Class CachingJwkSetService

java.lang.Object
org.forgerock.openig.fapi.jwks.CachingJwkSetService
All Implemented Interfaces:
JwkSetService

public class CachingJwkSetService extends Object implements JwkSetService
JwkSetService implementation that caches JWK Set data in memory, so that the JWK Set URI is not fetched over the network on every request.

The principal aim is to bound the overall number of entries in the cache, as there may be a large number of API clients, each referencing a different JWK Set. The underlying secret store manages the cache timeout and refresh, and the cache-miss timeout.

 {
   "type": "CachingJwkSetService",
   "config": {
     "endpointHandler":    handler              [OPTIONAL - the handler used to acquire the JWKS from the
                                                            jwksUri - defaults to ClientHandler.]
     "cacheTimeout":       expression<duration> [OPTIONAL - cache timeout, so that the cache is reloaded
                                                            periodically - default is "2 minutes".]
     "cacheMissTimeout":   expression<duration> [OPTIONAL - the minimum time that must elapse before the
                                                            cache is reloaded in response to a cache miss
                                                            (for example an unknown kid) - default is
                                                            "2 minutes".]
     "cacheMaxSize":       expression<integer>  [OPTIONAL - the maximum size the cache may grow to before
                                                            cached items are evicted - default is 500.]
   }
 }

Note that CachingJwkSetService also constrains the JWKs it returns by the JWK 'use' that matches the requested purpose, to prevent cross-JWK usage (where a valid but unintended JWK could otherwise be selected for a given use/purpose):

  1. Transport keys fetched using purpose JwkSetServicePurposes.transportPurpose() are constrained on JWK use 'tls'.
  2. Signing keys fetched using purpose JwkSetServicePurposes.signingPurpose() are constrained on JWK use 'sig'.
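The following is an added illustration of the caching and 'use'-constraint behaviour described above; it is not OpenIG code and does not use the OpenIG API. It models a bounded LRU cache keyed by jwksUri with a periodic reload (cacheTimeout), a minimum interval between miss-triggered reloads (cacheMissTimeout) so that requests for unknown kids cannot drive a fetch storm against a client's JWKS endpoint, and an LRU bound (cacheMaxSize). The sample JWK Sets, FakeClock, sample_fetcher, JwkSetCache and the 'tls'/'sig' constants are constructed for the example; key material is a placeholder.

```python
"""Bounded, use-constrained JWK Set cache (added illustration, not OpenIG code)."""
import copy
import time
from collections import OrderedDict
from dataclasses import dataclass

# JWK 'use' values tied to each purpose: transport keys -> 'tls', signing keys -> 'sig'.
TRANSPORT_USE = "tls"
SIGNING_USE = "sig"

# Constructed sample JWK Set documents keyed by jwks_uri. Key material is a placeholder.
SAMPLE_JWKS = {
    "https://client-a.example/jwks": {"keys": [
        {"kid": "a-tls", "kty": "RSA", "use": "tls", "n": "placeholder", "e": "AQAB"},
        {"kid": "a-sig", "kty": "RSA", "use": "sig", "n": "placeholder", "e": "AQAB"},
    ]},
    "https://client-b.example/jwks": {"keys": [
        {"kid": "b-sig", "kty": "EC", "use": "sig", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
    ]},
    "https://client-c.example/jwks": {"keys": [
        {"kid": "c-sig", "kty": "EC", "use": "sig", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
    ]},
}


class FakeClock:
    """Controllable monotonic clock so the timeout behaviour can be exercised offline."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def sample_fetcher(store):
    """Stand-in for the endpointHandler: returns a copy of the JWK Set published at a URI."""
    def fetch(jwks_uri):
        return copy.deepcopy(store[jwks_uri])
    return fetch


@dataclass
class _Entry:
    fetched_at: float
    jwks: dict


class JwkSetCache:
    def __init__(self, fetch, cache_timeout=120.0, cache_miss_timeout=120.0,
                 cache_max_size=500, clock=time.monotonic):
        self._fetch = fetch
        self._cache_timeout = cache_timeout          # periodic reload interval
        self._cache_miss_timeout = cache_miss_timeout  # minimum age before a miss may force a reload
        self._max_size = cache_max_size
        self._clock = clock
        self._entries = OrderedDict()  # jwks_uri -> _Entry, least recently used first
        self.fetch_count = 0           # number of fetches actually performed

    def _load(self, jwks_uri, now):
        entry = _Entry(now, self._fetch(jwks_uri))
        self.fetch_count += 1
        self._entries[jwks_uri] = entry
        self._entries.move_to_end(jwks_uri)
        while len(self._entries) > self._max_size:   # bound the cache: evict least recently used
            self._entries.popitem(last=False)
        return entry

    @staticmethod
    def _select(jwks, kid, use):
        """Return the JWK with this kid only if its 'use' matches the requested purpose."""
        for jwk in jwks.get("keys", []):
            if jwk.get("kid") == kid and jwk.get("use") == use:
                return jwk
        return None

    def get_key(self, jwks_uri, kid, use):
        now = self._clock()
        entry = self._entries.get(jwks_uri)
        if entry is None or now - entry.fetched_at >= self._cache_timeout:
            entry = self._load(jwks_uri, now)        # not cached, or due for periodic reload
        else:
            self._entries.move_to_end(jwks_uri)       # refresh LRU position
        key = self._select(entry.jwks, kid, use)
        if key is None and now - entry.fetched_at >= self._cache_miss_timeout:
            # Unknown kid may mean the client rotated keys; reload, but never more often
            # than once per cache_miss_timeout, so bogus kids cannot trigger a fetch storm.
            entry = self._load(jwks_uri, now)
            key = self._select(entry.jwks, kid, use)
        return key

    def cached_uris(self):
        return list(self._entries)
```

A request for kid "a-sig" with the transport purpose returns nothing even though "a-sig" is a valid key in the set, which is the cross-use protection the list above describes; a request for a kid that is genuinely new after rotation is served once the entry is older than the miss timeout, and a third client pushes the least recently used client out when the size bound is reached.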