Cache RS256 JWKS by url to allow for multiple Auth0 tenants per runtime #325
Conversation
| @@ -286,7 +286,7 @@ def jwks_url(url, lifetime: 10 * 60) | |||
|
|
|||
| # Clear the JWK set cache. | |||
| def remove_jwks | |||
| @@cache.remove(:jwks) | |||
| @@cache.remove_by { true } | |||
There was a problem hiding this comment.
The only issue I have here is this now removes everything from the shared cache. Granted, currently the only things being stored there are JWKS documents but could introduce bugs later if we have a need to start storing other things in the cache and forget about this.
However, not sure what you can do about it at this stage unless you also start tracking the URLs you're adding into it.
There was a problem hiding this comment.
The cache only exists for RS256 validation, and purging a cache should always be recoverable regardless of what’s in it. Also, this is only an improvement over the existing implementation, because the cache wasn’t behaving properly when more than one tenant was in play.
With that said, I could prefix cache-keys with something like ”jwks-“ and only purge keys that start with that.
If you feel that’s important, I am happy to do that, but I don’t actually see this cache being used for much else.
There was a problem hiding this comment.
Agree, if that issue happens to occur later, we can solve it then.
Fixes #324
Changes
The underlying issue is discussed in #324, but in summary, JWT validation using RS256 caches the JWKS for the entire runtime, even if multiple Auth0 tenants (varying JWKS URLs are in use). This change caches the JWKS per JWKS url instead of using just a generic cache key. This allows applications that use multiple Auth0 tenants to properly cache their JWKS and avoid unnecessary HTTP requests to pull the well-known JWKS. Otherwise, the JWKS cache thrashes itself while switching between multiple Auth0 tenants.
References
Fixes #324
Testing
Checklist