JwkSetSecretStore
Manages a secret store for JSON Web Keys (JWK) from a local or remote JWK Set.
Secrets from JwkSetSecretStore have a non-configurable lease duration, equal to the value of cacheTimeout. The secret can be used for that duration before it is refreshed or discarded.
For a description of how secrets are managed, see "Secrets".
For information about JWKs and JWK Sets, see RFC-7517, JSON Web Key (JWK).
Usage
{
  "name": string,
  "type": "JwkSetSecretStore",
  "config": {
    "jwkUrl": configuration expression<url>,
    "handler": Handler reference or inline handler declaration,
    "cacheTimeout": configuration expression<duration>,
    "cacheMissCacheTime": configuration expression<duration>
  }
}
Properties
"jwkUrl": configuration expression<url>, required
A URL that contains the client's public keys in JWK format.

"handler": Handler reference, optional
An HTTP client handler used to communicate with the jwkUrl. Usually set this property to the name of a ClientHandler configured in the heap, or to a chain that ends in a ClientHandler.
Default: ClientHandler

"cacheTimeout": configuration expression<duration>, optional
Delay before the cache is reloaded. The cache holds the JWK Set retrieved from the jwkUrl. The cache cannot be deactivated. If a value lower than 10 seconds is configured, a warning is logged and the default value is used instead.
Default: 2 minutes

"cacheMissCacheTime": configuration expression<duration>, optional
If the jwkUrl is looked up in the cache and is not found, this is the delay before the cache is reloaded.
Default: 2 minutes
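The caching rules above (a lease of cacheTimeout, the 10-second floor with a logged warning, and a cache miss that is itself cached for cacheMissCacheTime before the jwkUrl is contacted again) are modelled in the following Python example. It is an added illustration, not ForgeRock's implementation: the HTTP fetch and the clock are injected so the behaviour can be exercised offline, and the JWK Set is a constructed sample.

```python
import json
import logging
from typing import Callable, Optional

log = logging.getLogger("org.forgerock.secrets.jwkset")  # logger name used on this page

DEFAULT_CACHE_TIME = 120.0  # "2 minutes", the default for both timeouts
MIN_CACHE_TIMEOUT = 10.0    # values below this are replaced by the default


class JwkSetCache:
    """Caches the JWK Set behind jwk_url; fetch and clock are injected (assumed)."""

    def __init__(self, jwk_url: str, fetch: Callable[[str], str], clock: Callable[[], float],
                 cache_timeout: float = DEFAULT_CACHE_TIME,
                 cache_miss_cache_time: float = DEFAULT_CACHE_TIME) -> None:
        if cache_timeout < MIN_CACHE_TIMEOUT:
            log.warning("cacheTimeout %ss is below 10s; using %ss", cache_timeout, DEFAULT_CACHE_TIME)
            cache_timeout = DEFAULT_CACHE_TIME
        self.jwk_url, self.fetch, self.clock = jwk_url, fetch, clock
        self.cache_timeout = cache_timeout
        self.cache_miss_cache_time = cache_miss_cache_time
        self.jwk_set: Optional[dict] = None  # parsed JWK Set, or None when not loaded
        self.expires_at = 0.0                # end of the lease on jwk_set
        self.retry_at = 0.0                  # earliest reload after a cache miss

    def _jwk_set(self) -> Optional[dict]:
        now = self.clock()
        if self.jwk_set is not None and now < self.expires_at:
            return self.jwk_set              # lease still valid: no network call
        if self.jwk_set is None and now < self.retry_at:
            return None                      # the miss is cached: do not hammer jwk_url
        try:
            self.jwk_set = json.loads(self.fetch(self.jwk_url))
            self.expires_at = now + self.cache_timeout
        except Exception as exc:             # unreachable URL, bad JSON, ...
            log.warning("reload of %s failed: %s", self.jwk_url, exc)
            self.jwk_set = None              # expired keys are discarded, not kept
            self.retry_at = now + self.cache_miss_cache_time
        return self.jwk_set

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK with the given kid, or None if the set is unavailable."""
        jwks = self._jwk_set()
        if jwks is None:
            return None
        return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


# Constructed sample JWK Set; the key material is a placeholder, not a real key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2024", "use": "sig", "n": "<modulus>", "e": "AQAB"}]})
```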
Log Level
To facilitate debugging secrets for the JwkSetSecretStore, add a logger to logback.xml defined by the fully qualified package name of the JwkSetSecretStore. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.secrets.jwkset" level="ALL"/>
Example
For an example of how to set up and use JwkSetSecretStore to validate signed access_tokens, see "Validating Signed Access_Tokens With the StatelessAccessTokenResolver and JwkSetSecretStore".