Struggle to understand JWKS Cache

[BigBoulard]

Hi !

I struggle to understand this code: jwk_cache_example_test

func ExampleJWK_CachedSet() {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	const googleCerts = `https://www.googleapis.com/oauth2/v3/certs`

	// The first steps are the same as examples/jwk_cache_example_test.go
	c := jwk.NewCache(ctx)
	c.Register(googleCerts, jwk.WithMinRefreshInterval(15*time.Minute))
	_, err := c.Refresh(ctx, googleCerts)
	if err != nil {
		fmt.Printf("failed to refresh google JWKS: %s\n", err)
		return
	}

	cached := jwk.NewCachedSet(c, googleCerts)

	// cached fulfills the jwk.Set interface.
	var _ jwk.Set = cached

	// That means you can pass it to things like jws.WithKeySet,
	// allowing you to pretend as if you are using the result of
	//
	//   jwk.Fetch(ctx, googleCerts)
	//
	// But you are instead using a cached (and periodically refreshed)
	// for each operation.
	_ = jws.WithKeySet(cached)
}

Goal

I need to make 2 separate things in my code:

• initialize the jwk.Set cache so that it is executed only once at startup
• get the jwk.Set either from the cache or from a straight HTTP request if the cache is invalidated. This part is initiated by an HTTP handler, so I guess I can just pass the request context to

Side Questions

• At line _, err := c.Refresh(ctx, googleCerts), I don't understand why we don't save the jwk.Set returned by c.Refresh
• cached := jwk.NewCachedSet(c, googleCerts) also returns a jwk.Set

Thank you so much :)

[lestrrat]

I don't really see a "main" question in your post. I can answer the "side" questions:

At line _, err := c.Refresh(ctx, googleCerts), I don't understand why we don't save the jwk.Set returned by c.Refresh

You could, but the first return value is a snapshot of the jwk.Set pointed by the URL. You could keep using it, but that snapshot will not be updated when the remote resource is updated.

Also, we're only calling it for the side effect of loading the remote resource here; that's why the value is thrown away.

cached := jwk.NewCachedSet(c, googleCerts) also returns a jwk.Set

What do you mean by "also"? Do you mean to say that "c.Refresh() returns a jwk.Set as well, why create a cached set?"

I kind of hinted in the previous answer, but jwk.Cache only returns a snapshot of the JWKS at that URL. jwk.CachedSet is a specialized version of jwk.Set that always selects the latest version of the JWKS from the designated jwk.Cache. In hindsight I suppose jwk.NewCachedSet could have returned *jwk.CachedSet instead.

[BigBoulard]

Thank you for your prompt and detailed answer.

I think I got it, let's see...

• Here the intent of the call to Refresh is just to verify that the cache system is working, but we don't need to use the jwk.Set yet
  _, err := c.Refresh(ctx, googleCerts)

• On the other hand, the following line returns the jwk.Set I can use directly in my program without having to call any kind of function. The value of cached is automatically updated under the hood by your program.
  cached := jwk.NewCachedSet(c, googleCerts)

... from there, any time I need to parse and verify a token, I can use cached like below:

tok, err := jwt.Parse(
    serialized,
    jwt.WithKeySet(cached), // <<<<
  )
  if err != nil {
    fmt.Printf("failed to parse serialized: %s\n", err)
  }

Are my assumptions correct?

[lestrrat]

Yes, that's the intention!

[lestrrat]

Reopen, because otherwise it will not be visible.