> On Sep 9, 2022, at 8:29 PM, David Blevins <[email protected]> wrote:
>
>> On Aug 30, 2022, at 3:10 PM, David Blevins <[email protected]> wrote:
>>
>> I'm digging through the test failures in the MP JWT TCK and one of them is a
>> test verifying support for downloading the keys for verifying JWTs via an
>> http call.
>>
>> The trick is the test is deploying an application that makes an HTTP request
>> to itself to get the public key and expects that to work. Since we validate
>> the configuration before the application is started, this does not work --
>> the application can't call itself to make an HTTP request because it hasn't
>> been deployed yet. Chicken and egg.
>
> Alrighty, we're down to just two failures in the MP JWT 2.0 TCK and both are
> due to the above.
Hacking away on this. As it's taking me a while I figured I'd put up this draft PR so people can take a peek if they like:

- https://github.com/apache/tomee/pull/926

The logic behind the design is that I'll have the code that needs to verify JWTs hold a java.util.function.Supplier that will supply the keys used for verification. Behind that `java.util.function.Supplier` interface we can do all the fancy work of:

- dynamically fetching keys from the HTTP server
- handling retries if the server is down
- blocking threads (up to a point) until we get a response
- refreshing keys on some kind of schedule, without blocking threads

That fancy supplier logic is in a new class `CachedSupplier` and does all of the difficult threading in a way that's safe and optimal. Or at least I hope -- I'm still writing the tests for it.

CachedSupplier is generic and doesn't have any actual HTTP or key parsing logic. Instead you construct `CachedSupplier` by passing in another `java.util.function.Supplier` that does the HTTP call, or disk read, or pulls from anywhere we'd like to support. Basically `CachedSupplier` is a wrapper around a `java.util.function.Supplier` that is presumably doing something very expensive and we don't want to execute that operation very often.

I threw it in the org.apache.openejb.util package as it's a cool tool and we could easily use it for other things in the future.

-David
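As an added illustration of the wrapper design described in the message above (this is not TomEE's `CachedSupplier` from the PR; the class name, constructor parameters and the retry/back-off policy are my assumptions), a generic supplier that fetches once at startup, blocks callers only for that first value and only up to a timeout, then refreshes on a schedule with retries while the previously fetched keys keep being served:

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Hypothetical example, not the TomEE class: wraps an expensive Supplier (e.g. an HTTP fetch of a JWKS).
public final class CachedKeySupplier<T> implements Supplier<T> {
    private final Supplier<T> source;        // the expensive call: HTTP, disk read, ...
    private final long initialTimeoutMs;     // how long a caller blocks for the very first value
    private final int maxAttempts;           // retries per refresh while the server is down
    private final AtomicReference<T> cached = new AtomicReference<>();
    private final CountDownLatch firstValue = new CountDownLatch(1);
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(
            r -> { Thread t = new Thread(r, "cached-supplier-refresh"); t.setDaemon(true); return t; });

    public CachedKeySupplier(Supplier<T> source, long refreshMs, long initialTimeoutMs, int maxAttempts) {
        this.source = source;
        this.initialTimeoutMs = initialTimeoutMs;
        this.maxAttempts = maxAttempts;
        // First fetch runs at once, then on a fixed delay; callers never block on a scheduled refresh.
        scheduler.scheduleWithFixedDelay(this::refresh, 0, refreshMs, TimeUnit.MILLISECONDS);
    }

    private void refresh() {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                T value = source.get();
                if (value != null) { cached.set(value); firstValue.countDown(); return; }
            } catch (RuntimeException e) {
                // server down or response unparsable: fall through and retry after a growing pause
            }
            try { Thread.sleep(200L * attempt); } catch (InterruptedException ie) { return; }
        }
        // every attempt failed: keep serving the previously cached keys, if any
    }

    @Override
    public T get() {
        try {
            // Only the initial fetch blocks, and only up to initialTimeoutMs; later calls are lock-free.
            if (!firstValue.await(initialTimeoutMs, TimeUnit.MILLISECONDS)) {
                throw new IllegalStateException("no keys available after " + initialTimeoutMs + " ms");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while waiting for keys", e);
        }
        return cached.get();
    }
}
```

Because the refresh runs on its own daemon thread, a deployment whose key endpoint is not yet reachable (the self-call case in the thread above) starts anyway and callers of `get()` fail fast with a clear error until the first fetch succeeds.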