-
Notifications
You must be signed in to change notification settings - Fork 234
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Key not found result is not cached resulting in extra jwks requests #319
Comments
Hi @tzuge - thanks for raising this
This is expected behaviour, otherwise the cache could be filled up with spurious results. |
@adamjmcgrath , could you clarify what you mean by spurious results? The response coming back with 200 and a body that does not contain the I acknowledge that this might be a pain to change since the error is used for both cases and the memoize lib is quite reasonably not memoizing that. |
Hi @tzuge
Sure, if you cached non existent kids - someone could generate many access tokens with different kid's and quickly fill the cache. The SDK is not optimised to accept access tokens from the wrong issuer, you'll need to find a way to select the correct issuer based on the request (like the workaround you described) |
Describe the problem
Failure to find the key from the jwks endpoint leads to a
SigningKeyNotFoundError
, and lru-memoizer does not appear to cache this 'no key' result, so caching does not limit requests to the jwks endpoint when kid is not found in the response.Expected behaviour
I would expect that a failure in the request to jwks endpoint would not be cache (i.e. if server returns 500, then trying again next time is appropriate). However, if the request is successful and the kid is not in the response, that's a valid result that should be cached for the regular TTL.
Reproduction
In my specific case, I have express applications with multiple jwt strategies with passport and it's expected that tokens will pass one or the other. The 'no key' result not being cached results in extra overhead on requests; this is partly interaction with issuer check happening after secretOrKeyProvider in jwt strategy. Workaround is possible by decoding jwt header and comparing against issuer to skip jwks key resolution.
Configure a jwks uri that is not consistent with access tokens provided in requests.
Environment
jwks-rsa version: 2.1.4
The text was updated successfully, but these errors were encountered: