Merge pull request #2398 from openziti/fix.2397.jwks.refresh
fixes #2397: JWKS refreshes would sometimes not update
andrewpmartinez authored Sep 13, 2024
2 parents 8d59ad0 + 1a2d07a commit e5ddb7c
Showing 8 changed files with 446 additions and 75 deletions.
23 changes: 14 additions & 9 deletions controller/model/authenticator_mod_ext_jwt.go
Expand Up @@ -126,6 +126,15 @@ type signerRecord struct {
jwksResolver jwks.Resolver
}

func (r *signerRecord) PubKeyByKid(kid string) (pubKey, bool) {
r.Mutex.Lock()
defer r.Mutex.Unlock()

key, ok := r.kidToPubKey[kid]

return key, ok
}

func (r *signerRecord) Resolve(force bool) error {
r.Mutex.Lock()
defer r.Mutex.Unlock()
Expand Down Expand Up @@ -161,11 +170,7 @@ func (r *signerRecord) Resolve(force bool) error {
return nil

} else if r.externalJwtSigner.JwksEndpoint != nil {
if len(r.kidToPubKey) != 0 && !force {
return nil
}

if !r.jwksLastRequest.IsZero() && time.Since(r.jwksLastRequest) < JwksQueryTimeout {
if (!r.jwksLastRequest.IsZero() && time.Since(r.jwksLastRequest) < JwksQueryTimeout) && !force {
return nil
}

Expand All @@ -180,7 +185,7 @@ func (r *signerRecord) Resolve(force bool) error {
for _, key := range jwksResponse.Keys {
//if we have an x509chain the first must be the signing key
if len(key.X509Chain) != 0 {
x509Der, err := base64.StdEncoding.DecodeString(key.X509Chain[0])
x509Der, err := base64.RawURLEncoding.DecodeString(key.X509Chain[0])

if err != nil {
return fmt.Errorf("could not parse JWKS keys: %v", err)
Expand Down Expand Up @@ -283,14 +288,14 @@ func (a *AuthModuleExtJwt) pubKeyLookup(token *jwt.Token) (interface{}, error) {
return nil, apierror.NewInvalidAuth()
}

key, ok := signerRecord.kidToPubKey[kid]
key, ok := signerRecord.PubKeyByKid(kid)

if !ok {
if err := signerRecord.Resolve(true); err != nil {
if err := signerRecord.Resolve(false); err != nil {
logger.WithError(err).Error("error attempting to resolve extJwtSigner certificate used for signing")
}

key, ok = signerRecord.kidToPubKey[kid]
key, ok = signerRecord.PubKeyByKid(kid)

if !ok {
return nil, fmt.Errorf("kid [%s] not found for issuer [%s]", kid, issuer)
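Review bot: The `x5c` decode in the third hunk (`base64.RawURLEncoding.DecodeString(key.X509Chain[0])`) does not match RFC 7517 §4.7, which defines each `x5c` entry as standard base64 (RFC 4648 §4, padded, explicitly not base64url); if that line is the new side (the rendering drops the +/- markers), any certificate whose DER encodes to `+`, `/` or trailing `=` will fail to decode, Resolve returns "could not parse JWKS keys", and the signer's keys are never loaded, which presents as the same "kid not found" symptom this commit is fixing. If the goal is to also tolerate providers that emit base64url, decode with `base64.StdEncoding` first and only on error retry with `base64.RawURLEncoding`, rather than replacing one with the other. The enclosing Resolve method starts and ends outside the hunk, so the rate-limit change in the second hunk (`&& !force` on the `jwksLastRequest` check) could not be checked against its other callers; worth confirming that every remaining `Resolve(true)` caller is itself bounded, since `force` now bypasses `JwksQueryTimeout` entirely.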