Comments (4)
AugustusKling
commented on September 24, 2024
1
@adamjmcgrath, I could test your change in the meantime with express-oauth2-jwt-bearer 1.4.1 and can confirm that the isssue is solved. Thanks very much for your support.
from node-oauth2-jwt-bearer.
adamjmcgrath
commented on September 24, 2024
Hi @AugustusKling - thanks for raising this
Yep, you're right - we should retry the discovery after failures (and a discovery cache max age would be a good idea too)
from node-oauth2-jwt-bearer.
AugustusKling
commented on September 24, 2024
Hi Adam,
thanks for the prompt response. The max age seems like a good idea and it can maybe even be derived from the cache headers.
To me it would also make sense to check the retrieved discovery document for completeness before accepting it as cachable. Whilst not having a jwks_uri or similar is clearly not something a server should do, a few checks would help to make the code more resilient against unforseen network issues or server misconfigurations.
from node-oauth2-jwt-bearer.
AugustusKling
commented on September 24, 2024
@adamjmcgrath, the attached PR allows the library to recover from unavailable discovery documents. It does not address anything cache related.
I probably won't have time to reply the next days. Feel to modify and use the code in any way you want.
from node-oauth2-jwt-bearer.
Related Issues (20)
- Proxy Configuraton Broken/HTTP(S) Agent not being passed on JWKSet Creation HOT 2
- [docs] 404 error in the GitHub Pages documentation when clicking on a class or an interface HOT 1
- "nbf" claim timestamp check failed HOT 1
- 500 Error thrown when deployed to GCP App Engine HOT 3
- Getting AssertionError You must provide a 'tokenSigningAlg' for validating symmetric algorithms despite not providing a secret key value pair. HOT 6
- Node 21.5 support HOT 4
- InvalidTokenError: Failed to fetch authorization server metadata HOT 5
- publicKey without discovery HOT 2
- Crashed my express server. HOT 2
- Is it possible to use this with JWE encrypted access token?
- Audience Checking shouldn't be forced
- Allow to specify the location of the token.
- Cloudflare/Workerd support
- Create a separate method to validate a jwt
- Allow better control for discovery endpoints to use HOT 1
- Node 22 support
- [example] How to write unit tests for our Express APIs with canned JWTs? HOT 1
- [express-oauth2-jwt-bearer] What is the best practice to allow request to go through despite token being unauthorized? HOT 4
- [docs] API documentation of auth middleware should mention "req.auth"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from node-oauth2-jwt-bearer.