Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Make jwks-rsa resilient in the face of inability to access the underlying JWKS #385

Open
4 tasks done
neoeinstein opened this issue Oct 31, 2023 · 1 comment
Open
4 tasks done

Comments

@neoeinstein
Copy link

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

In light of the recent Auth0/Cloudflare outage, we discovered that this library hard evicts the underlying JWKS after the maxCacheAge expires. Unfortunately, if this occurs at the same time as, say, Auth0 and its JWKS are unavailable, then there is no graceful degradation of service. Instead, the service immediately begins rejecting tokens. This results in total service unavailability even if the clients accessing the service have tokens that would continue to be valid for many hours.

With the default 10 minute max cache age, that means services can, on average, only tolerate 5 minutes of downtime before becoming unavailable in the current state.

Describe the ideal solution

In the face of errors attempting to refresh a JWKS, the library should be able to gracefully continue and use a stale JWKS during the unavailability of the remote source.

Alternatives and current workarounds

We're looking at writing a wrapper around this library to be able to provide this graceful fallback, but it would be ideal if this mechanism were done inside the library instead.

Additional context

Notably, some libraries in other languages already work to provide a graceful fallback mechanism in the face of a network partition or unavailability of the source.

One such example is neoeinstein/aliri, which ensures that JWKS source unavailability does not result in total service unavailability.

@adamjmcgrath
Copy link
Contributor

Thanks for raising this @neoeinstein - I don't know when we might be able to look at this, but will leave it open as an enhancement.

Also, happy to look at a PR if anybody wants to offer one

# for free to join this conversation on GitHub. Already have an account? # to comment
Projects
None yet
Development

No branches or pull requests

2 participants