Open
Labels: enhancement, help wanted
Description
This library is currently around 5 years old, and not only has my understanding of the environment and language hopefully evolved, but the uses of JWKS and the understanding of the spec itself are also better nowadays. So, I think it is time we discuss a 2.0 version a bit.
Current breaking issues are:
- We should support kid-less and duplicated kids in sets, as per the discussion on "Add support for kid-less jwks signature validation" (#37)
- We are simply using processes the wrong way and have caused unfortunate side effects: "ets table not being cleaned up, causes application crash" (#40)
- More and more people want to use a fixed set of JWKS sources and even a completely dynamic set of sources: "Allow dynamically starting strategies + expand GenServer-ness of the DefaultStrategyTemplate" (#39)
- Manually re-fetching might help solve some issues for some people during emergencies: "Question about manually refetch the token from public API (e.g. google)." (#30)
These have to be tackled either way (breaking or not).
Some others I think are important:
- JWKS claims like certificate thumbprints are increasingly important for security
  - This has mainly `x5t` and `x5c` claims as targets
- Better HTTP configuration would also have helped avoid needing to release new versions
- More observability would also help here (not only HTTP events per se but also cache events, for example)
- Better guides and documentation examples (many issues were open about that in the past)
- More options to re-trigger fetching (like cache expiration, as mentioned on "Have the default fetcher implementation respect caching headers" #35)
I will have time to work on these in May. If anybody has any other issues that they would like to see added here, please join the discussion :)