public final class RefreshingHttpsJwks extends Object implements Initable, Closeable
Wrapper around an org.jose4j.jwk.HttpsJwks that periodically refreshes the JWKS cache in the background, so that validating a JWT rarely (ideally never) requires an HTTP/HTTPS request in the hot path. It is still assumed that a JWT may arrive with a kid that points to a not-yet-cached JWK, in which case a connection to the OAuth/OIDC provider has to be made out of band. In practice, providers are expected to publish a new key for some time before they start signing JWTs with it, which keeps that case rare.

An instance of this class is created and handed to the HttpsJwksVerificationKeyResolver that backs an HTTP-/HTTPS-based VerificationKeyResolver; that resolver is in turn handed to the ValidatorAccessTokenValidator, which uses it to validate the signature of a JWT.

See Also:
HttpsJwksVerificationKeyResolver, VerificationKeyResolver, ValidatorAccessTokenValidator
Constructor and Description |
---|
RefreshingHttpsJwks(org.apache.kafka.common.utils.Time time, org.jose4j.jwk.HttpsJwks httpsJwks, long refreshMs, long refreshRetryBackoffMs, long refreshRetryBackoffMaxMs) Creates a RefreshingHttpsJwks that will be used by the RefreshingHttpsJwksVerificationKeyResolver to resolve new key IDs in JWTs. |
Modifier and Type | Method and Description |
---|---|
void | close() Stops the periodic refresh and releases associated resources. |
List<org.jose4j.jwk.JsonWebKey> | getJsonWebKeys() Returns the cached JWKs; our implementation avoids the blocking call within HttpsJwks.refresh() that is sometimes called internal to HttpsJwks.getJsonWebKeys(). |
String | getLocation() Returns the URL of the JWKS endpoint the wrapped HttpsJwks retrieves keys from. |
void | init() Lifecycle method to perform any one-time initialization of the retriever. |
boolean | maybeExpediteRefresh(String keyId) Triggers a refresh of the JWKS cache if the given keyId is no longer than MISSING_KEY_ID_MAX_KEY_LENGTH and is not already in the process of being expedited. |
public RefreshingHttpsJwks(org.apache.kafka.common.utils.Time time, org.jose4j.jwk.HttpsJwks httpsJwks, long refreshMs, long refreshRetryBackoffMs, long refreshRetryBackoffMaxMs)

Creates a RefreshingHttpsJwks that will be used by the RefreshingHttpsJwksVerificationKeyResolver to resolve new key IDs in JWTs.

Parameters:
time - Time instance used as the clock for refresh bookkeeping
httpsJwks - HttpsJwks instance from which to retrieve the JWKS, as published by the OAuth/OIDC provider
refreshMs - The number of milliseconds between refresh passes that connect to the OAuth/OIDC JWKS endpoint and retrieve the latest key set
refreshRetryBackoffMs - Initial delay before retrying after a failed attempt to retrieve the JWKS
refreshRetryBackoffMaxMs - Maximum delay between retries when retrieving the JWKS keeps failing; the backoff starts at refreshRetryBackoffMs and is capped at this value

public void init() throws IOException

Lifecycle method to perform any one-time initialization of the retriever. This is where the initial (blocking) JWKS fetch and the scheduling of the periodic refresh happen, so call it once at startup rather than on the authentication path.

Specified by:
init in interface Initable
Throws:
IOException - Thrown on errors related to IO during initialization

public void close()

Stops the periodic refresh and releases associated resources.

Specified by:
close in interface Closeable
Specified by:
close in interface AutoCloseable
public List<org.jose4j.jwk.JsonWebKey> getJsonWebKeys() throws org.jose4j.lang.JoseException, IOException

Returns the cached JWKs. Our implementation avoids the blocking call within HttpsJwks.refresh() that is sometimes called internal to HttpsJwks.getJsonWebKeys(). We want to avoid any blocking I/O, as this code is running in the authentication path on the Kafka network thread. As a consequence the returned list may be stale by up to refreshMs, and a key the provider published less than refreshMs ago may not be present yet; maybeExpediteRefresh(String) is the path that handles that case.

Returns:
List of JsonWebKey instances currently cached

Throws:
org.jose4j.lang.JoseException - Thrown if a problem is encountered parsing the JSON content into JWKs
IOException - Thrown if a problem is encountered making the HTTP request

public String getLocation()

Returns the URL of the JWKS endpoint that the wrapped HttpsJwks retrieves keys from.
public boolean maybeExpediteRefresh(String keyId)

maybeExpediteRefresh is a public method that will trigger a refresh of the JWKS cache if all of the following conditions are met:

- The length of the given keyId parameter is <= MISSING_KEY_ID_MAX_KEY_LENGTH
- The key isn't in the process of being expedited already

This expedited refresh is scheduled immediately. Note that keyId is taken from the header of a JWT whose signature has not been verified yet, so it is attacker-controlled input; the two conditions above help limit how much refresh traffic an unauthenticated client can provoke by presenting tokens with unknown or oversized key IDs.

Parameters:
keyId - JWT key ID

Returns:
true if an expedited refresh was scheduled, false otherwise
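The wiring described on this page, as an added example (this is not code from Apache Kafka or jose4j): a RefreshingHttpsJwks is constructed and initialized once, read from a small VerificationKeyResolver written for this example (it does what the page says the HTTP-/HTTPS-based resolver does, but it is not Kafka's RefreshingHttpsJwksVerificationKeyResolver), and used by a jose4j JwtConsumer to validate a token. The resolver reads only the cached key list, so no HTTP request happens on the caller's thread, and on an unknown kid it calls maybeExpediteRefresh and rejects the token, leaving the client to retry once the refresh has landed. The Kafka package name of RefreshingHttpsJwks, the JWKS URL, issuer and audience, and the token passed on the command line are assumptions; the refresh and backoff values are illustrative.

```java
// Added example, not code from Apache Kafka or jose4j. Assumptions (not from the
// documentation): the Kafka package of RefreshingHttpsJwks and the placeholder
// JWKS URL, issuer and audience below.
import java.io.IOException;
import java.security.Key;
import java.util.List;
import org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwks;
import org.apache.kafka.common.utils.Time;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

public final class RefreshingJwksExample {
    // Placeholders (assumptions for this example), not values from the page.
    private static final String JWKS_URL = "https://issuer.example/.well-known/jwks.json";
    private static final String EXPECTED_ISSUER = "https://issuer.example";
    private static final String EXPECTED_AUDIENCE = "kafka";
    // Refresh every 5 minutes; after a failed fetch retry in 10 s, backing off to at most 1 minute.
    private static final long REFRESH_MS = 5 * 60 * 1000L;
    private static final long RETRY_BACKOFF_MS = 10_000L;
    private static final long RETRY_BACKOFF_MAX_MS = 60_000L;

    /** Resolves signing keys from the refreshed cache only; never fetches on the caller's thread. */
    static final class CachedJwksKeyResolver implements VerificationKeyResolver {
        private final RefreshingHttpsJwks jwks;
        private final VerificationJwkSelector selector = new VerificationJwkSelector();

        CachedJwksKeyResolver(RefreshingHttpsJwks jwks) {
            this.jwks = jwks;
        }

        @Override
        public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                throws UnresolvableKeyException {
            JsonWebKey match;
            try {
                // Cached list, possibly stale by up to REFRESH_MS; no HTTP request is made here.
                List<JsonWebKey> cached = jwks.getJsonWebKeys();
                // Selects by kid, and by alg/use/kty when the JWS header carries them.
                match = selector.select(jws, cached);
            } catch (JoseException | IOException e) {
                throw new UnresolvableKeyException("could not read the cached JWKS", e);
            }
            if (match != null) {
                return match.getKey();
            }
            // Unknown kid (an unverified, attacker-controlled header value): ask for an
            // out-of-band refresh, subject to the class's length and dedup conditions, and
            // reject this token now. A retried token can succeed once the refresh has landed.
            String kid = jws.getKeyIdHeaderValue();
            boolean scheduled = jwks.maybeExpediteRefresh(kid);
            throw new UnresolvableKeyException("no verification key for kid '" + kid + "' in "
                    + jwks.getLocation() + "; expedited refresh scheduled: " + scheduled);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: RefreshingJwksExample <compact-serialized-JWT>");
            System.exit(2);
        }
        String token = args[0];
        RefreshingHttpsJwks refreshingJwks = new RefreshingHttpsJwks(
                Time.SYSTEM, new HttpsJwks(JWKS_URL), REFRESH_MS, RETRY_BACKOFF_MS, RETRY_BACKOFF_MAX_MS);
        // init() does the one blocking fetch and starts the periodic refresh: call it once at
        // startup, off the authentication path. close() stops the background refresh.
        refreshingJwks.init();
        try {
            JwtConsumer consumer = new JwtConsumerBuilder()
                    .setVerificationKeyResolver(new CachedJwksKeyResolver(refreshingJwks))
                    // Pin the accepted JWS algorithm so the token's alg header cannot select a weaker one.
                    .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                            AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                    .setExpectedIssuer(EXPECTED_ISSUER)
                    .setExpectedAudience(EXPECTED_AUDIENCE)
                    .setRequireExpirationTime()
                    .setRequireSubject()
                    .build();
            JwtClaims claims = consumer.processToClaims(token);
            System.out.println("verified token for subject " + claims.getSubject());
        } catch (InvalidJwtException e) {
            // Covers bad signatures, expired tokens and the UnresolvableKeyException thrown above.
            System.err.println("token rejected: " + e.getMessage());
        } finally {
            refreshingJwks.close();
        }
    }
}
```

Run it as `java RefreshingJwksExample <token>` with the Kafka and jose4j jars on the classpath. In a broker the init() call belongs in startup, not in the per-connection path, and a single RefreshingHttpsJwks should be shared by all authenticators so that one background thread serves the whole process.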