Fix parallel JWKS fetches (#1695)

* fix parallel JWKS fetches * change spammy log output to debug level
SAP · Jan 14, 2025 · 9d9c869 · 9d9c869
1 parent e3ad38a
commit 9d9c869
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 9 deletions.
diff --git a/java-security/src/main/java/com/sap/cloud/security/servlet/AbstractTokenAuthenticator.java b/java-security/src/main/java/com/sap/cloud/security/servlet/AbstractTokenAuthenticator.java
@@ -188,7 +188,7 @@ TokenAuthenticationResult tokenValidationResult(Token token) {
 	String getClientCertificate(HttpServletRequest request) {
 		String clientCert = request.getHeader(FWD_CLIENT_CERT_HEADER);
 		if (clientCert == null) {
-			logger.info("There is no '{}' header provided", FWD_CLIENT_CERT_HEADER);
+			logger.debug("There is no '{}' header provided", FWD_CLIENT_CERT_HEADER);
 		}
 		return clientCert;
 	}

diff --git a/...va/com/sap/cloud/security/token/validation/validators/OAuth2TokenKeyServiceWithCache.java b/...va/com/sap/cloud/security/token/validation/validators/OAuth2TokenKeyServiceWithCache.java
@@ -151,10 +151,19 @@ public PublicKey getPublicKey(KeyParameters keyParameters, Map<String, String> r
 		assertHasText(keyParameters.keyId(), "keyId must not be null.");
 		assertNotNull(keyParameters.keyUri(), "keyUrl must not be null.");
 
-		JsonWebKeySet jwks = getCache().getIfPresent(cacheKey.toString());
+		// using an array to remember OAuth exceptions in lambda because variable needs to be effectively final
+		OAuth2ServiceException[] oAuthException = new OAuth2ServiceException[1];
+		JsonWebKeySet jwks = getCache().get(cacheKey.toString(), k -> {
+			try {
+				return retrieveTokenKeys(cacheKey, requestParameters);
+			} catch (OAuth2ServiceException e) {
+				oAuthException[0] = e;
+				return null;
+			}
+		});
 
-		if (jwks == null) {
-			jwks = retrieveTokenKeysAndUpdateCache(cacheKey, requestParameters);
+		if(oAuthException[0] != null) {
+			throw oAuthException[0];
 		}
 
 		if (jwks.getAll().isEmpty()) {
@@ -172,14 +181,11 @@ public PublicKey getPublicKey(KeyParameters keyParameters, Map<String, String> r
 		throw new IllegalArgumentException("Key with kid " + keyParameters.keyId + " not found in JWKS.");
 	}
 
-	private JsonWebKeySet retrieveTokenKeysAndUpdateCache(CacheKey cacheKey, Map<String, String> params)
+	private JsonWebKeySet retrieveTokenKeys(CacheKey cacheKey, Map<String, String> params)
 			throws OAuth2ServiceException {
 		String jwksJson = getTokenKeyService().retrieveTokenKeys(cacheKey.keyUri(), params);
 
-		JsonWebKeySet keySet = JsonWebKeySetFactory.createFromJson(jwksJson);
-		getCache().put(cacheKey.toString(), keySet);
-
-		return keySet;
+		return JsonWebKeySetFactory.createFromJson(jwksJson);
 	}
 
 	private TokenKeyCacheConfiguration getCheckedConfiguration(CacheConfiguration cacheConfiguration) {