Identity provider key caching behavior causing lookup conflict #2915
Commits on Jun 4, 2024
-
Identity provider key caching behavior causing lookup conflict
Problem: UAA caches the key from Identity provider. The default cache eviction time is 10 minutes. When the Identity provider changes the key, the UAA may end up with stale key in the cache. All the token validations will fail during stale key period. Resolution: In case of signature validation failure, invalidate the cache and retrieve the latest/current key from Identity Provider and use it for validation. This behaviour is applicable for all signature validation failure. Another potential solution considered: Provide an endpoint or update existing endpoint that enables Identity provider to trigger cache invalidation upon key change. Testing done: Unit test and IT added Manual testing done by deploying a UAA and an Idenity provider. Signed-off-by: Peter Chen <peter-h.chen@broadcom.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.