The JWK retriever does not remove stale JWK from cache #7849

Closed
chunlongliang-ibm opened this issue Jun 11, 2019 · 2 comments · Fixed by #9026
Labels
in:Security release bug This bug is present in a released version of Open Liberty release:190010 team:Security SSO

Comments

@chunlongliang-ibm

chunlongliang-ibm commented Jun 11, 2019

The Liberty client caches JWKs for reuse, and fetches and caches new JWKs when a JWT is signed with a new JWK (new kid or x5t). While fetching new JWKs, Liberty should clean up stale or old JWKs.

There is a regression that disables the cleanup logic.

The code that needs to be fixed is the JwkRetriever.java class.

  1. Remove old JWKs (not immediately, so tokens signed with the old key can still be verified).
  2. Have a configuration option to remove the old key immediately when a new key is downloaded (in case the private key is stolen).
@ayoho
Member

ayoho commented Aug 26, 2019

Need to investigate to see if this is still an issue.

@brutif brutif self-assigned this Sep 16, 2019
@brutif
Contributor

brutif commented Sep 17, 2019

Looks like the issue is that JwkRetriever.parseKeyText calls JwkSet.add(..) but the cleanup algorithm only runs if JwkSet.addJWK(..) is called.

@brutif brutif added the release bug This bug is present in a released version of Open Liberty label Sep 17, 2019
@brutif brutif changed the title The JWK retriver need remove stale JWK from cache The JWK retriever does not remove stale JWK from cache Sep 17, 2019
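A self-contained sketch, added here and not Open Liberty's JwkRetriever or JwkSet code, of the cache behaviour this issue asks for: a superseded key is kept for a grace period so tokens signed with it still verify, a configuration switch evicts it immediately instead, and the cleanup runs on every refresh path so it cannot be skipped the way the reporter describes. Class, method and key names are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;
/** Hypothetical JWK cache (an assumption, not Open Liberty's JwkSet) with stale-key cleanup. */
public final class JwkCache {
    private final Map<String, String> keysByKid = new LinkedHashMap<>(); // kid -> key material (constructed)
    private final Map<String, Instant> staleSince = new HashMap<>();    // kid -> when it was superseded
    private final Duration gracePeriod;      // how long a superseded key still verifies tokens
    private final boolean evictImmediately;  // the configuration option the issue asks for
    public JwkCache(Duration gracePeriod, boolean evictImmediately) {
        this.gracePeriod = gracePeriod;
        this.evictImmediately = evictImmediately;
    }
    /** Called after a fresh JWK Set download, e.g. when a token carries an unknown kid. */
    public synchronized void refresh(Map<String, String> downloaded, Instant now) {
        for (String kid : keysByKid.keySet()) {           // keys no longer published are stale
            if (!downloaded.containsKey(kid)) staleSince.putIfAbsent(kid, now);
        }
        downloaded.keySet().forEach(staleSince::remove);  // republished keys are current again
        keysByKid.putAll(downloaded);
        evict(now);                                       // cleanup runs on every refresh, no separate add path
    }
    /** Drops superseded keys once the grace period has passed (or at once when configured). */
    private void evict(Instant now) {
        staleSince.entrySet().removeIf(e -> {
            boolean expired = evictImmediately
                    || !Duration.between(e.getValue(), now).minus(gracePeriod).isNegative();
            if (expired) keysByKid.remove(e.getKey());
            return expired;
        });
    }
    /** Key lookup for signature verification; evicts first so a stale key never outlives its grace. */
    public synchronized Optional<String> lookup(String kid, Instant now) {
        evict(now);
        return Optional.ofNullable(keysByKid.get(kid));
    }
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2019-06-11T00:00:00Z");          // constructed timestamps
        JwkCache graceful = new JwkCache(Duration.ofHours(1), false);
        graceful.refresh(Map.of("kid-old", "key-material-1"), t0);
        graceful.refresh(Map.of("kid-new", "key-material-2"), t0.plusSeconds(60)); // issuer rotated
        System.out.println("old key within grace: " + graceful.lookup("kid-old", t0.plusSeconds(120)).isPresent());
        System.out.println("old key after grace: " + graceful.lookup("kid-old", t0.plus(Duration.ofHours(2))).isPresent());
        JwkCache strict = new JwkCache(Duration.ofHours(1), true);
        strict.refresh(Map.of("kid-old", "key-material-1"), t0);
        strict.refresh(Map.of("kid-new", "key-material-2"), t0.plusSeconds(60));
        System.out.println("old key, immediate eviction: " + strict.lookup("kid-old", t0.plusSeconds(61)).isPresent());
    }
}
```

With the grace period the first lookup succeeds and the second fails; with immediate eviction the old key is gone as soon as the rotated set is loaded, which is the behaviour wanted when the old private key is suspected compromised.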