auth0 / node-jwks-rsa

A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint.
MIT License

Support Cache-Control Response Header from JWKS Endpoint #288

Closed mramos-dev closed 2 years ago

mramos-dev commented 2 years ago

Describe the problem you'd like to have solved

The FHIR Bulk Data Access Implementation Guide from HL7 includes the following section:

The client SHOULD return a “Cache-Control” header in its JWKS response

  • The authorization server SHALL NOT cache a JWKS for longer than the client’s cache-control header indicates.
  • The authorization server SHOULD cache a client’s JWK Set according to the client’s cache-control header; it doesn’t need to retrieve it anew every time.

This implementation guide is referenced from a US Regulatory Requirement which would require that uses of this library in this context could not use caching. We would like to continue using caching for the reasons it was initially implemented; however, using this library as is could open us up to abuse if we completely disable caching of the JWKS Endpoint results.

Describe the ideal solution

The ideal solution would be adding support of the cache-control header if it's returned by the JWKS Endpoint.

Alternatives and current work-arounds

The only workaround I've arrived at would be disabling caching. If there are other workarounds, that feedback would be appreciated.

Additional information, if any

Issue 39 was submitted in the past for this feature request and eventually closed without any input from maintainers.

mramos-dev commented 2 years ago

@adamjmcgrath I'm not sure how to go about getting input from a maintainer on this issue. I'm reaching out because I'm concerned that this issue will have the same fate as Issue 39. Thank you for anything you can do to help with triaging this issue.

mramos-dev commented 2 years ago

Looks like cacheable-request module might work as an alternative to the memoizer module, lru-memoizer, currently being used by this module. There could be a new option for defining the cache type with the default value being 'lru-memoizer' for backwards compatibility. There could then also be a cache type option 'cacheable-request' that would cause the library to swap out the caching method.

Looks like the functional changes would be limited to the following: https://github.com/auth0/node-jwks-rsa/blob/master/src/wrappers/cache.js

Would the maintainers of this library be amenable to having a new dependency, cacheable-request, added? Maybe there is some other dependency that would do this better so I'd be open to suggestions.

Thanks!

adamjmcgrath commented 2 years ago

Hi @MRamos62786 - thanks for raising this.

We don't have plans to support this, but the SDK allows you to customise the JWKS request (using the fetcher option) - so you should be able to use cacheable-request yourself if you want this behaviour.
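The approach the maintainer points to, written out as an added example (this is not code from the jwks-rsa project): a custom `fetcher` that caches the key set per JWKS URI for no longer than the endpoint's `Cache-Control: max-age`, and not at all on `no-store`/`no-cache`. It assumes the `fetcher(jwksUri)` option and the `cache` option of `JwksClient` as documented in the library's README; the fake fetch implementation and the key set it serves are constructed for the demo.

```javascript
// Parse a Cache-Control value into a TTL in milliseconds. Returns 0 when the
// response must not be cached, defaultTtlMs when the header is absent or has no
// max-age, and never more than maxTtlMs (a local cap, independent of the server).
function cacheTtlMs(cacheControl, defaultTtlMs, maxTtlMs) {
  if (!cacheControl) return Math.min(defaultTtlMs, maxTtlMs);
  const directives = cacheControl.toLowerCase().split(',').map((d) => d.trim());
  // no-cache means "revalidate before reuse"; treated conservatively as "do not cache".
  if (directives.includes('no-store') || directives.includes('no-cache')) return 0;
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  if (maxAge === undefined) return Math.min(defaultTtlMs, maxTtlMs);
  const seconds = Number(maxAge.slice('max-age='.length));
  if (!Number.isInteger(seconds) || seconds < 0) return 0; // malformed value: do not cache
  return Math.min(seconds * 1000, maxTtlMs);
}

// Build a jwks-rsa `fetcher` keyed by JWKS URI. `fetchImpl` is fetch-compatible;
// `now` is injectable so expiry can be driven by a fake clock in tests.
function createCacheControlFetcher(fetchImpl, { defaultTtlMs = 0, maxTtlMs = 600000, now = Date.now } = {}) {
  const cache = new Map();
  return async function fetcher(jwksUri) {
    const hit = cache.get(jwksUri);
    if (hit && hit.expiresAt > now()) return hit.keys;
    cache.delete(jwksUri); // expired or absent: refetch from the client's endpoint
    const res = await fetchImpl(jwksUri);
    if (!res.ok) throw new Error(`JWKS request failed with status ${res.status}`);
    const keys = await res.json();
    const ttl = cacheTtlMs(res.headers.get('cache-control'), defaultTtlMs, maxTtlMs);
    if (ttl > 0) cache.set(jwksUri, { keys, expiresAt: now() + ttl });
    return keys;
  };
}

// Constructed stand-in for fetch: serves a placeholder key set with the given
// Cache-Control header and counts how many requests reach the "endpoint".
function fakeJwksServer(cacheControl) {
  const keys = { keys: [{ kty: 'RSA', kid: 'example-kid', use: 'sig', n: 'placeholder', e: 'AQAB' }] };
  const state = { requests: 0 };
  const fetchImpl = async () => {
    state.requests += 1;
    return { ok: true, status: 200, headers: new Map([['cache-control', cacheControl]]), json: async () => keys };
  };
  return { fetchImpl, state };
}

// Three lookups across one max-age=60 window; returns the number of network requests made.
async function demo(cacheControl) {
  let clock = 0;
  const server = fakeJwksServer(cacheControl);
  const fetcher = createCacheControlFetcher(server.fetchImpl, { now: () => clock });
  const uri = 'https://client.example/.well-known/jwks.json'; // constructed URI
  await fetcher(uri);                 // t=0s: network
  clock = 30000; await fetcher(uri);  // t=30s: served from cache when max-age=60
  clock = 61000; await fetcher(uri);  // t=61s: past max-age, network again
  return server.state.requests;
}
// Wiring into jwks-rsa (not executed here): `cache: false` keeps the library's own
// lru-memoizer wrapper from retaining keys past the endpoint's max-age.
//   const client = new JwksClient({ jwksUri, cache: false, fetcher: createCacheControlFetcher(fetch) });
```

With `cache: false` the library's `getSigningKey` goes through this fetcher on every call, so the endpoint's header is the only thing deciding how long a key set is reused.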