Affects Version/s: 184.108.40.206, 220.127.116.11, 7.0.0
Fix Version/s: 7.0.0
When you change the secret mappings for a KeyStoreSecretStore (including the default), the OAuth2Provider fails to detect this change and continues to serve the JWKSet calculated the last time the jwks_uri was called.
Steps to reproduce:
- Configure an OAuth2 provider
- Call the /oauth2/connect/jwk_uri endpoint
- Go to Configure > Secret Stores > default keystore > mappings and delete all secret store mappings
- Call the /oauth2/connect/jwk_uri endpoint again
Expected result: An empty set of keys is returned.
Actual result: The original (large) set of keys is returned.
Workaround: Restart AM to pick up the changes.
The RealmOAuth2ProviderSettings class caches the JWKSet. It registers a service listener to detect changes in the OAuth2 settings, but fails to detect changes made to the Secrets API.
An immediate fix would be to also add a listener for changes to KeyStoreSecretStore configurations in the realm and globally, but in general the Secrets API may be configured to pull in keys and certs from remote sources (e.g. Google/AWS KMS), so the cache should ideally be refreshed every 5 minutes or so anyway.
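To make the failure mode and the two proposed remedies concrete, here is an added, self-contained illustration (not AM's own code; the secret store, the secret labels and the key material are constructed stand-ins). A JWKS cache that is only invalidated by the OAuth2 settings listener keeps serving the old key set after the secret store mappings are deleted; the same cache wired to a secret-store change listener refreshes immediately, and a TTL alone (the case where keys come from a remote KMS that raises no local event) refreshes once the 5-minute window has passed:

```python
"""JWKS caching: a cache that never hears about secret store changes goes
stale; invalidating on store changes plus a TTL fixes it. Every name and
key string below is constructed for this example."""
import hashlib
import time
from typing import Callable, Dict, List, Optional


class KeyStoreSecretStore:
    """Minimal stand-in for a secret store: label -> key material, with change listeners."""

    def __init__(self, mappings: Dict[str, str]) -> None:
        self._mappings = dict(mappings)
        self._listeners: List[Callable[[], None]] = []

    def add_listener(self, callback: Callable[[], None]) -> None:
        self._listeners.append(callback)

    def mappings(self) -> Dict[str, str]:
        return dict(self._mappings)

    def set_mappings(self, mappings: Dict[str, str]) -> None:
        """Replace the mappings (an admin deleting them in the UI) and notify listeners."""
        self._mappings = dict(mappings)
        for callback in self._listeners:
            callback()


def build_jwks(mappings: Dict[str, str]) -> Dict[str, list]:
    """Derive a JWK Set from the current mappings. The kid is a digest of the
    constructed key material; real code would publish the actual public keys."""
    keys = []
    for _label, material in sorted(mappings.items()):
        kid = hashlib.sha256(material.encode()).hexdigest()[:16]
        keys.append({"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid})
    return {"keys": keys}


class JwksCache:
    """Caches the JWK Set. With listen_to_store=False and ttl_seconds=None it
    behaves like the reported bug: built once, never refreshed."""

    def __init__(self, store: KeyStoreSecretStore, *, clock: Callable[[], float] = time.monotonic,
                 ttl_seconds: Optional[float] = 300.0, listen_to_store: bool = True) -> None:
        self._store = store
        self._clock = clock
        self._ttl = ttl_seconds
        self._cached: Optional[Dict[str, list]] = None
        self._built_at = 0.0
        self.rebuilds = 0
        if listen_to_store:
            store.add_listener(self.invalidate)

    def invalidate(self) -> None:
        """Called by the store listener; the next get() rebuilds the set."""
        self._cached = None

    def _expired(self, now: float) -> bool:
        return self._ttl is not None and now - self._built_at >= self._ttl

    def get(self) -> Dict[str, list]:
        now = self._clock()
        if self._cached is None or self._expired(now):
            self._cached = build_jwks(self._store.mappings())
            self._built_at = now
            self.rebuilds += 1
        return self._cached


class FakeClock:
    """Deterministic clock so the TTL path can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def reproduce() -> Dict[str, int]:
    """Replays the issue's steps against three cache configurations and
    returns the number of keys each one serves at each step."""
    store = KeyStoreSecretStore({"example.signing.key.1": "constructed-material-1",
                                 "example.signing.key.2": "constructed-material-2"})
    clock = FakeClock()
    stale = JwksCache(store, clock=clock, ttl_seconds=None, listen_to_store=False)  # the bug
    listened = JwksCache(store, clock=clock, ttl_seconds=None, listen_to_store=True)  # listener fix
    ttl_only = JwksCache(store, clock=clock, ttl_seconds=300, listen_to_store=False)  # remote KMS, TTL only
    for cache in (stale, listened, ttl_only):
        cache.get()                      # first call to jwk_uri populates each cache
    store.set_mappings({})               # delete all secret store mappings
    result = {
        "stale_keys": len(stale.get()["keys"]),                  # still 2: stale
        "listened_keys": len(listened.get()["keys"]),            # 0: rebuilt on store change
        "ttl_keys_before_expiry": len(ttl_only.get()["keys"]),   # still 2 within the TTL
    }
    clock.advance(300)
    result["ttl_keys_after_expiry"] = len(ttl_only.get()["keys"])    # 0 once the TTL elapsed
    result["stale_keys_after_expiry"] = len(stale.get()["keys"])     # still 2: never refreshes
    return result


if __name__ == "__main__":
    print(reproduce())
```

The listener is what gives an admin's change immediate effect; the TTL is the safety net for sources that cannot signal a change. Both are needed, which is why the cache above can be configured with either or both.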