-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add request throttling support #30
Comments
How long keys get cached? Can you provide a setter to override the default? |
Currently public keys are cached until a new keyid is requested (and not found in the cache) at that point the key store is updated to reflect the current set of keys. The goal of this issue is to add a minimum time between those requests. |
in the case of current key "kid A" got cracked and we have performed the key rotation from Okta. |
@blackjackyau the easiest way is to create a new instance of the Verifier. This would be application-specific code. We generally recommend reducing the amount of time a JWT is valid to help mitigate risk. For example, if your tokens were only valid for 5 minutes, your application would only be at risk for 5 minutes. |
@bdemers i see, the public key will be cached until the new kid is located and hence a shorter timer of access token will help. |
How so? You could clear the cache (by creating a new instance) and minimize the duration of the token (this part is just general advice) |
@bdemers i mean, this should be configurable from the verification. JwkProvider provider = new JwkProviderBuilder("https://samples.auth0.com/")
.cached(10, 24, TimeUnit.HOURS)
.rateLimited(10, 1, TimeUnit.MINUTES)
.build();
Jwk jwk = provider.get("{kid of the signing key}"); //throws Exception when not found or can't get one |
We do have plans to improve the caching (and allow for pluggable caching as we have in our management SDK) However, the goal of this library is not a general-purpose JWT library (I'd recommend JJWT for that), so how the cache is used would still be tailored to Okta (I'm not sure if that is your intent or not). You would want to invalidate the cache somehow on demand in the case of a leaked private key (and not wait until the cache timeout). Thanks for the feedback! |
@bdemers thanks for that. Yes in my case, a force cache invalidation will be the way but it is also good if i am able to define the worst risk time |
Limit the number of outbound requests to the
/key
endpoint.The text was updated successfully, but these errors were encountered: