@flaneur2020 flaneur2020 commented Feb 5, 2025

I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/

Summary

Currently, we maintain a cache for the JWKS keys and use the cache to validate JWT authentication.

However, the JWKS endpoint may rotate at any time. If the client has rotated to the latest JWT, we may get a "key not found" 401 error on JWT authentication until the next JWKS refresh (by default, 30s).

This error auto-recovers after 30s, but we want to go a step further and make it unnoticeable to users with a retry.

This PR added a retry that refreshes from the JWKS endpoint after a key-not-found error. To avoid flooding the JWKS endpoint, it limited the retry with a retry_interval.

There's also a risk that the server rotates the JWKS first while the client still uses the older JWT. To mitigate this risk, this PR also buffered the earlier JWKS keys in memory.

Tests

  • Unit Test

Type of change

  • New Feature (non-breaking change which adds functionality)
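The retry-with-interval and old-key buffering behaviour described above, as an added illustration written for this page (not Databend's own code; `JwksCache`, the `fetch` closure standing in for the JWKS HTTP request, and the seconds-based `now` parameter are assumptions made so the logic is deterministic):

```rust
use std::collections::HashMap;

// Constructed stand-in for a JWK: only the key id matters for the cache logic.
#[derive(Clone, Debug)]
pub struct Jwk {
    pub kid: String,
    pub material: Vec<u8>,
}

// Hypothetical cache; `fetch` stands in for an HTTP GET of the JWKS endpoint,
// and `now` is passed in as seconds so the behaviour is deterministic to test.
pub struct JwksCache<F: FnMut() -> Vec<Jwk>> {
    keys: HashMap<String, Jwk>, // current keys plus buffered earlier keys
    fetch: F,
    retry_interval: u64,        // minimum seconds between refreshes
    last_refresh: Option<u64>,
    pub refresh_count: usize,   // exposed so a test can check for flooding
}

impl<F: FnMut() -> Vec<Jwk>> JwksCache<F> {
    pub fn new(fetch: F, retry_interval: u64) -> Self {
        JwksCache { keys: HashMap::new(), fetch, retry_interval, last_refresh: None, refresh_count: 0 }
    }

    fn refresh(&mut self, now: u64) {
        // Merge instead of replace: keys from the previous rotation stay usable for
        // clients still presenting a JWT signed with them. A production cache would
        // cap or expire this buffer so it cannot grow without bound.
        for k in (self.fetch)() {
            self.keys.insert(k.kid.clone(), k);
        }
        self.last_refresh = Some(now);
        self.refresh_count += 1;
    }

    pub fn get_key(&mut self, kid: &str, now: u64) -> Option<Jwk> {
        if self.last_refresh.is_none() { self.refresh(now); }
        if let Some(k) = self.keys.get(kid) {
            return Some(k.clone());
        }
        // Key not found: refresh right away, unless we already refreshed within
        // retry_interval, in which case report the miss rather than hammer the endpoint.
        let due = self.last_refresh.map_or(true, |t| now.saturating_sub(t) >= self.retry_interval);
        if !due { return None; }
        self.refresh(now);
        self.keys.get(kid).cloned()
    }
}
```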


@github-actions github-actions bot added the pr-feature this PR introduces a new feature to the codebase label Feb 5, 2025
@flaneur2020 flaneur2020 marked this pull request as ready for review February 5, 2025 11:21
@sundy-li sundy-li added this pull request to the merge queue Feb 6, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 6, 2025
@sundy-li sundy-li merged commit b98ad71 into databendlabs:main Feb 7, 2025
70 checks passed