Keyclock public key rotation support Closes #2

Author: augi

keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/DefaultKeycloakPublicKeyProvider.java

@@ -0,0 +1,79 @@
+package com.avast.grpc.jwt.keycloak.server;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.net.URL;
+import java.security.PublicKey;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.keycloak.constants.ServiceUrlConstants;
+import org.keycloak.jose.jwk.JSONWebKeySet;
+import org.keycloak.jose.jwk.JWK;
+import org.keycloak.util.JWKSUtils;
+
+public class DefaultKeycloakPublicKeyProvider implements KeycloakPublicKeyProvider {
+
+  private final String serverUrl;
+  private final String realm;
+  private final Duration minTimeBetweenJwksRequests;
+  private final Duration publicKeyCacheTtl;
+  private final Clock clock;
+
+  private Map<String, PublicKey> currentKeys = new ConcurrentHashMap<>();
+  private volatile Instant lastRequestTime = Instant.MIN;
+
+  public DefaultKeycloakPublicKeyProvider(
+      String serverUrl,
+      String realm,
+      Duration minTimeBetweenJwksRequests,
+      Duration publicKeyCacheTtl,
+      Clock clock) {
+    this.serverUrl = serverUrl;
+    this.realm = realm;
+    this.minTimeBetweenJwksRequests = minTimeBetweenJwksRequests;
+    this.publicKeyCacheTtl = publicKeyCacheTtl;
+    this.clock = clock;
+  }
+
+  @Override
+  public PublicKey get(String keyId) {
+    if (lastRequestTime.plus(publicKeyCacheTtl).isBefore(clock.instant())) {
+      updateKeys();
+    }
+    PublicKey fromCache = currentKeys.get(keyId);
+    if (fromCache != null) {
+      return fromCache;
+    }
+    updateKeys();
+    PublicKey res = currentKeys.get(keyId);
+    if (res == null) {
+      throw new RuntimeException("Key with following ID not found: " + keyId);
+    }
+    return res;
+  }
+
+  protected void updateKeys() {
+    synchronized (this) {
+      if (clock.instant().isAfter(lastRequestTime.plus(minTimeBetweenJwksRequests))) {
+        Map<String, PublicKey> newKeys = fetchNewKeys();
+        currentKeys.clear();
+        currentKeys.putAll(newKeys);
+        lastRequestTime = clock.instant();
+      }
+    }
+  }
+
+  protected Map<String, PublicKey> fetchNewKeys() {
+    try {
+      ObjectMapper om = new ObjectMapper();
+      String jwksUrl = serverUrl + ServiceUrlConstants.JWKS_URL.replace("{realm-name}", realm);
+      JSONWebKeySet jwks = om.readValue(new URL(jwksUrl).openStream(), JSONWebKeySet.class);
+      return JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
+    } catch (IOException e) {
+      throw new RuntimeException("Cannot fetch key from Keycloak server", e);
+    }
+  }
+}

keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtServerInterceptor.java

@@ -5,6 +5,7 @@
 import com.avast.grpc.jwt.server.JwtServerInterceptor;
 import com.avast.grpc.jwt.server.JwtTokenParser;
 import com.typesafe.config.Config;
+import java.time.Clock;
 import org.keycloak.representations.AccessToken;
 
 public class KeycloakJwtServerInterceptor extends JwtServerInterceptor<AccessToken> {
@@ -14,8 +15,16 @@ public KeycloakJwtServerInterceptor(JwtTokenParser<AccessToken> tokenParser) {
 
   public static KeycloakJwtServerInterceptor fromConfig(Config config) {
     Config fc = config.withFallback(DefaultConfig);
+    KeycloakPublicKeyProvider publicKeyProvider =
+        new DefaultKeycloakPublicKeyProvider(
+            fc.getString("serverUrl"),
+            fc.getString("realm"),
+            fc.getDuration("minTimeBetweenJwksRequests"),
+            fc.getDuration("publicKeyCacheTtl"),
+            Clock.systemUTC());
     KeycloakJwtTokenParser tokenParser =
-        KeycloakJwtTokenParser.create(fc.getString("serverUrl"), fc.getString("realm"));
+        new KeycloakJwtTokenParser(
+            fc.getString("serverUrl"), fc.getString("realm"), publicKeyProvider);
     tokenParser = tokenParser.withExpectedAudience(fc.getString("expectedAudience"));
     tokenParser = tokenParser.withExpectedIssuedFor(fc.getString("expectedIssuedFor"));
     return new KeycloakJwtServerInterceptor(tokenParser);

keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtTokenParser.java

@@ -1,30 +1,25 @@
 package com.avast.grpc.jwt.keycloak.server;
 
 import com.avast.grpc.jwt.server.JwtTokenParser;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Strings;
-import java.net.URL;
-import java.security.PublicKey;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
 import org.keycloak.TokenVerifier;
 import org.keycloak.common.VerificationException;
 import org.keycloak.constants.ServiceUrlConstants;
-import org.keycloak.jose.jwk.JSONWebKeySet;
-import org.keycloak.jose.jwk.JWK;
-import org.keycloak.jose.jwk.JWKParser;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.util.TokenUtil;
 
 public class KeycloakJwtTokenParser implements JwtTokenParser<AccessToken> {
 
-  protected final PublicKey publicKey;
+  protected final KeycloakPublicKeyProvider publicKeyProvider;
   protected final TokenVerifier.Predicate<AccessToken>[] checks;
   protected String expectedAudience;
   protected String expectedIssuedFor;
 
-  protected KeycloakJwtTokenParser(String serverUrl, String realm, PublicKey publicKey) {
-    this.publicKey = publicKey;
+  public KeycloakJwtTokenParser(
+      String serverUrl, String realm, KeycloakPublicKeyProvider publicKeyProvider) {
+    this.publicKeyProvider = publicKeyProvider;
     String realmUrl =
         serverUrl + ServiceUrlConstants.REALM_INFO_PATH.replace("{realm-name}", realm);
     this.checks =
@@ -38,7 +33,14 @@ protected KeycloakJwtTokenParser(String serverUrl, String realm, PublicKey publi
 
   @Override
   public CompletableFuture<AccessToken> parseToValid(String jwtToken) {
-    TokenVerifier<AccessToken> verifier = createTokenVerifier(jwtToken);
+    TokenVerifier<AccessToken> verifier;
+    try {
+      verifier = createTokenVerifier(jwtToken);
+    } catch (VerificationException e) {
+      CompletableFuture<AccessToken> r = new CompletableFuture<>();
+      r.completeExceptionally(e);
+      return r;
+    }
     return CompletableFuture.supplyAsync(
         () -> {
           try {
@@ -49,15 +51,17 @@ public CompletableFuture<AccessToken> parseToValid(String jwtToken) {
         });
   }
 
-  protected TokenVerifier<AccessToken> createTokenVerifier(String jwtToken) {
+  protected TokenVerifier<AccessToken> createTokenVerifier(String jwtToken)
+      throws VerificationException {
     TokenVerifier<AccessToken> verifier =
-        TokenVerifier.create(jwtToken, AccessToken.class).withChecks(checks).publicKey(publicKey);
+        TokenVerifier.create(jwtToken, AccessToken.class).withChecks(checks);
     if (!Strings.isNullOrEmpty(expectedAudience)) {
       verifier = verifier.audience(expectedAudience);
     }
     if (!Strings.isNullOrEmpty(expectedIssuedFor)) {
       verifier = verifier.issuedFor(expectedIssuedFor);
     }
+    verifier.publicKey(publicKeyProvider.get(verifier.getHeader().getKeyId()));
     return verifier;
   }
 
@@ -70,20 +74,4 @@ public KeycloakJwtTokenParser withExpectedIssuedFor(String expectedIssuedFor) {
     this.expectedIssuedFor = expectedIssuedFor;
     return this;
   }
-
-  public static KeycloakJwtTokenParser create(String serverUrl, String realm) {
-    try {
-      ObjectMapper om = new ObjectMapper();
-      String jwksUrl = serverUrl + ServiceUrlConstants.JWKS_URL.replace("{realm-name}", realm);
-      JSONWebKeySet jwks = om.readValue(new URL(jwksUrl).openStream(), JSONWebKeySet.class);
-      if (jwks.getKeys().length == 0) {
-        throw new RuntimeException("No keys found");
-      }
-      JWK jwk = jwks.getKeys()[0];
-      PublicKey publicKey = JWKParser.create(jwk).toPublicKey();
-      return new KeycloakJwtTokenParser(serverUrl, realm, publicKey);
-    } catch (Exception e) {
-      throw new RuntimeException("Exception when obtaining public key from " + serverUrl, e);
-    }
-  }
 }

keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakPublicKeyProvider.java

@@ -0,0 +1,7 @@
+package com.avast.grpc.jwt.keycloak.server;
+
+import java.security.PublicKey;
+
+public interface KeycloakPublicKeyProvider {
+  PublicKey get(String keyId);
+}

keycloak/src/main/resources/reference.conf

@@ -10,4 +10,6 @@ keycloakDefaults {
   // for server
   expectedAudience = ""
   expectedIssuedFor = ""
+  minTimeBetweenJwksRequests = 10 seconds
+  publicKeyCacheTtl = 1 day
 }