Package org.apache.kafka.common.security.oauthbearer.secured

Class RefreshingHttpsJwks

java.lang.Object
org.apache.kafka.common.security.oauthbearer.secured.RefreshingHttpsJwks
All Implemented Interfaces:
Closeable, AutoCloseable, Initable
public final class RefreshingHttpsJwks extends Object implements Initable, Closeable
Implementation of HttpsJwks that will periodically refresh the JWKS cache to reduce or even prevent HTTP/HTTPS traffic in the hot path of validation. It is assumed that it's possible to receive a JWT that contains a kid that points to yet-unknown JWK, thus requiring a connection to the OAuth/OIDC provider to be made. Hopefully, in practice, keys are made available for some amount of time before they're used within JWTs. This instance is created and provided to the HttpsJwksVerificationKeyResolver that is used when using an HTTP-/HTTPS-based VerificationKeyResolver, which is then provided to the ValidatorAccessTokenValidator to use in validating the signature of a JWT.
See Also:

  • Constructor Summary

    Constructors
    Constructor
    Description
    RefreshingHttpsJwks(org.apache.kafka.common.utils.Time time, org.jose4j.jwk.HttpsJwks httpsJwks, long refreshMs, long refreshRetryBackoffMs, long refreshRetryBackoffMaxMs)
    Creates a RefreshingHttpsJwks that will be used by the RefreshingHttpsJwksVerificationKeyResolver to resolve new key IDs in JWTs.

  • Method Summary

    Modifier and Type
    Method
    Description
    void
    close()
     
    List<org.jose4j.jwk.JsonWebKey>
    getJsonWebKeys()
    Our implementation avoids the blocking call within HttpsJwks.refresh() that is sometimes called internal to HttpsJwks.getJsonWebKeys().
    String
    getLocation()
     
    void
    init()
    Lifecycle method to perform any one-time initialization of the retriever.
    boolean
    maybeExpediteRefresh(String keyId)
    maybeExpediteRefresh is a public method that will trigger a refresh of the JWKS cache if all of the following conditions are met: The given keyId parameter is <e; the MISSING_KEY_ID_MAX_KEY_LENGTH The key isn't in the process of being expedited already

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • RefreshingHttpsJwks

      public RefreshingHttpsJwks(org.apache.kafka.common.utils.Time time, org.jose4j.jwk.HttpsJwks httpsJwks, long refreshMs, long refreshRetryBackoffMs, long refreshRetryBackoffMaxMs)
      Creates a RefreshingHttpsJwks that will be used by the RefreshingHttpsJwksVerificationKeyResolver to resolve new key IDs in JWTs.
      Parameters:
      time - Time instance
      httpsJwks - HttpsJwks instance from which to retrieve the JWKS based on the OAuth/OIDC standard
      refreshMs - The number of milliseconds between refresh passes to connect to the OAuth/OIDC JWKS endpoint to retrieve the latest set
      refreshRetryBackoffMs - Time for delay after initial failed attempt to retrieve JWKS
      refreshRetryBackoffMaxMs - Maximum time to retrieve JWKS

  • Method Details

    • init

      public void init() throws IOException
      Description copied from interface: Initable
      Lifecycle method to perform any one-time initialization of the retriever. This must be performed by the caller to ensure the correct state before methods are invoked.
      Specified by:
      init in interface Initable
      Throws:
      IOException - Thrown on errors related to IO during initialization

    • close

      public void close()
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable

    • getJsonWebKeys

      public List<org.jose4j.jwk.JsonWebKey> getJsonWebKeys() throws org.jose4j.lang.JoseException, IOException
      Our implementation avoids the blocking call within HttpsJwks.refresh() that is sometimes called internal to HttpsJwks.getJsonWebKeys(). We want to avoid any blocking I/O as this code is running in the authentication path on the Kafka network thread. The list may be stale up to refreshMs.
      Returns:
      List of JsonWebKey instances
      Throws:
      org.jose4j.lang.JoseException - Thrown if a problem is encountered parsing the JSON content into JWKs
      IOException - Thrown f a problem is encountered making the HTTP request

    • getLocation

      public String getLocation()

    • maybeExpediteRefresh

      public boolean maybeExpediteRefresh(String keyId)

      maybeExpediteRefresh is a public method that will trigger a refresh of the JWKS cache if all of the following conditions are met:

      • The given keyId parameter is <e; the MISSING_KEY_ID_MAX_KEY_LENGTH
      • The key isn't in the process of being expedited already

      This expedited refresh is scheduled immediately.

      Parameters:
      keyId - JWT key ID
      Returns:
      true if an expedited refresh was scheduled, false otherwise