Migrate OIDC discovery and key fetching from legacy HTTP client to new curl-based client#8005
Merged
Merged
Conversation
…#7989) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com> Co-authored-by: Amaury Chamayou <amaury@xargs.fr> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
Author
|
@copilot create a summary of the changes. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates CCF’s JWT/JWK auto-refresh implementation to use the existing libcurl multi client (improving observability of network/TLS failures) and introduces a new startup configuration to cap the maximum accepted response size when fetching OpenID metadata and JWKS.
Changes:
- Switch JWT/JWK auto-refresh outbound fetches from
RPCSessions::create_client()to the curl multi singleton, counting connection/TLS failures in refresh failure metrics. - Add
jwt.key_refresh_max_response_sizeto limit OpenID metadata/JWKS response body sizes, wiring it through config, schema, CLI/test infra, and docs. - Expand JWT auto-refresh tests to cover connection failure, TLS failure, invalid metadata, cross-authority
jwks_uri, and response-size limiting.
Custom instructions used:
.github/copilot-instructions.md.github/instructions/reviewing.instructions.md
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/programmability.py | Sets a smaller max-response-size in a programmability test network config. |
| tests/jwt_test.py | Adds several new auto-refresh negative/edge-case tests and adjusts metrics assertions. |
| tests/infra/remote.py | Threads jwt_key_refresh_max_response_size through node startup config rendering. |
| tests/infra/network.py | Forwards jwt_key_refresh_max_response_size as a supported node arg. |
| tests/infra/jwt_issuer.py | Adds SAN to generated issuer certs (needed for strict curl hostname verification). |
| tests/infra/e2e_args.py | Adds CLI arg --jwt-key-refresh-max-response-size. |
| tests/infra/crypto.py | Adds optional SAN support to test certificate generation. |
| tests/config.jinja | Emits jwt.key_refresh_max_response_size into generated node config JSON. |
| src/node/node_state.h | Passes max-response-size config into JwtKeyAutoRefresh. |
| src/node/jwt_key_auto_refresh.h | Reworks auto-refresh fetch path to curl multi, adds https validation and response size limiting. |
| src/http/curl.h | Improves curl error handling/checking and shutdown logging; updates slist append behaviour. |
| src/common/configuration.h | Adds JWT config JSON field key_refresh_max_response_size. |
| include/ccf/node/startup_config.h | Defines new startup config field key_refresh_max_response_size. |
| doc/host_config_schema/host_config.json | Documents the new JWT config option in the host config schema. |
| doc/build_apps/auth/jwt.rst | Updates JWT docs to mention key_refresh_interval and the new max-response-size setting. |
| python/pyproject.toml | Bumps Python package version to 7.0.7. |
| CHANGELOG.md | Adds 7.0.7 entries describing the curl multi switch and max response size configuration. |
Contributor
|
…efresh-curl # Conflicts: # CHANGELOG.md
achamayou
commented
Jun 30, 2026
achamayou
commented
Jun 30, 2026
maxtropets
reviewed
Jun 30, 2026
maxtropets
reviewed
Jun 30, 2026
…quirement Co-authored-by: maxtropets <16566519+maxtropets@users.noreply.github.com>
Collaborator
|
Not able to review this due to unfamiliarity with both |
eddyashton
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes items 2 and 3 in #7262 by migrating JWK download and refresh to the curl client, plus a few fixes to the client along the way.
This leaves the Join client as the last httpclient user, to be removed in a separate PR.
Review follow-up: