Class JWKSStaticSetHandlerImpl

java.lang.Object
uk.co.spudsoft.jwtvalidatorvertx.impl.JWKSStaticSetHandlerImpl
All Implemented Interfaces:
JsonWebKeySetHandler, JsonWebKeySetKnownJwksHandler

public class JWKSStaticSetHandlerImpl extends Object implements JsonWebKeySetKnownJwksHandler
Implementation of JsonWebKeySetKnownJwksHandler that stores JWKs in a HashMap.
Author:
jtalbut
  • Constructor Details

    • JWKSStaticSetHandlerImpl

      public JWKSStaticSetHandlerImpl(io.vertx.ext.web.client.WebClient webClient, Collection<String> jwksUrls, Duration defaultJwkCacheDuration)
      Constructor. With a static map of JWKs, the security of the system is not compromised by allowing any issuer, though you should question why this is necessary. Each JWKS endpoint must use KIDs that are globally unique. When a KID is requested and cannot be found, ALL the configured JWKS URLs will be queried and the single cache will be updated. Entries in the cache will be retained for a duration based on either the Cache-Control max-age header of the response or, if that is not present, the defaultJwkCacheDuration. Given that only positive responses are cached, it is reasonable for the defaultJwkCacheDuration to be 24 hours (or more).
      Parameters:
      webClient - Vertx WebClient instance, that will be used for querying the JWKS URLs.
      jwksUrls - Static set of URLs that will be used for obtaining JWKs.
      defaultJwkCacheDuration - Time to keep JWKs in cache if no Cache-Control: max-age header is found. The JWKS URLs must be accessed via HTTPS for the environment to offer any security. This is not enforced at the code level.
  • Method Details

    • optimize

      public void optimize()
      Description copied from interface: JsonWebKeySetHandler
      Perform whatever initialization is required to get this handler working.

      This is primarily intended to provide the opportunity for handlers to preload JWKs. It shouldn't matter whether or not the preload has completed, hence this method returns void and it is expected that processing continues in the background.

      Specified by:
      optimize in interface JsonWebKeySetHandler
    • findJwk

      public io.vertx.core.Future<io.vertx.ext.auth.impl.jose.JWK> findJwk(String issuer, String kid)
      Description copied from interface: JsonWebKeySetHandler
      Find a JWK for the given issuer and kid. A specific implementation of JsonWebKeySetHandler will require the issuer either to be null or to be non-null. The issuer should never be extracted from the payload of a JWT for the purpose of finding the JWK. If the client has a mechanism for knowing the issuer of the token, it can work with a greater number of issuers. If the client is not able to determine the issuer for a token (before validation), then it must maintain a cache of the keys for all known JWK sets.
      Specified by:
      findJwk in interface JsonWebKeySetHandler
      Parameters:
      issuer - The issuer of the JWT (and JWK).
      kid - The key ID being sought.
      Returns:
      A Future that will be completed with a JWK.
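
The constructor notes above say that HTTPS on the JWKS URLs is required for any security but is not enforced at the code level. The following is an added example, not code from the library or its author, showing one way a caller can enforce that before constructing the handler; the class name `StaticJwksSetup`, the helper `requireHttps` and the example.com URLs are assumptions made for illustration.

```java
import io.vertx.core.Vertx;
import io.vertx.ext.web.client.WebClient;
import java.net.URI;
import java.time.Duration;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import uk.co.spudsoft.jwtvalidatorvertx.impl.JWKSStaticSetHandlerImpl;

public class StaticJwksSetup {

  // Hypothetical helper: accept only absolute https URLs with a host and no embedded credentials.
  static Set<String> requireHttps(Collection<String> urls) {
    Set<String> checked = new LinkedHashSet<>(); // also removes duplicate entries
    for (String url : urls) {
      URI uri = URI.create(url.trim()); // throws IllegalArgumentException on malformed input
      if (!"https".equalsIgnoreCase(uri.getScheme())) {
        throw new IllegalArgumentException("JWKS URL is not https: " + url);
      }
      if (uri.getHost() == null || uri.getUserInfo() != null) {
        throw new IllegalArgumentException("JWKS URL needs a host and no credentials: " + url);
      }
      checked.add(uri.toString());
    }
    if (checked.isEmpty()) {
      throw new IllegalArgumentException("At least one JWKS URL is required");
    }
    return checked;
  }

  public static void main(String[] args) {
    // Constructed sample configuration (placeholder hosts, not real issuers).
    List<String> configured = List.of(
        "https://idp-a.example.com/.well-known/jwks.json",
        "https://idp-b.example.com/jwks");

    Vertx vertx = Vertx.vertx();
    WebClient webClient = WebClient.create(vertx);

    // Fails fast at startup if any configured URL would be fetched without TLS.
    JWKSStaticSetHandlerImpl handler = new JWKSStaticSetHandlerImpl(
        webClient, requireHttps(configured), Duration.ofHours(24));

    // Returns void; any preloading continues in the background.
    handler.optimize();
  }
}
```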