS endpoint for every single request to verify the token; this would overwhelm the JWKS endpoint.
2. In case the endpoint goes down, we need a way for Knox to be able to verify the tokens.

The parameters are
{code:java}
// default: in millisecs, 20 mins
gateway.jwks.cache.ttl = 20 * 60 * 1000
// default: in millisecs, 15 secs
gateway.jwks.cache.refresh.interval = 15 * 1000
{code}
This can be done in the DefaultTokenAuthorityService class by using
{code:java}
JWKSource<SecurityContext> keySource = JWKSourceBuilder.create(new URL(jwksurl))
    .retrying(true)
    .cache(TTL, cacheRefreshTTL)
    .outageTolerant(outageTTL)
    .build();
{code}


> Support for caching JWKS keys
> -----------------------------
>
>                 Key: KNOX-3150
>                 URL: https://issues.apache.org/jira/browse/KNOX-3150
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>
> (Description as above.)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
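As an added example (not Knox code and not part of the issue), the following shows how the builder chain from the description could be wired to gateway-style properties with the Nimbus JOSE+JWT JWKSourceBuilder, together with the verification side that consumes the cached key source. Assumptions: the outage-window property name gateway.jwks.cache.outage.ttl, the RS256 pin, the timeout and size-limit values, and the rateLimited() step are mine; the configuration is a plain Map rather than Knox's gateway-site.xml loader; the JWKS URL is a placeholder. Two points a reviewer should keep in mind: in Nimbus the second argument to cache() is the refresh timeout (how long a lookup waits for the refetch once the TTL lapses), not a refresh interval; and outageTolerant() means a key withdrawn from the JWKS (rotated or compromised) stays accepted locally until the outage window expires, so that window should be no longer than the IdP outage you are willing to ride through.

```java
import java.net.URL;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/**
 * Illustrative example, not Knox code: builds a cached, outage-tolerant
 * JWKSource from gateway-style properties and verifies JWTs against it.
 */
public final class CachedJwksVerifier {

    // Property names taken from the issue text.
    static final String TTL_PROP = "gateway.jwks.cache.ttl";
    static final String REFRESH_PROP = "gateway.jwks.cache.refresh.interval";
    // Assumed name; the issue does not name the outage-window property.
    static final String OUTAGE_PROP = "gateway.jwks.cache.outage.ttl";

    static final long DEFAULT_TTL_MS = 20L * 60 * 1000;  // 20 min, per the issue
    static final long DEFAULT_REFRESH_MS = 15L * 1000;   // 15 s, per the issue

    private CachedJwksVerifier() {}

    /** Parses a positive millisecond value, falling back to the default when unset or invalid. */
    static long millis(Map<String, String> conf, String key, long dflt) {
        String v = conf.get(key);
        if (v == null || v.trim().isEmpty()) {
            return dflt;
        }
        try {
            long parsed = Long.parseLong(v.trim());
            return parsed > 0 ? parsed : dflt;
        } catch (NumberFormatException e) {
            return dflt;
        }
    }

    /**
     * The cache holds the JWK set for ttl; once it expires the next lookup refetches and
     * waits at most refreshTimeout. If that fetch fails, outageTolerant keeps the last
     * good set usable for outageTtl after expiry instead of failing every request.
     */
    public static JWKSource<SecurityContext> buildKeySource(URL jwksUrl, Map<String, String> conf) {
        long ttl = millis(conf, TTL_PROP, DEFAULT_TTL_MS);
        long refreshTimeout = millis(conf, REFRESH_PROP, DEFAULT_REFRESH_MS);
        // Assumed default: ride through an outage for one cache period. A longer window
        // keeps a key that was removed from the JWKS trusted here for longer.
        long outageTtl = millis(conf, OUTAGE_PROP, ttl);

        // Bounded connect/read timeouts and a response size limit (assumed values) so a
        // slow or hostile JWKS endpoint cannot hang request threads or exhaust memory.
        DefaultResourceRetriever retriever = new DefaultResourceRetriever(2000, 2000, 50_000);

        return JWKSourceBuilder.create(jwksUrl, retriever)
                .retrying(true)
                .cache(ttl, refreshTimeout)
                // Cap refetches triggered by tokens carrying an unknown kid, so a flood of
                // bogus tokens cannot turn the cache into a pass-through to the endpoint.
                .rateLimited(30_000)
                .outageTolerant(outageTtl)
                .build();
    }

    /** Verifies the token's signature with a key from the cached source and returns its claims. */
    public static JWTClaimsSet verify(JWKSource<SecurityContext> keySource, String token)
            throws ParseException, BadJOSEException, JOSEException {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Pin the expected algorithm (RS256 assumed); never let the token header choose it.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));
        return processor.process(token, null);
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration; a deployment would read these from gateway-site.xml.
        Map<String, String> conf = new HashMap<>();
        conf.put(TTL_PROP, "1200000");     // 20 min
        conf.put(REFRESH_PROP, "15000");   // 15 s
        conf.put(OUTAGE_PROP, "3600000");  // 1 h

        URL jwksUrl = new URL("https://idp.example.test/.well-known/jwks.json"); // placeholder
        JWKSource<SecurityContext> keySource = buildKeySource(jwksUrl, conf);
        String token = args.length > 0 ? args[0] : "";
        try {
            JWTClaimsSet claims = verify(keySource, token);
            System.out.println("verified, subject=" + claims.getSubject());
        } catch (BadJOSEException e) {
            System.out.println("rejected: " + e.getMessage());
        } catch (JOSEException e) {
            // No usable key: cache expired, endpoint unreachable, and outage window lapsed.
            System.out.println("key source unavailable: " + e.getMessage());
        }
    }
}
```

Build one key source per JWKS URL at service start and share it across requests; the caching only helps if every verification goes through the same instance. When sizing the values, keep the issuer's key-rotation grace period (time both old and new keys are published) at least as long as gateway.jwks.cache.ttl plus the outage window, or tokens signed with a fresh key will be rejected until the cache expires.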