michaeljmarshall opened a new pull request, #20338: URL: https://github.com/apache/pulsar/pull/20338
### Motivation

When the `AuthenticationProviderOpenID` encounters an unknown Key ID (known as the `kid` in the JWT) the token is rejected with the following error: `java.lang.IllegalArgumentException: No JWK found for Key ID <kid>`. This behavior is technically valid, but it isn't ideal because it is possible that the Identity Provider has issued new signing keys and started using them before the Pulsar authentication provider has refreshed its cache.

This PR introduces a behavior to retrieve This PR adds a configuration called `openIDKeyIdCacheMissRefreshSeconds` that represents the length of time that must pass before the provider will reload the JWKS from the Identity Provider. The `openIDKeyIdCacheMissRefreshSeconds` setting limits the impact of an attacker invalidating the JWKS cache. When `openIDKeyIdCacheMissRefreshSeconds <= 0`, the JWKS will be refreshed for any missing key id when the issuer is trusted. This is only meant for testing.

### Modifications

* Add `openIDKeyIdCacheMissRefreshSeconds` setting and default it to 5 minutes.
* Add functionality to invalidate and refresh the cache when a token has an unknown `kid` for a trusted issuer.

### Verifying this change

New tests are added.

### Does this pull request potentially affect one of the following parts:

This adds a new configuration, but it is very minor.

### Documentation

- [x] `doc-required`

### Matching PR in forked repository

PR in forked repository: Skipping since tests passed already on my local machine
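As an added illustration (not code from the PR or from Pulsar), here is a small Python model of the refresh-on-unknown-`kid` behavior the description above lays out. The `JwksCache` class, its method names, the fake clock and the sample JWKS are all constructed for this example; only the setting name `openIDKeyIdCacheMissRefreshSeconds`, its 5-minute default and the `<= 0` "always refresh" meaning come from the PR.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class JwksCache:
    """Hypothetical JWKS cache (not Pulsar code) that reloads on an unknown kid."""
    fetch_jwks: Callable[[], Dict[str, str]]   # returns {kid: key} from the trusted issuer
    cache_miss_refresh_seconds: float = 300.0  # PR default: 5 min; <= 0 = always refresh (testing)
    clock: Callable[[], float] = time.monotonic
    keys: Dict[str, str] = field(default_factory=dict)
    last_miss_refresh: Optional[float] = None
    refresh_count: int = 0                     # how many times the issuer was contacted

    def load(self) -> None:
        """Fetch the JWKS (startup or any scheduled refresh)."""
        self.keys = dict(self.fetch_jwks())
        self.refresh_count += 1

    def key_for(self, kid: str) -> Optional[str]:
        """Key for `kid`, or None (reject). On a miss, reload the JWKS at most
        once per cache_miss_refresh_seconds so unknown kids cannot hammer the IdP."""
        key = self.keys.get(kid)
        if key is not None:
            return key
        now = self.clock()
        if (self.cache_miss_refresh_seconds > 0
                and self.last_miss_refresh is not None
                and now - self.last_miss_refresh < self.cache_miss_refresh_seconds):
            return None                        # still inside the window: no refresh
        self.last_miss_refresh = now
        self.load()
        return self.keys.get(kid)


def simulate(refresh_seconds: float):
    """Constructed scenario: the issuer rotates to key 'k2', then 100 tokens with
    bogus kids arrive. Returns (key found for k2, number of JWKS fetches)."""
    issuer_keys = {"k1": "PUBKEY-1"}           # constructed sample JWKS
    now = [1000.0]                             # fake monotonic clock
    cache = JwksCache(lambda: issuer_keys, refresh_seconds, lambda: now[0])
    cache.load()                               # initial load at startup
    issuer_keys["k2"] = "PUBKEY-2"             # identity provider rotates keys
    k2 = cache.key_for("k2")                   # miss -> one refresh -> found
    for i in range(100):
        cache.key_for(f"bogus-{i}")            # unknown kids from a trusted issuer
    now[0] += refresh_seconds + 1              # wait out the window
    cache.key_for("bogus-after-window")        # one more refresh is allowed
    return k2, cache.refresh_count
```

With the 5-minute default, the rotated key is picked up on the first miss and the 100 bogus kids cost the issuer nothing; with the setting at `0`, every bogus kid triggers a fetch.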
