JWKS not been cached

[enzomotta]

Hi there,

I was using only AWS Cognito to authenticate my users and everything was perfect til I had to support Google and Apple native logins. So, to validate those jwts so I added the respective JWKS on my application.yml and I'm validating issuer and audience on a custom JwtAuthenticationFactory implementation. After that I notice that every request I received had Micronaut downloading the JWKS jsons from Google and Apple. Wasn't it supposed to cache those calls? It appears to me that the cognito JWKS is been cached cause its not been downloaded all the time.

My application.yml looks something like this:

signatures:
  jwks:
    awscognito:
      url: 'https://cognito-idp.us-east-1.amazonaws.com/${integrations.cognito.userPoolId}/.well-known/jwks.json'
    google:
      url: 'https://www.googleapis.com/oauth2/v3/certs'
    apple:
      url: 'https://appleid.apple.com/auth/keys'

Am I missing something?

Thanks in advance,

Enzo.

[sdelamo]

Thanks for the feedback @enzomotta

They are supposed to be cached. See the logic here: https://github.com/micronaut-projects/micronaut-security/blob/master/security-jwt/src/main/java/io/micronaut/security/token/jwt/signature/jwks/JwksSignature.java

[enzomotta]

I guess the problem is when you have multiple jwks. Cause it only caches the one it matches and delete the others. So next time it has to request those keys again.

[sdelamo]

You should have a bean of type JwksSignature per JWKS configuration.

I need some time to investigate this and see If can write a test with a reproducible example.

[sdelamo]

I am going to move this to an issue.