OpenAM / OPENAM-15682

AM jwks_uri doesn't reflect changes to secret mappings

    Details

    • Needs backport: Yes
    • Needs QA verification: Yes
    • Functional tests: No

      Description

      Bug description

      When you change the secret mappings for a KeyStoreSecretStore (including the default), the OAuth2Provider fails to detect this change and continues to serve the JWKSet calculated the last time the jwks_uri was called.

      How to reproduce the issue

      1. Configure an OAuth2 provider
      2. Call the /oauth2/connect/jwk_uri endpoint
      3. Go to Configure > Secret Stores > default keystore > mappings and delete all secret store mappings
      4. Call the /oauth2/connect/jwk_uri endpoint again

      Expected behaviour

      An empty set of keys is returned.

      Current behaviour

      The original (large) set of keys is returned.

      Workaround

      Restart AM to pick up the changes.

      Code analysis

      The RealmOAuth2ProviderSettings class caches the JWKSet. It registers a service listener to detect changes to the OAuth2 provider settings, but it does not listen for changes made through the Secrets API, so a changed secret mapping never invalidates the cached JWKSet.

      An immediate fix would be to also add a listener for changes to KeyStoreSecretStore configurations, both in the realm and globally. In general, though, the Secrets API may be configured to pull keys and certificates from remote sources (e.g. Google/AWS KMS) that emit no change events, so the cache should ideally also be refreshed every 5 minutes or so regardless of whether a listener fires.
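      The following is an added illustration of the two-part fix described above (event-driven invalidation plus a TTL); it is not OpenAM code. `SecretStore`, `JwksCache` and the helper functions are assumed names, the key material is constructed, and the 300-second TTL is taken from the "5 minutes or so" suggestion. `listen_to_store=False` reproduces the reported behaviour; `listen_to_store=True` is the fixed cache, and the TTL path shows how a cache converges even when the secret source never emits an event.

```python
"""Cache-invalidation pattern for a cached JWKSet (added illustration, not OpenAM code).

A JWKS cache that only listens for OAuth2 provider-settings changes keeps
serving keys the secret store has already unmapped. The fixed cache also
invalidates on secret-store change events and expires entries after a TTL,
so remote key sources that emit no events (e.g. a KMS) still converge.
All class and function names here are assumptions.
"""
import time
from typing import Callable, Dict, List, Optional

JWKS_TTL_SECONDS = 300  # assumed value, after the ticket's "every 5 minutes or so"


class SecretStore:
    """Constructed stand-in for a KeyStoreSecretStore's secret mappings."""

    def __init__(self, mappings: Dict[str, str]) -> None:
        self._mappings = dict(mappings)  # secret id -> public key material (toy values)
        self._listeners: List[Callable[[], None]] = []

    def add_listener(self, callback: Callable[[], None]) -> None:
        self._listeners.append(callback)

    def set_mappings(self, mappings: Dict[str, str]) -> None:
        """Replace all mappings and notify listeners, as a config change would."""
        self._mappings = dict(mappings)
        for callback in self._listeners:
            callback()

    def public_keys(self) -> List[dict]:
        # Toy JWK entries; real entries carry the full key parameters.
        return [{"kid": kid, "kty": "RSA", "n": n}
                for kid, n in sorted(self._mappings.items())]


class JwksCache:
    """Caches the JWKSet served at jwks_uri.

    listen_to_store=False models the reported bug: the cache is built once
    and never hears about secret-mapping changes.
    """

    def __init__(self, store: SecretStore, clock: Callable[[], float] = time.monotonic,
                 ttl: float = JWKS_TTL_SECONDS, listen_to_store: bool = True) -> None:
        self._store = store
        self._clock = clock          # injectable clock so the TTL can be tested offline
        self._ttl = ttl
        self._cached: Optional[dict] = None
        self._loaded_at = 0.0
        if listen_to_store:
            store.add_listener(self.invalidate)  # the missing listener from the ticket

    def invalidate(self) -> None:
        self._cached = None

    def get(self) -> dict:
        now = self._clock()
        expired = self._cached is None or now - self._loaded_at >= self._ttl
        if expired:
            self._cached = {"keys": self._store.public_keys()}
            self._loaded_at = now
        return self._cached


def key_count_after_unmapping(listen_to_store: bool) -> int:
    """Follow the ticket's reproduction steps; return how many keys the 2nd call serves."""
    store = SecretStore({"rsa.sig.1": "n1", "rsa.sig.2": "n2", "rsa.enc.1": "n3"})
    cache = JwksCache(store, clock=lambda: 0.0, listen_to_store=listen_to_store)
    cache.get()                        # step 2: first jwks_uri call populates the cache
    store.set_mappings({})             # step 3: delete all secret mappings
    return len(cache.get()["keys"])    # step 4: second jwks_uri call


def key_count_after_ttl(seconds_elapsed: float) -> int:
    """Without change events (remote KMS case), the TTL alone makes the cache converge."""
    store = SecretStore({"rsa.sig.1": "n1"})
    now = [0.0]
    cache = JwksCache(store, clock=lambda: now[0], listen_to_store=False)
    cache.get()
    store.set_mappings({})             # no listener is registered, so nothing is invalidated
    now[0] = seconds_elapsed
    return len(cache.get()["keys"])


if __name__ == "__main__":
    print("stale cache serves", key_count_after_unmapping(False), "keys")   # 3
    print("fixed cache serves", key_count_after_unmapping(True), "keys")    # 0
    print("after TTL expiry:", key_count_after_ttl(JWKS_TTL_SECONDS), "keys")  # 0
```

      The injectable clock is what makes the TTL path verifiable without waiting five minutes; in a real deployment both mechanisms should be present, since a listener gives immediate invalidation for local keystore changes while the TTL bounds the staleness window for sources that cannot signal a change.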

            People

            • Assignee: Dipu Seminlal (dipu.seminlal)
            • Reporter: Neil Madden (neil.madden)
            • Votes: 0
            • Watchers: 5