feat: AccessToken respecting certificate expiration #463
Comments
ynikitin-etsy
changed the title
|
Hello! Thank you for submitting this issue. You are correct that the |
|
@bshaffer Thank you, this is amazing! I will review asap! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
I am using AccessToken to validate Google Service Account JWTs and that's it. When given the cache, AccessToken caches the public certificates so not to fetch them from Google very time. Currently, AccessToken.php expires the fetched public certificates after one hour. However, Google and other providers often rotate their keys. Thus, it might be possible to cache public certs that are stale for almost an hour (~59min, if fetched right before rotation) given specific timing requirements.
Describe the solution you'd like
Google recommends respecting the Cache-Control header, which it seems this library currently doesn't.
https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
Describe alternatives you've considered
It might be possible to catch the UnexpectedValueException with message
"kid" invalid, unable to lookup correct keyand clear the cache so to force a refetch on revalidation. But, this would happen if you are given a JWT that's signed by another provider public keys' and you would refetch certs all the time.Additional context
Not sure if my understanding is correct here, or there is a better way to make sure certs are always fresh and fetched at appropriate times. Are PR's welcomed for this?
The text was updated successfully, but these errors were encountered: