Implement Enhanced Backoff Policy for JWKs Retrieval and Validation #1135
Comments
/bounty 300
💎 $300 bounty created by Permify. Don't wait to be assigned. A reward will be given for the best PR. 🔴 Livestream on Algora TV while solving this bounty and receive $200 upon merge!
I would like to give it a try, can I be assigned? @tolgaOzen
Adding myself in the queue..
Adding myself in the queue as well
/attempt #1135
💡 @ahmethakanbesel submitted a pull request that claims the bounty. You can visit your bounty board to reward.
@tolgaOzen - I noticed one of the features was
I do not see anything in the merged PR #1137 that adds the backoff strategy or even retries the JWKS attempt if the KID is not found, but rather just failing to authenticate. I see that it handles the auto-refresh but not the backoff part of the needs. There are scenarios where the One could say that you should set the refresh timer to a low number (5 minutes) so your maximum outage of a key rotation is low, but that is also making Permify a bit chatty when it doesn't have to be if there is some logic to refresh if a new KID is presented that isn't in the keyset and it has been more than
Context
This feature request relates to our OIDC implementation, which is located at /internal/authn/oidc within the Permify repository.
Current Behavior
The system currently fetches JWKs only on a fixed timed interval. This mechanism does not support scenarios requiring urgent key rotation (a token signed with a newly rotated key fails until the next scheduled fetch), and it offers no protection against abuse through the submission of invalid tokens if fetches were instead triggered by every unknown key ID.
Proposed Enhancements
Rationale
This enhancement aims to bolster security by facilitating urgent key rotation (refreshing the key set on demand when a token presents an unknown key ID) while preventing abuse scenarios: a backoff policy ensures that a flood of invalid tokens cannot be turned into a flood of requests against the JWKS server.
Suggested Libraries/References
We are using the lestrrat-go/jwx/jwk library for JWK handling.
Timeline
Urgently needed by Wednesday (20.03.2024) to meet security and operational standards.
Request
We are seeking feedback on this proposed approach and would appreciate any support in implementing these changes. Thank you for your attention and assistance.
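One way to realise the policy this issue asks for (refresh on demand when a token carries an unknown kid, but back off exponentially while such refreshes keep coming back empty, so bogus tokens cannot flood the JWKS endpoint), as an added example that is not Permify's code: it uses only the Go standard library, a string map stands in for the jwk.Set that lestrrat-go/jwx would hold, and the clock is injected so the backoff can be checked deterministically.

```go
package main

import (
	"sync"
	"time"
)

// KeySet stands in for the JWKS (assumption: kid -> key as a string; real code would hold a jwk.Set).
type KeySet map[string]string

// KeyCache refreshes on demand when an unknown kid is presented and backs off while that stays fruitless.
type KeyCache struct {
	mu          sync.Mutex
	keys        KeySet
	fetch       func() (KeySet, error) // loads the JWKS from the provider
	now         func() time.Time       // injected clock so the policy is testable
	minBackoff  time.Duration          // wait after the first fruitless refresh
	maxBackoff  time.Duration          // ceiling for the doubling
	backoff     time.Duration          // current wait
	nextAllowed time.Time              // earliest time an on-demand refresh may run
}
func NewKeyCache(fetch func() (KeySet, error), now func() time.Time, floor, ceiling time.Duration) *KeyCache {
	return &KeyCache{keys: KeySet{}, fetch: fetch, now: now, minBackoff: floor, maxBackoff: ceiling, backoff: floor}
}
// Lookup returns the key for kid. On a miss it refreshes at most once per backoff window and
// doubles the window (up to maxBackoff) while the kid stays unknown, so a flood of tokens with
// bogus kids cannot become a flood of JWKS requests; a refresh that reveals the kid resets it.
func (c *KeyCache) Lookup(kid string) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if k, ok := c.keys[kid]; ok {
		return k, true
	}
	t := c.now()
	if t.Before(c.nextAllowed) {
		return "", false // still backing off: reject without touching the JWKS endpoint
	}
	c.nextAllowed = t.Add(c.backoff)
	if ks, err := c.fetch(); err == nil {
		c.keys = ks // a failed fetch keeps the old set but still consumes the window
	}
	if k, ok := c.keys[kid]; ok {
		c.backoff, c.nextAllowed = c.minBackoff, t.Add(c.minBackoff) // genuine rotation: reset
		return k, true
	}
	if c.backoff *= 2; c.backoff > c.maxBackoff {
		c.backoff = c.maxBackoff
	}
	return "", false
}
```

The existing timed refresh loop can keep calling the fetcher and storing the result under the same mutex; the on-demand path above only governs refreshes triggered by tokens.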