JWT: Enable reading a JSON Web Key Set from a file #180
Conversation
ForwardingSignatureValidator holds a pointer to some other SignatureValidator and will forward ValidateSignature requests to this validator. The validator it references can be changed by calling Replace().
This changes the jwt.proto definition to take either an inline JWKS struct, or a message containing a file path and a refresh interval. The intention is that when a file path and refresh interval is provided, we create a ForwardingSignatureValidator, and periodically update its internal SignatureValidator with content from the referenced file. When passing inline content, behavior should remain unchanged.
When loading the JWT configuration, check if the config provides inline JWKS content, or a reference to a file. If we get a reference to a file, we set up a goroutine to periodically fetch the file and update a ForwardingSignatureValidator.
Rather than make this configurable, we'll refresh the JWKS file every 300 seconds
…ngSignatureValidator return that
pkg/jwt/configuration.go
Outdated
| } | ||
|
|
||
| var jwks jose.JSONWebKeySet | ||
| err = json.NewDecoder(r).Decode(&jwks) |
There was a problem hiding this comment.
One interesting fact about json.NewDecoder().Decode() I got told about the other day is that it:
- still ends up loading all JSON in memory up front. There is thus no savings in memory usage
- permits trailing garbage, as it simply stops parsing after the top-level object is completed
With that in mind, I guess we should just io.ReadAll() it?
There was a problem hiding this comment.
I have no preference. Even if it did stream the file, these files are so small that I don't think it matters very much
There was a problem hiding this comment.
But my concern is that json.NewDecoder().Decode() permits trailing garbage. Amongst other things, it's designed to also permit reading newline delimited JSON files.
I would suggest we use io.ReadAll() here.
|
@EdSchouten any chance we could get this merged this week? |
pkg/jwt/configuration.go
Outdated
| } | ||
|
|
||
| var jwks jose.JSONWebKeySet | ||
| err = json.NewDecoder(r).Decode(&jwks) |
There was a problem hiding this comment.
But my concern is that json.NewDecoder().Decode() permits trailing garbage. Amongst other things, it's designed to also permit reading newline delimited JSON files.
I would suggest we use io.ReadAll() here.
This reverts commit ba426d0.
|
@EdSchouten ping |
This changes the JWKS configuration to be one of either inline content (as before) or a reference to a file.
To enable this, a new signature validator is added, the ForwardingSignatureValidator, which holds a pointer to some other validator that requests to ValidateSignature are forwarded to. We can replace this validator by calling Replace(). When periodically reading the content at the JWKS file path, this internal validator is updated to one containing the new JWKS content.