stytchauth / stytch-rust

MIT License

Missing JWK invalidation/rotation #27

Open kaiba42 opened 3 months ago

kaiba42 commented 3 months ago

Hi!

Thanks for making this awesome client library! I'm actually really curious how you are codegen-ing this, it's been a joy to use.

I was digging into the library and I found one issue that's mildly concerning. Kudos to implementing caching of JWKS in the http client 👏🏼 , however I believe there is a subtle issue of missing invalidation lurking.

Since this method caches the JWKS once and only once, there is no refresh after a key rotation occurs. This means that according to the documentation, fetch_jwks() is guaranteed to return an invalid key set at some point in the future after being called once.

I think it's a small fix! Happy to make a PR, but since the library appears to be partially codegen'd, I wasn't sure if contributing is possible.

logan-stytch commented 3 months ago

Thank you for the kind words! As for the codegen-ing, we wrote a blog post about it here, but we're hoping to open-source the library behind it later this year (just need to find time to clean it up a bit and add some examples).

You are correct that our current implementation of JWKS caching is incorrect since it doesn't handle key rotation. Since key rotation is a relatively rare event (keys rotate with about a one month grace window before the old key expires), we decided this was good enough to quickly unblock someone asking for it. With that said, I would love to do it better.

If you'd like to make a PR, I'd be happy to review it! As for the codegen-ing, the client.rs file is not codegen'd at all, so it's safe to modify.
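As an added illustration of the refresh behaviour discussed in this thread (the cache-once bug above and the rotation grace window), not code from stytch-rust: a JWKS cache that refetches when its TTL expires or when a token's `kid` is missing from the cached set, with a minimum interval between refreshes so a stream of unknown `kid`s cannot turn into a flood of requests to the JWKS endpoint. The `Jwk` struct, the `fetch` closure standing in for the HTTP call, and the timing values are assumptions.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Minimal JWK: only the fields the cache needs (constructed stand-in for a real JWK).
#[derive(Clone, Debug, PartialEq)]
pub struct Jwk { pub kid: String, pub n: String }

/// JWKS cache that refreshes on TTL expiry or on an unknown `kid`, with a minimum
/// interval between refreshes so unknown `kid`s cannot hammer the JWKS endpoint.
pub struct JwksCache<F: FnMut() -> Vec<Jwk>> {
    fetch: F,                      // stands in for the HTTP call to the JWKS endpoint
    keys: HashMap<String, Jwk>,    // current key set, indexed by kid
    fetched_at: Option<Instant>,   // None until the first fetch
    ttl: Duration,
    min_refresh_interval: Duration,
}

impl<F: FnMut() -> Vec<Jwk>> JwksCache<F> {
    pub fn new(fetch: F, ttl: Duration, min_refresh_interval: Duration) -> Self {
        Self { fetch, keys: HashMap::new(), fetched_at: None, ttl, min_refresh_interval }
    }

    fn refresh(&mut self, now: Instant) {
        self.keys = (self.fetch)().into_iter().map(|k| (k.kid.clone(), k)).collect();
        self.fetched_at = Some(now);
    }

    /// Return the key for `kid`, refetching the set when it is stale or lacks the kid.
    /// `now` is passed in so the behaviour can be tested without sleeping.
    pub fn get(&mut self, kid: &str, now: Instant) -> Option<Jwk> {
        let stale = self.fetched_at.map_or(true, |t| now.duration_since(t) >= self.ttl);
        if stale { self.refresh(now); }
        if let Some(k) = self.keys.get(kid) { return Some(k.clone()); }
        // Unknown kid: probably a rotation, so refetch once unless we just did.
        let just_fetched = self.fetched_at.map_or(false, |t| now.duration_since(t) < self.min_refresh_interval);
        if !just_fetched { self.refresh(now); }
        self.keys.get(kid).cloned()
    }
}

fn main() {
    let mut cache = JwksCache::new(
        || vec![Jwk { kid: "kid-2024-01".into(), n: "<modulus>".into() }],
        Duration::from_secs(3600), Duration::from_secs(60));
    println!("{:?}", cache.get("kid-2024-01", Instant::now()));
}
```

A request whose `kid` is still unknown after a refresh should be rejected, not retried against the endpoint again, which is what the minimum interval enforces.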