Implementation of HttpsJwks that will periodically refresh the JWKS cache to reduce or even prevent HTTP/HTTPS traffic in the hot path of validation. It is assumed that it's possible to receive a JWT that contains a kid that points to a yet-unknown JWK, thus requiring a connection to the OAuth/OIDC provider to be made. Hopefully, in practice, keys are made available for some amount of time before they're used within JWTs.

This instance is created and provided to the HttpsJwksVerificationKeyResolver that is used when using an HTTP-/HTTPS-based VerificationKeyResolver, which is then provided to the ValidatorAccessTokenValidator to use in validating the signature of a JWT.

Constructor and Description

public RefreshingHttpsJwks(org.apache.kafka.common.utils.Time time, org.jose4j.jwk.HttpsJwks httpsJwks, long refreshMs, long refreshRetryBackoffMs, long refreshRetryBackoffMaxMs)

Creates a RefreshingHttpsJwks that will be used by the RefreshingHttpsJwksVerificationKeyResolver to resolve new key IDs in JWTs.

Parameters:
httpsJwks - HttpsJwks instance from which to retrieve the JWKS based on the OAuth/OIDC standard
refreshMs - The number of milliseconds between refresh passes to connect to the OAuth/OIDC JWKS endpoint to retrieve the latest set
refreshRetryBackoffMs - Time to delay after the initial failed attempt to retrieve the JWKS
refreshRetryBackoffMaxMs - Maximum time to retrieve the JWKS

Method and Description

public void init() throws IOException

Lifecycle method to perform any one-time initialization of the retriever.

public void close()

public List<org.jose4j.jwk.JsonWebKey> getJsonWebKeys() throws org.jose4j.lang.JoseException, IOException

Our implementation avoids the blocking call within HttpsJwks.refresh() that is sometimes called internally by HttpsJwks.getJsonWebKeys(). We want to avoid any blocking I/O, as this code runs in the authentication path on the Kafka network thread. The list may be stale up to

public String getLocation()

public boolean maybeExpediteRefresh(String keyId)

maybeExpediteRefresh is a public method that will trigger a refresh of the JWKS cache if all of the following conditions are met:

- The given keyId parameter is <= the

This expedited refresh is scheduled immediately.

Parameters:
keyId - JWT key ID

Returns:
true if an expedited refresh was scheduled,
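The refresh and expedite behaviour described above, modelled in Python as an added example (this is not Kafka's own code, which is Java, nor jose4j's): the value of MISSING_KEY_ID_MAX_LENGTH and the rule that only one expedited refresh may be pending at a time are assumptions of this model, and run_scheduled() stands in for the background refresh thread.

```python
import time
from typing import Callable, Dict, List, Optional

# Assumed value: the page only says the kid must be "<=" some maximum length.
MISSING_KEY_ID_MAX_LENGTH = 32

class RefreshingJwksCache:
    """Model of a periodically refreshed JWKS cache (not Kafka's RefreshingHttpsJwks).
    fetch_jwks stands in for the HTTPS request; now_ms is an injectable clock."""

    def __init__(self, fetch_jwks: Callable[[], List[Dict]], refresh_ms: int,
                 now_ms: Callable[[], int] = lambda: int(time.time() * 1000)):
        self._fetch, self._refresh_ms, self._now = fetch_jwks, refresh_ms, now_ms
        self._keys: List[Dict] = []
        self._last_refresh_ms: Optional[int] = None
        self._pending_expedited = False
        self.fetch_count = 0  # number of endpoint round trips actually made

    def init(self) -> None:
        """One-time initialization; the only call site that may block the caller."""
        self._refresh()

    def _refresh(self) -> None:
        """Blocking fetch: must only run on the refresh path, never the auth hot path."""
        self._keys = self._fetch()
        self.fetch_count += 1
        self._last_refresh_ms = self._now()
        self._pending_expedited = False

    def get_json_web_keys(self) -> List[Dict]:
        """Hot path: no I/O, returns the cache, which may be stale up to refresh_ms."""
        return list(self._keys)

    def maybe_expedite_refresh(self, key_id: str) -> bool:
        """Schedule an immediate refresh for an unknown kid; True if one was scheduled."""
        if len(key_id) > MISSING_KEY_ID_MAX_LENGTH:
            return False  # oversized kid from an untrusted token: never a reason to hit the endpoint
        if self._pending_expedited:
            return False  # assumption of this model: at most one pending expedited refresh
        self._pending_expedited = True
        return True

    def run_scheduled(self) -> bool:
        """Stand-in for the background executor: runs a due periodic or pending expedited refresh."""
        due = (self._last_refresh_ms is None
               or self._now() - self._last_refresh_ms >= self._refresh_ms)
        if due or self._pending_expedited:
            self._refresh()
            return True
        return False
```

The constructed JWKS served by fetch_jwks in the test is a plain list of dicts; the point of the model is that reads never fetch, while an unknown kid only causes a fetch when it passes the length bound.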