JwkSetSecretStore
Manages a secret store for JSON Web Keys (JWK) from a local or remote JWK Set.
For a description of how secrets are managed, see Secrets.
For information about JWKs and JWK Sets, see RFC-7517, JSON Web Key (JWK).
Usage
{
  "name": string,
  "type": "JwkSetSecretStore",
  "config": {
    "jwkUrl": configuration expression<url>,
    "handler": Handler reference or inline handler declaration,
    "cacheTimeout": configuration expression<duration>,
    "cacheMissCacheTime": configuration expression<duration>,
    "leaseExpiry": configuration expression<duration>
  }
}
Properties
"jwkUrl": configuration expression<url>, required
    A URL that contains the client's public keys in JWK format.

"handler": Handler reference, optional
    An HTTP client handler used to communicate with the jwkUrl. Usually set this property to the name of a ClientHandler configured in the heap, or to a chain that ends in a ClientHandler.
    Default: ClientHandler

"cacheTimeout": configuration expression<duration>, optional
    Delay before the cache is reloaded. The cache holds the JWK Set fetched from the jwkUrl. The cache cannot be deactivated: if a value lower than 10 seconds is configured, a warning is logged and the default value is used instead.
    Default: 2 minutes

"cacheMissCacheTime": configuration expression<duration>, optional
    If the jwkUrl is looked up in the cache and is not found, this is the delay before the cache is reloaded.
    Default: 2 minutes

"leaseExpiry": configuration expression<duration>, optional
    The amount of time that secrets produced by this store can be cached before they must be refreshed. If the duration is zero or unlimited, IG issues a warning and uses the default value.
    Default: 5 minutes
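The following Python model is an added example, not IG's own code, written to make the documented timing rules concrete: a cacheTimeout below 10 seconds and a zero or unlimited leaseExpiry fall back to their defaults with a warning, the JWK Set is refetched once the cache is older than cacheTimeout, and a lookup of an unknown kid triggers at most one extra reload per cacheMissCacheTime (how a miss is negatively cached is this example's assumption; the page only gives the delay). The JWK Set, the `fetch` callable and the `now` clock parameter are constructed for the example; the key material is a placeholder, not a real key.

```python
import json
import logging
import math
from dataclasses import dataclass
from typing import Callable, Dict, Optional

logger = logging.getLogger("org.forgerock.secrets.jwkset")

# Defaults and limits as documented for the store, in seconds.
DEFAULT_CACHE_TIMEOUT = 120.0     # "2 minutes"
DEFAULT_CACHE_MISS_TIME = 120.0   # "2 minutes"
DEFAULT_LEASE_EXPIRY = 300.0      # "5 minutes"
MIN_CACHE_TIMEOUT = 10.0          # below this: warning and default
UNLIMITED = math.inf              # stands in for the "unlimited" duration

# Constructed JWK Set for the example; the modulus is a placeholder, not a real key.
SAMPLE_JWK_SET = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-2024", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]})


def effective_cache_timeout(seconds: float) -> float:
    """The cache cannot be disabled: values under 10 s fall back to the default."""
    if seconds < MIN_CACHE_TIMEOUT:
        logger.warning("cacheTimeout %.1fs is below %.0fs; using default %.0fs",
                       seconds, MIN_CACHE_TIMEOUT, DEFAULT_CACHE_TIMEOUT)
        return DEFAULT_CACHE_TIMEOUT
    return seconds


def effective_lease_expiry(seconds: float) -> float:
    """A zero or unlimited lease would let stale keys live forever; use the default."""
    if seconds == 0 or seconds == UNLIMITED:
        logger.warning("leaseExpiry %s is not allowed; using default %.0fs",
                       seconds, DEFAULT_LEASE_EXPIRY)
        return DEFAULT_LEASE_EXPIRY
    return seconds


@dataclass(frozen=True)
class Secret:
    kid: str
    jwk: dict
    expires_at: float  # absolute time after which the caller must refresh the secret


class JwkSetSecretStore:
    """Caches a JWK Set obtained from `fetch` (standing in for the jwkUrl handler)
    and resolves public keys by kid."""

    def __init__(self, fetch: Callable[[], str],
                 cache_timeout: float = DEFAULT_CACHE_TIMEOUT,
                 cache_miss_time: float = DEFAULT_CACHE_MISS_TIME,
                 lease_expiry: float = DEFAULT_LEASE_EXPIRY) -> None:
        self._fetch = fetch
        self.cache_timeout = effective_cache_timeout(cache_timeout)
        self.cache_miss_time = cache_miss_time
        self.lease_expiry = effective_lease_expiry(lease_expiry)
        self._keys: Dict[str, dict] = {}
        self._loaded_at: Optional[float] = None
        self._last_miss_reload: Optional[float] = None
        self.fetch_count = 0  # number of times the jwkUrl was actually fetched

    def _reload(self, now: float) -> None:
        jwk_set = json.loads(self._fetch())
        self._keys = {k["kid"]: k for k in jwk_set.get("keys", []) if "kid" in k}
        self._loaded_at = now
        self.fetch_count += 1

    def get_secret(self, kid: str, now: float) -> Optional[Secret]:
        # Periodic reload once the cached set is older than cacheTimeout.
        reloaded = False
        if self._loaded_at is None or now - self._loaded_at >= self.cache_timeout:
            self._reload(now)
            reloaded = True
        jwk = self._keys.get(kid)
        # Cache miss: reload at most once per cacheMissCacheTime, so an unknown
        # kid cannot force a fetch of the jwkUrl on every request.
        if jwk is None and not reloaded and (
                self._last_miss_reload is None
                or now - self._last_miss_reload >= self.cache_miss_time):
            self._last_miss_reload = now
            self._reload(now)
            jwk = self._keys.get(kid)
        if jwk is None:
            return None
        return Secret(kid=kid, jwk=jwk, expires_at=now + self.lease_expiry)
```

Passing `now` explicitly keeps the model deterministic; a real store would read a monotonic clock. The `fetch_count` attribute is what to watch when tuning the three durations: every increment is a round trip to the jwkUrl.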
Log Level
To facilitate debugging secrets for the JwkSetSecretStore, add a logger to logback.xml defined by the fully qualified package name of the JwkSetSecretStore. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.secrets.jwkset" level="ALL"/>
Example
For an example of how to set up and use JwkSetSecretStore to validate signed access_tokens, see Validate Signed Access_Tokens With the StatelessAccessTokenResolver and JwkSetSecretStore.