
use std::sync::{Arc, RwLock};

use jsonwebtoken::{jwk::JwkSet, DecodingKey, TokenData, Validation};
use serde::de::DeserializeOwned;

use crate::{Decoder, Error, JwtDecoder};

/// Remote JWKS decoder.
/// It fetches the JWKS from the given URL and caches it for the given duration.
/// It uses the cached JWKS to decode the JWT tokens.
///
/// The key cache starts empty and is only populated by
/// `refresh_keys_periodically`, which has to be driven by a separate task;
/// nothing is fetched on construction. Build one with `new` or with
/// [`RemoteJwksDecoderBuilder`].
pub struct RemoteJwksDecoder {
    /// URL the JWKS document is fetched from.
    jwks_url: String,
    /// Sleep between two periodic refreshes, i.e. how long a fetched key set is used.
    cache_duration: std::time::Duration,
    /// Cached decoding keys paired with their optional `kid`. The whole vector is
    /// replaced on each successful refresh; readers take the lock per `decode`.
    keys_cache: RwLock<Vec<(Option<String>, DecodingKey)>>,
    /// Validation rules handed to `jsonwebtoken::decode` for every token.
    validation: Validation,
    /// HTTP client used to fetch the JWKS.
    client: reqwest::Client,
    /// Number of fetch attempts per refresh before the refresh is reported as failed.
    retry_count: usize,
    /// Delay between two failed fetch attempts.
    backoff: std::time::Duration,
}

impl From<RemoteJwksDecoder> for Decoder {
    /// Wraps the decoder in an [`Arc`] and stores it as the `Remote` variant.
    fn from(decoder: RemoteJwksDecoder) -> Self {
        let shared = Arc::new(decoder);
        Decoder::Remote(shared)
    }
}

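impl RemoteJwksDecoder {
    /// Creates a decoder for the JWKS served at `jwks_url` with default settings:
    /// a one-hour cache duration, three fetch attempts one second apart, a fresh
    /// `reqwest::Client` and `Validation::default()`.
    ///
    /// No network request is made here. The cache stays empty until
    /// [`RemoteJwksDecoder::refresh_keys_periodically`] has completed its first
    /// successful fetch, and tokens decoded before that are rejected.
    ///
    /// jsonwebtoken's `Validation::default()` only accepts HS256; for an RSA/EC key
    /// set the allowed algorithms (and issuer/audience checks) have to be configured
    /// through [`RemoteJwksDecoderBuilder::with_validation`].
    pub fn new(jwks_url: String) -> Self {
        Self {
            jwks_url,
            cache_duration: std::time::Duration::from_secs(60 * 60),
            keys_cache: RwLock::new(Vec::new()),
            validation: Validation::default(),
            client: reqwest::Client::new(),
            retry_count: 3,
            backoff: std::time::Duration::from_secs(1),
        }
    }

    /// Refreshes the key cache, making up to `retry_count` attempts with `backoff`
    /// between them.
    ///
    /// At least one attempt is always made, so a `retry_count` of zero returns the
    /// first error instead of panicking. No backoff sleep follows the last failure.
    ///
    /// # Errors
    /// Returns the error of the last failed attempt.
    async fn refresh_keys(&self) -> Result<(), Error> {
        // `retry_count == 0` previously left `err` unset and panicked on `unwrap`.
        let max_attempts = self.retry_count.max(1);
        let mut attempt = 1;

        loop {
            match self.refresh_keys_once().await {
                Ok(()) => return Ok(()),
                // Final attempt: hand the error back without sleeping.
                Err(e) if attempt >= max_attempts => return Err(e),
                Err(_) => {
                    attempt += 1;
                    tokio::time::sleep(self.backoff).await;
                }
            }
        }
    }

    /// Fetches the JWKS once and replaces the cached keys with its contents.
    ///
    /// Non-2xx responses are treated as failures rather than parsed. Keys that
    /// cannot be turned into a [`DecodingKey`] are logged and skipped, so one bad
    /// entry does not fail the whole refresh. A response that yields no usable key
    /// still replaces the cache with an empty set, after which every token is
    /// rejected until the next successful refresh (fail closed).
    ///
    /// # Errors
    /// Returns the request, status or JSON decoding error if the JWKS cannot be
    /// fetched.
    async fn refresh_keys_once(&self) -> Result<(), Error> {
        let jwks = self
            .client
            .get(&self.jwks_url)
            .send()
            .await?
            // An error page must not be interpreted as a (possibly empty) key set.
            .error_for_status()?
            .json::<JwkSet>()
            .await?;

        let keys: Vec<(Option<String>, DecodingKey)> = jwks
            .keys
            .iter()
            .filter_map(|jwk| match DecodingKey::from_jwk(jwk) {
                Ok(key) => Some((jwk.common.key_id.clone(), key)),
                Err(e) => {
                    // Best effort: skip the unusable key but leave a trace of it.
                    eprintln!("Skipping JWK with kid {:?}: {:?}", jwk.common.key_id, e);
                    None
                }
            })
            .collect();

        // The new set is built before taking the lock, so the write section is a
        // single assignment. A poisoned lock is recovered rather than propagated:
        // the guarded value is only ever replaced wholesale, so a panicking writer
        // cannot leave it half-updated.
        let mut cache = self
            .keys_cache
            .write()
            .unwrap_or_else(|poisoned| poisoned.into_inner());
        *cache = keys;

        Ok(())
    }

    /// Refreshes the JWKS cache periodically.
    /// It runs in a loop and never returns, so it should be run in a separate tokio task
    /// using [`tokio::spawn`]. If the JWKS refresh fails after multiple attempts,
    /// it logs the error and continues. The decoder will use the stale keys until the next refresh
    /// succeeds or the universe ends, whichever comes first.
    ///
    /// The first refresh starts immediately; the following ones are spaced by
    /// `cache_duration`.
    pub async fn refresh_keys_periodically(&self) {
        loop {
            if let Err(err) = self.refresh_keys().await {
                // log the error and continue with stale keys
                eprintln!(
                    "Failed to refresh JWKS after {} attempts: {:?}",
                    self.retry_count.max(1),
                    err
                );
            }
            tokio::time::sleep(self.cache_duration).await;
        }
    }
}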

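impl<T> JwtDecoder<T> for RemoteJwksDecoder
where
    T: for<'de> DeserializeOwned,
{
    /// Decodes and validates `token` against the cached JWKS.
    ///
    /// The `kid` from the token header is matched against the cached keys first.
    /// When no cached key carries that `kid` (this includes tokens without one),
    /// every cached key is tried in turn and the first successful verification
    /// wins; otherwise the error from the last key is returned. The `kid` only
    /// selects a key: signature and claim checks are always performed by
    /// `jsonwebtoken` with `self.validation`, so an unknown `kid` cannot bypass
    /// verification.
    ///
    /// This is a synchronous lookup and never triggers a JWKS fetch, so a token
    /// signed with a freshly rotated key is rejected until the periodic refresh
    /// has picked the new key up.
    ///
    /// # Errors
    /// Returns the header-parsing error, the verification error, or — when the
    /// cache holds no key at all (e.g. before the first successful refresh) — an
    /// `InvalidSignature` error instead of panicking.
    fn decode(&self, token: &str) -> Result<TokenData<T>, Error> {
        let header = jsonwebtoken::decode_header(token)?;
        let target_kid = header.kid;

        // A poisoned lock is recovered: the cache is only ever replaced wholesale,
        // so its contents are consistent even if a writer panicked.
        let jwks_cache = self
            .keys_cache
            .read()
            .unwrap_or_else(|poisoned| poisoned.into_inner());

        // Fast path: the key whose kid matches the token header.
        if let Some((_, key)) = jwks_cache.iter().find(|(kid, _)| kid == &target_kid) {
            return Ok(jsonwebtoken::decode::<T>(token, key, &self.validation)?);
        }

        // Fallback: try every cached key, remembering the last error.
        let mut last_err: Option<Error> = None;
        for (_, key) in jwks_cache.iter() {
            match jsonwebtoken::decode::<T>(token, key, &self.validation) {
                Ok(token_data) => return Ok(token_data),
                Err(e) => last_err = Some(e.into()),
            }
        }

        // An empty cache used to panic on `unwrap`; report it as a verification
        // failure so a request arriving before the first refresh is rejected
        // rather than crashing the handler.
        Err(last_err.unwrap_or_else(|| {
            Error::Jwt(jsonwebtoken::errors::ErrorKind::InvalidSignature.into())
        }))
    }
}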

/// Builder for [`RemoteJwksDecoder`]; every setting has a default and can be
/// overridden through the `with_*` methods before calling `build`.
pub struct RemoteJwksDecoderBuilder {
    /// URL the JWKS document is fetched from.
    jwks_url: String,
    /// Interval between periodic JWKS refreshes.
    cache_duration: std::time::Duration,
    /// Validation rules applied to every decoded token.
    validation: Validation,
    /// HTTP client used to fetch the JWKS.
    client: reqwest::Client,
    /// Number of fetch attempts per refresh.
    retry_count: usize,
    /// Delay between two failed fetch attempts.
    backoff: std::time::Duration,
}

impl RemoteJwksDecoderBuilder {
    /// Starts a builder for `jwks_url` with the same defaults as
    /// `RemoteJwksDecoder::new`: one-hour cache, three attempts one second apart,
    /// a fresh `reqwest::Client` and `Validation::default()`.
    pub fn new(jwks_url: String) -> Self {
        let one_hour = std::time::Duration::from_secs(60 * 60);
        let one_second = std::time::Duration::from_secs(1);
        Self {
            jwks_url,
            cache_duration: one_hour,
            validation: Validation::default(),
            client: reqwest::Client::new(),
            retry_count: 3,
            backoff: one_second,
        }
    }

    /// Sets how long a fetched key set is used before the next refresh.
    pub fn with_jwks_cache_duration(self, jwks_cache_duration: std::time::Duration) -> Self {
        Self { cache_duration: jwks_cache_duration, ..self }
    }

    /// Sets the HTTP client used to fetch the JWKS (e.g. one with timeouts or a
    /// custom TLS configuration).
    pub fn with_client(self, client: reqwest::Client) -> Self {
        Self { client, ..self }
    }

    /// Sets the validation rules applied to every token. The default only accepts
    /// HS256, so this is where the algorithms matching the JWKS and any issuer or
    /// audience checks are configured.
    pub fn with_validation(self, validation: Validation) -> Self {
        Self { validation, ..self }
    }

    /// Sets the number of fetch attempts per refresh.
    pub fn with_retry_count(self, retry_count: usize) -> Self {
        Self { retry_count, ..self }
    }

    /// Sets the delay between two failed fetch attempts.
    pub fn with_backoff(self, backoff: std::time::Duration) -> Self {
        Self { backoff, ..self }
    }

    /// Consumes the builder and produces a decoder with an empty key cache.
    pub fn build(self) -> RemoteJwksDecoder {
        let Self { jwks_url, cache_duration, validation, client, retry_count, backoff } = self;
        RemoteJwksDecoder {
            jwks_url,
            cache_duration,
            keys_cache: RwLock::new(Vec::new()),
            validation,
            client,
            retry_count,
            backoff,
        }
    }
}