Ideas to obtain original JWK(S) for caching

[Tilogorn]

Since JWKS do not change too often I want to cache it for a certain amount of time to reduce the calls to the IdPs .well-known/jwks.json endpoint.

I was thinking about using createRemoteJWKSet, but unfortunately it seems I cannot access the keys as they come from the server. createRemoteJWKSet just returns an anonymous function (I guess for lazy loading). The key returned from jwtVerify is stripped down.

This is my idea as pseudo code.

let jwk = await cache.get('some_cache_key');
if (jwk === null) { // cache expired or similar
    JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'));
    const { payload, protectedHeader, key } = await jose.jwtVerify(jwt, JWKS);
    await cache.set('some_cache_key', JSON.stringify(key));
} else {
    const publicKey = await jose.importJWK(jwk);
    const { payload, protectedHeader} = await jose.jwtVerify(jwt, publicKey);
}

But the original JWKS looks like:

{
    "use": "sig",
    "alg": "RS256",
    "n": "pOpd5-7RpMvcfBcSjqlTNYjGg3YRwYRV9T9k7eDOEWgMBQEs6ii3cjcuoa1oD6N48QJmcNvAme_ud985DV2mQpOaCUy22MVRKI8DHxAKGWzZO5yzn6otsN9Vy0vOEO_I-vnmrO1-1ONFuH2zieziaXCUVh9087dRkM9qaQYt6QJhMmiNpyrbods6AsU8N1jeAQl31ovHWGGk8axXNmwbx3dDZQhx-t9ZD31oF-usPhFZtM92mxgehDqi2kpvFmM0nzSVgPrOXlbDb9ztg8lclxKwnT1EtcwHUq4FeuOPQMtZ2WehrY10OvsqS5ml3mxXUQEXrtYfa5V1v4o3rWx9Ow",
    "kid": "6f9777a685907798ef794062c00b65d66c240b1b",
    "e": "AQAB",
    "kty": "RSA"
}

And the key returned from jwtVerify contains only these properties. But kid is crucial for me to cache and re-input to jwtVerify as the JWKS contains more than one key and kid is being used to differentiate between them.

{
   "kty": "RSA",
    "n": "pOpd5-7RpMvcfBcSjqlTNYjGg3YRwYRV9T9k7eDOEWgMBQEs6ii3cjcuoa1oD6N48QJmcNvAme_ud985DV2mQpOaCUy22MVRKI8DHxAKGWzZO5yzn6otsN9Vy0vOEO_I-vnmrO1-1ONFuH2zieziaXCUVh9087dRkM9qaQYt6QJhMmiNpyrbods6AsU8N1jeAQl31ovHWGGk8axXNmwbx3dDZQhx-t9ZD31oF-usPhFZtM92mxgehDqi2kpvFmM0nzSVgPrOXlbDb9ztg8lclxKwnT1EtcwHUq4FeuOPQMtZ2WehrY10OvsqS5ml3mxXUQEXrtYfa5V1v4o3rWx9Ow",
    "e": "AQAB"
}

Is there any API in your library around createRemoteJWKSet that returns the JWKS as is?

Otherwise I'll have to fetch the JWKS by myself and pass it to createLocalJWKSet, which is also okay. But I like the error handling and all that stuff around createRemoteJWKSet. Also the solution above would store/cache the keys granularly whereas this solution just stores and re-inputs the whole JWKS (which is also okay).

let jwks = await cache.get('some_cache_key');
if (jwks === null) {
    jwks = await axios.get('https://www.googleapis.com/oauth2/v3/certs');
    await cache.set('some_cache_key', jwks);
}

const JWKS = jose.createLocalJWKSet(jwks);
const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS);

[panva]

createRemoteJWKSet already caches the results it gets and only reloads occasionally or when required due to key rotation...

https://github.com/panva/jose/blob/v5.x/src/jwks/remote.ts

[Tilogorn]

Understood, but my environment is short living and therefore using an external cache server. (AWS Lamba + AWS ElastiCache/Redis). Your internal in-memory cache won‘t work there.

[panva]

In that case just use fetch() to get the JWKS response, cache that and pass it to createLocalJWKSet, you'll just need to handle re-fetching and throttling on your own.