Skip to content

New caching mechanism in UrlJwkProvider bypasses/breaks cache config #239

Open
Open
New caching mechanism in UrlJwkProvider bypasses/breaks cache config#239
Labels
bugThis points to a verified bug in the code
@josh-e

Description

@josh-e
josh-e
opened on Sep 8, 2025

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

This PR introduces caching outside of the configurable JWK cache, causing unexpected (potentially insecure) behavior.

Example JWK removed from JWKS endpoint.

Reproduction

  1. Build provider using jwks endpoint where keyid "a" is listed
    a. var provider = new JwkProviderBuilder(new URL("jwks url")).cached(false).build()
  2. Get the key
    a. provider.get("a");
  3. Remove the key from the jwks endpoint
  4. Get the key
    a. provider.get("a");
    b. This shouldn't return the key but does
    c. The key will never stop being found, until a different key id (that wasn't there during step 3.a) is requested from the provider.

Additional context

No response

jwks-rsa version

0.23.0

Java version

17

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis points to a verified bug in the code

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions