Add expiration to JWT/OpenID keys caching

Refactor cache invalidation for JWT keys and tests

---------

Co-authored-by: Tim Hess <tim.hess@broadcom.com>

Author: bart-vmware

src/Security/src/Authentication.JwtBearer/JwtBearerAuthenticationBuilderExtensions.cs

@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 
 namespace Steeltoe.Security.Authentication.JwtBearer;
@@ -24,6 +25,8 @@ public static AuthenticationBuilder ConfigureJwtBearerForCloudFoundry(this Authe
     {
         ArgumentNullException.ThrowIfNull(builder);
 
+        builder.Services.TryAddSingleton(TimeProvider.System);
+        builder.Services.TryAddSingleton<TokenKeyResolver>();
         builder.Services.AddSingleton<IPostConfigureOptions<JwtBearerOptions>, PostConfigureJwtBearerOptions>();
         return builder;
     }

src/Security/src/Authentication.JwtBearer/PostConfigureJwtBearerOptions.cs

@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
 using Steeltoe.Common;
 
 namespace Steeltoe.Security.Authentication.JwtBearer;
@@ -13,12 +14,15 @@ internal sealed class PostConfigureJwtBearerOptions : IPostConfigureOptions<JwtB
 {
     private const string BearerConfigurationKeyPrefix = "Authentication:Schemes:Bearer";
     private readonly IConfiguration _configuration;
+    private readonly TokenKeyResolver _tokenKeyResolver;
 
-    public PostConfigureJwtBearerOptions(IConfiguration configuration)
+    public PostConfigureJwtBearerOptions(IConfiguration configuration, TokenKeyResolver tokenKeyResolver)
     {
         ArgumentNullException.ThrowIfNull(configuration);
+        ArgumentNullException.ThrowIfNull(tokenKeyResolver);
 
         _configuration = configuration;
+        _tokenKeyResolver = tokenKeyResolver;
     }
 
     public void PostConfigure(string? name, JwtBearerOptions options)
@@ -56,7 +60,10 @@ public void PostConfigure(string? name, JwtBearerOptions options)
             options.TokenValidationParameters.ValidIssuer = $"{options.Authority}/oauth/token";
         }
 
-        var keyResolver = new TokenKeyResolver(options.Authority, options.Backchannel);
-        options.TokenValidationParameters.IssuerSigningKeyResolver = (_, _, keyId, _) => keyResolver.ResolveSigningKey(keyId);
+        options.TokenValidationParameters.IssuerSigningKeyResolver = (_, _, keyId, _) =>
+        {
+            JsonWebKey? key = _tokenKeyResolver.ResolveSigningKey(options.Authority, keyId, options.Backchannel);
+            return key != null ? [key] : [];
+        };
     }
 }

src/Security/src/Authentication.JwtBearer/Steeltoe.Security.Authentication.JwtBearer.csproj

@@ -10,6 +10,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="$(MatchTargetFrameworkVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="$(FoundationalVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="$(MicrosoftIdentityModelVersion)" />
   </ItemGroup>

src/Security/src/Authentication.JwtBearer/TokenKeyResolver.cs

@@ -2,76 +2,181 @@
 // The .NET Foundation licenses this file to you under the Apache 2.0 License.
 // See the LICENSE file in the project root for more information.
 
-using System.Collections.Concurrent;
 using System.Net.Http.Headers;
+using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
+using Steeltoe.Common.Extensions;
 
 namespace Steeltoe.Security.Authentication.JwtBearer;
 
-internal sealed class TokenKeyResolver
+internal sealed partial class TokenKeyResolver : IDisposable
 {
     private static readonly MediaTypeWithQualityHeaderValue AcceptHeader = new("application/json");
-    private readonly HttpClient _httpClient;
-    private readonly Uri _authorityUri;
+    private static readonly TimeSpan CacheTimeToLiveForKeyFound = TimeSpan.FromHours(12);
+    private static readonly TimeSpan CacheMinTimeToLiveForKeyNotFound = TimeSpan.FromSeconds(30);
+    private static readonly TimeSpan CacheMaxTimeToLiveForKeyNotFound = TimeSpan.FromSeconds(60);
+    private readonly MemoryCache _cache;
+    private readonly ILogger<TokenKeyResolver> _logger;
 
-    internal static ConcurrentDictionary<string, SecurityKey> ResolvedSecurityKeysById { get; } = new();
+    public TokenKeyResolver(TimeProvider timeProvider, ILoggerFactory loggerFactory)
+    {
+        ArgumentNullException.ThrowIfNull(timeProvider);
+        ArgumentNullException.ThrowIfNull(loggerFactory);
+
+        _cache = new MemoryCache(new MemoryCacheOptions
+        {
+            Clock = new TimeProviderSystemClock(timeProvider)
+        }, loggerFactory);
 
-    public TokenKeyResolver(string authority, HttpClient httpClient)
+        _logger = loggerFactory.CreateLogger<TokenKeyResolver>();
+    }
+
+    internal JsonWebKey? ResolveSigningKey(string authority, string keyId, HttpClient httpClient)
     {
         ArgumentException.ThrowIfNullOrWhiteSpace(authority);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyId);
         ArgumentNullException.ThrowIfNull(httpClient);
 
+        Uri tokenKeysUri = GetTokenKeysUri(authority);
+        return CachingResolveSigningKey(tokenKeysUri, keyId, httpClient);
+    }
+
+    private static Uri GetTokenKeysUri(string authority)
+    {
         if (!authority.EndsWith('/'))
         {
             authority += '/';
         }
 
-        _authorityUri = new Uri($"{authority}token_keys");
-        _httpClient = httpClient;
+        var authorityUri = new Uri(authority);
+        return new Uri(authorityUri, "token_keys");
     }
 
-    internal SecurityKey[] ResolveSigningKey(string keyId)
+    private JsonWebKey? CachingResolveSigningKey(Uri tokenKeysUri, string keyId, HttpClient httpClient)
     {
-        if (ResolvedSecurityKeysById.TryGetValue(keyId, out SecurityKey? resolved))
+        string cacheKey = GetCacheKey(tokenKeysUri, keyId);
+
+        if (!_cache.TryGetValue<JsonWebKey?>(cacheKey, out JsonWebKey? matchingWebKey))
         {
-            return [resolved];
+            JsonWebKeySet? webKeySet = FetchKeySet(tokenKeysUri, httpClient);
+
+            foreach (JsonWebKey nextWebKey in webKeySet?.Keys ?? [])
+            {
+                string nextCacheKey = GetCacheKey(tokenKeysUri, nextWebKey.Kid);
+                _cache.Set(nextCacheKey, nextWebKey, CacheTimeToLiveForKeyFound);
+
+                if (nextWebKey.Kid == keyId)
+                {
+                    matchingWebKey = nextWebKey;
+                }
+            }
+
+            if (matchingWebKey == null)
+            {
+                TimeSpan timeToLive = GetTimeToLiveForNotFound();
+                _cache.Set<JsonWebKey?>(cacheKey, null, timeToLive);
+
+                if (webKeySet == null)
+                {
+                    LogDisableFetchAfterServerError(keyId, (int)timeToLive.TotalSeconds);
+                }
+                else
+                {
+                    LogDisableFetchAfterKeyNotFound(keyId, (int)timeToLive.TotalSeconds);
+                }
+            }
         }
 
+        return matchingWebKey;
+    }
+
+    private static string GetCacheKey(Uri tokenKeysUri, string keyId)
+    {
+        return $"{tokenKeysUri}:{keyId}";
+    }
+
+    private static TimeSpan GetTimeToLiveForNotFound()
+    {
+        double jitterSeconds = Random.Shared.NextDouble() * (CacheMaxTimeToLiveForKeyNotFound - CacheMinTimeToLiveForKeyNotFound).TotalSeconds;
+        return CacheMinTimeToLiveForKeyNotFound + TimeSpan.FromSeconds(jitterSeconds);
+    }
+
+    private JsonWebKeySet? FetchKeySet(Uri tokenKeysUri, HttpClient httpClient)
+    {
 #pragma warning disable S4462 // Calls to "async" methods should not be blocking
         // Justification: can't be async all the way until updates are complete in Microsoft libraries
         // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/468
-        JsonWebKeySet? keySet = FetchKeySetAsync(CancellationToken.None).GetAwaiter().GetResult();
+        return FetchKeySetAsync(tokenKeysUri, httpClient, CancellationToken.None).GetAwaiter().GetResult();
 #pragma warning restore S4462 // Calls to "async" methods should not be blocking
+    }
+
+    private async Task<JsonWebKeySet?> FetchKeySetAsync(Uri tokenKeysUri, HttpClient httpClient, CancellationToken cancellationToken)
+    {
+        using var requestMessage = new HttpRequestMessage(HttpMethod.Get, tokenKeysUri);
+        requestMessage.Headers.Accept.Add(AcceptHeader);
 
-        if (keySet != null)
+        HttpResponseMessage response;
+
+        try
         {
-            foreach (JsonWebKey key in keySet.Keys)
-            {
-                ResolvedSecurityKeysById[key.Kid] = key;
-            }
+            response = await httpClient.SendAsync(requestMessage, cancellationToken);
+        }
+        catch (Exception exception) when (exception is HttpRequestException || exception.IsHttpClientTimeout())
+        {
+            LogTokenKeysEndpointUnreachable(exception, tokenKeysUri);
+            return null;
         }
 
-        if (ResolvedSecurityKeysById.TryGetValue(keyId, out resolved))
+        if (!response.IsSuccessStatusCode)
         {
-            return [resolved];
+            LogFetchTokenKeysStatusFailed(tokenKeysUri, (int)response.StatusCode);
+            return null;
         }
 
-        return [];
+        try
+        {
+            string result = await response.Content.ReadAsStringAsync(cancellationToken);
+            return JsonWebKeySet.Create(result);
+        }
+        catch (ArgumentException exception)
+        {
+            LogFetchTokenKeysParseFailed(exception, tokenKeysUri);
+            return null;
+        }
     }
 
-    internal async Task<JsonWebKeySet?> FetchKeySetAsync(CancellationToken cancellationToken)
+    public void Dispose()
     {
-        using var requestMessage = new HttpRequestMessage(HttpMethod.Get, _authorityUri);
-        requestMessage.Headers.Accept.Add(AcceptHeader);
+        _cache.Dispose();
+    }
 
-        HttpResponseMessage response = await _httpClient.SendAsync(requestMessage, cancellationToken);
+    [LoggerMessage(LogLevel.Warning, "Fetch keys from '{TokenKeysUri}' failed.")]
+    private partial void LogTokenKeysEndpointUnreachable(Exception exception, MaskedUri tokenKeysUri);
 
-        if (!response.IsSuccessStatusCode)
+    [LoggerMessage(LogLevel.Warning, "Fetch keys from '{TokenKeysUri}' failed with HTTP status {StatusCode}.")]
+    private partial void LogFetchTokenKeysStatusFailed(MaskedUri tokenKeysUri, int statusCode);
+
+    [LoggerMessage(LogLevel.Warning, "Fetch keys from '{TokenKeysUri}' failed because the returned JSON is invalid.")]
+    private partial void LogFetchTokenKeysParseFailed(Exception exception, MaskedUri tokenKeysUri);
+
+    [LoggerMessage(LogLevel.Information, "Disabled fetch for key '{KeyId}' for {RetryAfterSeconds}s because the HTTP request failed.")]
+    private partial void LogDisableFetchAfterServerError(string keyId, int retryAfterSeconds);
+
+    [LoggerMessage(LogLevel.Information, "Disabled fetch for key '{KeyId}' for {RetryAfterSeconds}s because the key was not found in the HTTP response.")]
+    private partial void LogDisableFetchAfterKeyNotFound(string keyId, int retryAfterSeconds);
+
+    private sealed class TimeProviderSystemClock : ISystemClock
+    {
+        private readonly TimeProvider _timeProvider;
+
+        public DateTimeOffset UtcNow => _timeProvider.GetUtcNow();
+
+        public TimeProviderSystemClock(TimeProvider timeProvider)
         {
-            return null;
+            ArgumentNullException.ThrowIfNull(timeProvider);
+            _timeProvider = timeProvider;
         }
-
-        string result = await response.Content.ReadAsStringAsync(cancellationToken);
-        return JsonWebKeySet.Create(result);
     }
 }

src/Security/src/Authentication.OpenIdConnect/OpenIdConnectAuthenticationBuilderExtensions.cs

@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 
 namespace Steeltoe.Security.Authentication.OpenIdConnect;
@@ -24,6 +25,8 @@ public static AuthenticationBuilder ConfigureOpenIdConnectForCloudFoundry(this A
     {
         ArgumentNullException.ThrowIfNull(builder);
 
+        builder.Services.TryAddSingleton(TimeProvider.System);
+        builder.Services.TryAddSingleton<TokenKeyResolver>();
         builder.Services.AddSingleton<IPostConfigureOptions<OpenIdConnectOptions>, PostConfigureOpenIdConnectOptions>();
         return builder;
     }

src/Security/src/Authentication.OpenIdConnect/PostConfigureOpenIdConnectOptions.cs

@@ -7,15 +7,28 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Steeltoe.Security.Authentication.OpenIdConnect;
 
 internal sealed class PostConfigureOpenIdConnectOptions : IPostConfigureOptions<OpenIdConnectOptions>
 {
-    // The ClaimsIdentity is built off the id_token, but scopes are returned in the access_token.
-    // Identify scopes not already present as claims and add them to the ClaimsIdentity
+    private readonly TokenKeyResolver _tokenKeyResolver;
+
+    public PostConfigureOpenIdConnectOptions(TokenKeyResolver tokenKeyResolver)
+    {
+        ArgumentNullException.ThrowIfNull(tokenKeyResolver);
+
+        _tokenKeyResolver = tokenKeyResolver;
+    }
+
     private static Task MapScopesToClaimsAsync(TokenValidatedContext context)
     {
+        ArgumentNullException.ThrowIfNull(context);
+
+        // The ClaimsIdentity is built off the id_token, but scopes are returned in the access_token.
+        // Identify scopes not already present as claims and add them to the ClaimsIdentity.
+
         if (context.Principal?.Identity is not ClaimsIdentity claimsIdentity)
         {
             return Task.CompletedTask;
@@ -54,7 +67,10 @@ public void PostConfigure(string? name, OpenIdConnectOptions options)
 
         options.TokenValidationParameters.ValidIssuer = $"{options.Authority}/oauth/token";
 
-        var keyResolver = new TokenKeyResolver(options.Authority, options.Backchannel);
-        options.TokenValidationParameters.IssuerSigningKeyResolver = (_, _, keyId, _) => keyResolver.ResolveSigningKey(keyId);
+        options.TokenValidationParameters.IssuerSigningKeyResolver = (_, _, keyId, _) =>
+        {
+            JsonWebKey? key = _tokenKeyResolver.ResolveSigningKey(options.Authority, keyId, options.Backchannel);
+            return key != null ? [key] : [];
+        };
     }
 }

src/Security/src/Authentication.OpenIdConnect/Steeltoe.Security.Authentication.OpenIdConnect.csproj

@@ -10,6 +10,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MatchTargetFrameworkVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="$(FoundationalVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(MicrosoftIdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="$(MicrosoftIdentityModelVersion)" />
   </ItemGroup>