APPPOCTOOL-28 Make JWT parser refresh interval configurable

folio-org · Sep 11, 2024 · be74551 · be74551
1 parent 9f96c30
commit be74551
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 5 deletions.
diff --git a/folio-auth-openid/src/main/java/org/folio/jwt/openid/OpenidJwtParserProvider.java b/folio-auth-openid/src/main/java/org/folio/jwt/openid/OpenidJwtParserProvider.java
@@ -14,6 +14,8 @@
 public class OpenidJwtParserProvider {
 
   private final Map<String, JWTParser> tokenParsers = new ConcurrentHashMap<>();
+  private final int jwksRefreshInterval;
+  private final int forcedJwksRefreshInterval;
 
   /**
    * Provides JWT parser for given issuer URI.
@@ -28,8 +30,8 @@ public JWTParser getParser(String issuerUri) {
     }
 
     var jwtAuthContextInfo = new JWTAuthContextInfo(issuerUri + "/protocol/openid-connect/certs", issuerUri);
-    jwtAuthContextInfo.setForcedJwksRefreshInterval(60);
-    jwtAuthContextInfo.setJwksRefreshInterval(60);
+    jwtAuthContextInfo.setJwksRefreshInterval(jwksRefreshInterval);
+    jwtAuthContextInfo.setForcedJwksRefreshInterval(forcedJwksRefreshInterval);
     var jwtParser = new DefaultJWTParser(jwtAuthContextInfo);
     tokenParsers.put(issuerUri, jwtParser);
     return jwtParser;

diff --git a/folio-auth-openid/src/test/java/org/folio/jwt/openid/OpenidJwtParserProviderTest.java b/folio-auth-openid/src/test/java/org/folio/jwt/openid/OpenidJwtParserProviderTest.java
@@ -20,7 +20,7 @@ class OpenidJwtParserProviderTest {
 
   @BeforeEach
   void setUp() {
-    openidJwtParserProvider = new OpenidJwtParserProvider();
+    openidJwtParserProvider = new OpenidJwtParserProvider(60, 60);
   }
 
   @Test

diff --git a/.../org/folio/security/integration/keycloak/configuration/KeycloakSecurityConfiguration.java b/.../org/folio/security/integration/keycloak/configuration/KeycloakSecurityConfiguration.java
@@ -61,7 +61,7 @@ public JsonWebTokenParser jsonWebTokenParser(ObjectMapper objectMapper, Keycloak
     OpenidJwtParserProvider openidJwtParserProvider) {
 
     var jwtParserConfiguration = JwtParserConfiguration.builder()
-      .validateUri(false)
+      .validateUri(properties.getJwtCacheConfiguration().isValidateUri())
       .issuerRootUri(keycloakProperties.getUrl())
       .build();
 
@@ -70,7 +70,10 @@ public JsonWebTokenParser jsonWebTokenParser(ObjectMapper objectMapper, Keycloak
 
   @Bean
   public OpenidJwtParserProvider openidJwtParserProvider() {
-    return new OpenidJwtParserProvider();
+    var jwtCacheConfiguration = properties.getJwtCacheConfiguration();
+    return new OpenidJwtParserProvider(
+      jwtCacheConfiguration.getJwksRefreshInterval(),
+      jwtCacheConfiguration.getForcedJwksRefreshInterval());
   }
 
   @Bean

diff --git a/.../org/folio/security/integration/keycloak/configuration/properties/KeycloakProperties.java b/.../org/folio/security/integration/keycloak/configuration/properties/KeycloakProperties.java
@@ -1,6 +1,7 @@
 package org.folio.security.integration.keycloak.configuration.properties;
 
 import lombok.Data;
+import lombok.NoArgsConstructor;
 import org.folio.common.configuration.properties.TlsProperties;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.NestedConfigurationProperty;
@@ -11,12 +12,58 @@
 @ConfigurationProperties(prefix = "application.keycloak")
 public class KeycloakProperties {
 
+  /**
+   * Keycloak URL.
+   */
   private String url;
+
+  /**
+   * Authentication JWT parser configuration settings.
+   */
+  private KeycloakJwtCacheProperties jwtCacheConfiguration;
+
+  /**
+   * Impersonation client name.
+   */
   private String impersonationClient;
+
+  /**
+   * Keycloak admin client properties.
+   */
   @NestedConfigurationProperty
   private KeycloakAdminProperties admin;
+
+  /**
+   * Keycloak client properties.
+   */
   @NestedConfigurationProperty
   private KeycloakClientProperties client;
+
+  /**
+   * Keycloak TLS properties.
+   */
   @NestedConfigurationProperty
   private TlsProperties tls;
+
+  @Data
+  @NoArgsConstructor
+  public static class KeycloakJwtCacheProperties {
+
+    /**
+     * Defines if validation for JWT must be run to compare configuration URL and token issuer for keycloak.
+     */
+    private boolean validateUri = false;
+
+    /**
+     * Jwks refresh interval for realm JWT parser.
+     */
+    private int jwksRefreshInterval = 60;
+
+    /**
+     * Forced jwks refresh interval for realm JWT parser.
+     *
+     * <p>Applies for signing key rotation</p>
+     */
+    private int forcedJwksRefreshInterval = 60;
+  }
 }