1
votes

I set up caching for the discovery endpoint below by wrapping it and caching it via Azure API Management.

https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration

So the new link below does the caching:

https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey

Below is the policy for token validation:

    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error: expired token or invalid token" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
        <openid-config url="https://my.azure-api.net/sso/.well-known/openid-configuration?subscription-key=mykey" />
        <audiences>
            <audience>id</audience>
        </audiences>
        <issuers>
            <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
        </issuers>
    </validate-jwt>

My question is: do I need to cache the JWKS link below, which is referenced in the discovery document above and used for the validation? If so, how can I cache it?

https://openid-connect-eu.onelogin.com/oidc/certs

3
From my experience, I believe Azure APIM is caching the OpenID configuration, so it's not fetched on every request; however, I can't find any information about it, such as how long it's cached for. As usual, the documentation is awful. - darnmason

3 Answers

0
votes

You will need to cache the contents of the JWKS endpoint somewhere in the service that is trying to validate the incoming JWT. A good way to cache these keys is to use a caching library that will cache the keys at the service level for a specified amount of time. The library that I use in my services is called Caffeine by Ben Manes and can be found here. Here is a quick example of how you could cache a JWK for 30 minutes:

import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import java.util.concurrent.TimeUnit;

// jwksMap is the map of kid -> key the loader reads from; each entry is evicted 30 minutes
// after it was written, so the next lookup after that runs the loader again.
LoadingCache<String, Object> cache = Caffeine.newBuilder()
        .maximumSize(5)
        .expireAfterWrite(30, TimeUnit.MINUTES)
        .build(k -> jwksMap.get(k));

Your service could then refetch the keys from the endpoint every 30 minutes to refresh the cache.
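What a JWKS cache in the service has to get right, as an added example that is not code from the answer above, from Azure APIM or from OneLogin (Go, because its standard library covers RSA, JSON and base64 without extra dependencies): the key set is kept for a TTL and refetched when it expires; a token carrying an unknown kid triggers an early refetch so key rotation at the issuer is picked up without waiting for the TTL, but only once the cached set is at least a tenth of the TTL old, so a flood of tokens with bogus kids cannot turn the cache into a request-per-token hammer on the issuer; and the verification step pins the algorithm to RS256 before any key lookup. The fetch function, newIssuer and SignRS256 are assumptions introduced so the example runs offline: in a real service fetch would be an HTTP GET of the jwks_uri taken from the discovery document, and the claim checks (exp, iss, aud) that the validate-jwt policy in the question performs would follow the signature check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

var b64 = base64.RawURLEncoding

// KeyCache keeps the parsed key set for ttl. fetch stands in for the HTTP GET of the certs URL and is
// injected so the example runs offline; a real service would http.Get the jwks_uri there.
type KeyCache struct {
	mu      sync.Mutex
	fetch   func() ([]byte, error)
	ttl     time.Duration
	keys    map[string]*rsa.PublicKey
	fetched time.Time
}

func (c *KeyCache) refresh() error {
	body, err := c.fetch()
	if err != nil {
		return err
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // json matches field names case-insensitively
	if err := json.Unmarshal(body, &set); err != nil {
		return err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // skip non-RSA or malformed entries
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	c.keys, c.fetched = keys, time.Now()
	return nil
}

// Key returns the verification key for kid. The set is refetched when older than ttl, and early on an unknown
// kid (rotation) but only once it is at least ttl/10 old, so tokens with bogus kids cannot hammer the issuer.
func (c *KeyCache) Key(kid string) (*rsa.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	_, known := c.keys[kid]
	if age := time.Since(c.fetched); c.keys == nil || age > c.ttl || (!known && age >= c.ttl/10) {
		if err := c.refresh(); err != nil {
			return nil, err
		}
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("unknown kid %q", kid)
}

// VerifySignature is the part of validate-jwt that touches the key set: pin the algorithm, select the key
// by kid, verify the signature. Claim checks (exp, iss, aud) would follow on success and are omitted here.
func VerifySignature(token string, cache *KeyCache) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	h, err := b64.DecodeString(parts[0]) // parts[0] always exists; the segment count is checked next
	if len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed token or alg not RS256") // the token never gets to choose the algorithm
	}
	key, err := cache.Key(hdr.Kid)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// newIssuer and SignRS256 fabricate a signing key, its JWKS document and tokens so the example runs
// offline; they are constructed fixtures, a real service only ever downloads the key set.
func newIssuer(kid string) (*rsa.PrivateKey, []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return priv, doc
}

func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

Construct the cache once per process (`&KeyCache{fetch: ..., ttl: 30 * time.Minute}`) and call VerifySignature for every request: the first call fetches the key set, later calls hit the cache until the TTL passes. With this shape, the TTL and the refresh floor are the two numbers to tune; a TTL much longer than the issuer's rotation interval only costs one refetch at the first unknown kid, while a floor of zero would hand an attacker a way to make the service fetch the certs document on every request.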

0
votes

I do not know the reason why you're caching this document, but both the metadata endpoint (https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration) and the key set endpoint (https://openid-connect-eu.onelogin.com/oidc/certs) are fetched by APIM from within the validate-jwt policy.

0
votes

The URL in the HTML body returned is modified and replaced with a new URL that is cached via APIM.