use jwks caching feature of openid_connect gem
OpenIDConnect::ResponseObject::IdToken.decode now accepts an OpenIDConnect::Discovery::Provider::Config::Response instead of a key.
https://github.com/nov/openid_connect/blob/master/spec/openid_connect/response_object/id_token_spec.rb#L254-L300
It then fetches the JWK specified by the ID Token's kid header from jwks_uri using JSON::JWK::Set::Fetcher.
https://github.com/nov/openid_connect/blob/master/lib/openid_connect/response_object/id_token.rb#L70-L73
https://github.com/nov/openid_connect/blob/master/lib/openid_connect/discovery/provider/config/response.rb#L90-L93
JSON::JWK::Set::Fetcher has a JWKS caching feature.
https://github.com/nov/json-jwt/wiki/JWK-Set#fetching
So, once omniauth_openid_connect gem users specify the following, this gem starts caching JWKS by kid.

```ruby
JSON::JWK::Set::Fetcher.cache = Rails.cache
```
PS: you might want to support a caching option via the omniauth config?

```ruby
config.omniauth :openid_connect, {
  issuer: 'https://idp.example.com',
  discovery: true,
  jwks_cacher: Rails.cache,
  client_options: {..}
}
```
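To make the "caching JWKS by kid" behaviour concrete, here is an added Ruby example that is not code from the openid_connect, json-jwt or omniauth_openid_connect gems: a counting cache that mimics the Rails.cache fetch/delete contract and a hypothetical per-kid fetcher, exercised through one key rotation. The JWKS documents, the jwks_uri and the offline HTTP callable are constructed.

```ruby
require 'json'
require 'digest'
# Constructed stand-in for Rails.cache with the fetch(key, options) { ... } and
# delete(key) contract that JSON::JWK::Set::Fetcher.cache expects.
class CountingCache
  attr_reader :hits, :misses
  def initialize
    @store, @hits, @misses = {}, 0, 0
  end
  def fetch(key, _options = {})
    if @store.key?(key)
      @hits += 1
      return @store[key]
    end
    @misses += 1
    @store[key] = yield
  end
  def delete(key); @store.delete(key); end
end
class KidNotFound < StandardError; end
# Hypothetical per-kid fetcher (not the gem's code): the cache key is derived
# from jwks_uri and kid, so an unseen kid is always a miss that refetches.
class JwksFetcher
  # http: a callable jwks_uri -> JWKS JSON body (constructed, no network)
  def initialize(cache, http); @cache, @http = cache, http; end
  def fetch(jwks_uri, kid:)
    key = ['json:jwk:set', Digest::MD5.hexdigest(jwks_uri), kid].join(':')
    body = @cache.fetch(key) { @http.call(jwks_uri) }
    jwk = JSON.parse(body).fetch('keys').find { |k| k['kid'] == kid }
    return jwk if jwk
    @cache.delete(key) # never keep a set that lacks the requested kid
    raise KidNotFound, kid
  end
end
# Constructed JWKS documents for two key-rotation states of the IdP.
JWKS_V1 = { keys: [{ kty: 'RSA', kid: 'k1', e: 'AQAB', n: 'placeholder' }] }.to_json
JWKS_V2 = { keys: [{ kty: 'RSA', kid: 'k2', e: 'AQAB', n: 'placeholder' }] }.to_json
def demo
  cache = CountingCache.new
  idp = { body: JWKS_V1, calls: 0 }
  fetcher = JwksFetcher.new(cache, ->(_uri) { idp[:calls] += 1; idp[:body] })
  uri = 'https://idp.example.com/jwks.json' # constructed
  fetcher.fetch(uri, kid: 'k1') # miss: one request to jwks_uri
  fetcher.fetch(uri, kid: 'k1') # hit: no request
  idp[:body] = JWKS_V2          # IdP rotates to k2
  fetcher.fetch(uri, kid: 'k2') # new kid, new cache key: one more request
  fetcher.fetch(uri, kid: 'k1') # old entry stays until the store expires it
  { origin_calls: idp[:calls], hits: cache.hits, misses: cache.misses }
end
```

With a real store, pass an expiry option (for example Rails.cache's expires_in) through the fetch options so retired keys age out rather than living forever in the cache.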
I wanted to check on the status of this. I know the PR is a bit out of date. Is there a plan to incorporate something like this? Caching the public keys with a configurable cache so we don't hit our jwks_uri on every verification would be very helpful for a project I am working on.