Description
Is your feature request related to a problem? Please describe.
When building the resource server configuration, there is no option to provide the JWK cache which can be passed to the NimbusJwtDecoder when building the object. This results in the JWK being refreshed every 5 minutes.
Describe the solution you'd like
I would like to have an option to provide the JWK cache in the resource server configuration. This would allow the NimbusJwtDecoder to use the cache and avoid frequent JWK refreshes.
Describe alternatives you've considered
The workaround is to build out the JwtDecoder bean manually, but this requires copying the createDefaultValidator private method from the library. Here is an example:
@Bean
@Primary
JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties,
                      RestTemplateBuilder restTemplateBuilder,
                      CacheManager cacheManager) {
    AadAuthorizationServerEndpoints identityEndpoints = new AadAuthorizationServerEndpoints(
        aadAuthenticationProperties.getProfile().getEnvironment().getActiveDirectoryEndpoint(),
        aadAuthenticationProperties.getProfile().getTenantId());
    // A cache named "jwtCache" must exist in the CacheManager; it holds the fetched JWK set
    Cache cache = cacheManager.getCache("jwtCache");
    NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder
        .withJwkSetUri(identityEndpoints.getJwkSetEndpoint())
        .restOperations(createRestTemplate(restTemplateBuilder))
        .cache(cache)
        .build();
    // createDefaultValidator is private in the library, so it has to be copied into this class
    // (createRestTemplate likewise) to keep the same token validators as the auto-configuration
    List<OAuth2TokenValidator<Jwt>> validators = createDefaultValidator(aadAuthenticationProperties);
    nimbusJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
    return nimbusJwtDecoder;
}
Additional context
The following properties are not working in the context of the resource server:
- spring.cloud.azure.active-directory.jwk-set-cache-lifespan
- spring.cloud.azure.active-directory.jwk-set-cache-refresh-time
Currently, this results in the JWK being refreshed every 5 minutes. This can add up to significant delays in a microservices environment where multiple services fetch keys simultaneously, resulting in 200 to 300 ms delays, including parsing the keys on each service.
Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.
- Description Added
- Expected solution specified
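A cache definition that the manual JwtDecoder workaround above can look up by name, as an added example that is not part of the issue or of the library; it assumes Caffeine is on the classpath and that "jwtCache" is the name the JwtDecoder bean requests.

```java
import java.time.Duration;

import com.github.benmanes.caffeine.cache.Caffeine;
import org.springframework.cache.CacheManager;
import org.springframework.cache.caffeine.CaffeineCacheManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JwkCacheConfig {

    // Hypothetical name, chosen to match the cacheManager.getCache("jwtCache") lookup in the workaround
    public static final String JWK_CACHE_NAME = "jwtCache";

    @Bean
    CacheManager jwkCacheManager() {
        // Pre-registers the named cache so getCache() returns a real cache rather than null
        CaffeineCacheManager manager = new CaffeineCacheManager(JWK_CACHE_NAME);
        // The cached JWK set is reused until this entry expires, which bounds how often the
        // JWK endpoint is hit; choose a lifespan that tolerates the IdP's key rotation cadence
        manager.setCaffeine(Caffeine.newBuilder()
                .expireAfterWrite(Duration.ofHours(1))
                .maximumSize(10));
        return manager;
    }
}
```

If the application already defines its own CacheManager, register the "jwtCache" name there instead of adding a second manager, since the JwtDecoder bean resolves the cache through whichever CacheManager is injected.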