Closed glorat closed 4 years ago
For reference, the dodgy code in question is in UrlJwkProvider:

```java
@Override
public Jwk get(String keyId) throws JwkException {
    final List<Jwk> jwks = getAll(); // This calls getJwks, which then does the network hit
    if (keyId == null && jwks.size() == 1) {
        return jwks.get(0);
    }
    // ... remainder of the method not quoted in the original post
}
```
Apologies, I just realised I've posted this to the wrong project... I'll move it
Description
Reproduction
where we obtain only the right public key from the provider, which obtains it from the URL. However, the provider.get does an internet check on every call, which defeats the purpose of JWT verification being self-contained and fast.
Expectation
UrlJwkProvider instances should load public keys only once.
Also, it would be good to have an explicitly documented way of verifying a JWT subject to multiple keys. The auth0 docs say this case should be accounted for, but I find no code samples that do it well. My code above may not be the preferred way; if so, I'll take alternative code.
Environment
p.s. I'm using scala for my testing but it is close enough to Java to understand
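As an added example (not the project's own code, nor the reporter's), one way to get the load-once behaviour requested above while still surviving key rotation and serving the multi-key lookup the reporter asks about: a hypothetical `OnceLoadedJwkProvider` that wraps `UrlJwkProvider`, hits the URL once, and re-fetches only when an unknown `kid` arrives and a minimum interval has passed since the last fetch. The class name and the refresh interval are assumptions; `Jwk`, `JwkProvider`, `UrlJwkProvider.getAll()` and `SigningKeyNotFoundException` are the library's own types.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.SigningKeyNotFoundException;
import com.auth0.jwk.UrlJwkProvider;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Hypothetical decorator (assumed name): fetches the JWKS once and serves lookups from memory. */
public final class OnceLoadedJwkProvider implements JwkProvider {
    private final UrlJwkProvider delegate;
    private final long minRefreshNanos;
    private volatile List<Jwk> keys = Collections.emptyList();
    private volatile long lastFetchNanos = Long.MIN_VALUE;

    public OnceLoadedJwkProvider(UrlJwkProvider delegate, long minRefresh, TimeUnit unit) {
        this.delegate = delegate; this.minRefreshNanos = unit.toNanos(minRefresh);
    }

    @Override
    public Jwk get(String keyId) throws JwkException {
        Jwk jwk = find(keyId, keys);
        if (jwk != null) return jwk;           // hot path: verification never touches the network
        // Unknown kid (first call, or the issuer rotated keys): refetch, but no more often than
        // minRefresh, so a flood of tokens carrying bogus kids cannot make us hammer the JWKS URL.
        synchronized (this) {
            long now = System.nanoTime();
            if (lastFetchNanos == Long.MIN_VALUE || now - lastFetchNanos >= minRefreshNanos) {
                keys = delegate.getAll();      // the single network hit
                lastFetchNanos = now;
            }
        }
        jwk = find(keyId, keys);
        if (jwk == null) throw new SigningKeyNotFoundException("No key with kid " + keyId, null);
        return jwk;
    }

    /** Same selection rule as UrlJwkProvider: a null kid is only accepted when exactly one key exists. */
    private static Jwk find(String keyId, List<Jwk> jwks) {
        if (keyId == null) {
            return jwks.size() == 1 ? jwks.get(0) : null;
        }
        for (Jwk jwk : jwks) if (keyId.equals(jwk.getId())) return jwk;
        return null;
    }
}
```

Newer releases of jwks-rsa-java expose the same idea through `JwkProviderBuilder.cached(...)` and `rateLimited(...)`, which is the route to prefer over a hand-written wrapper where available.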