Allow overriding the JWKURL expireTime in GraphQL Authorization schema

Report a GraphQL Bug

The JWKURL refresh is driven by a response header:

Cache-Control: max-age=$SOME_VALUE

code pointer - dgraph/auth.go at c04ce807f9399cc9d00159d54333d7a6a1de18fe · dgraph-io/dgraph · GitHub

In my case the header was returning a dynamic value that was unrelated to the TTL of the key at the JWKURL. I was able to fix the issue on my end since I owned the server in question, but I think it would be wise to add an override so it can be configured from the client side how often Dgraph refreshes the JWK

What edition and version of Dgraph are you using?

Edition:

  • SlashGraphQL
  • [x] Dgraph (community edition/Dgraph Cloud)

If you are using the community edition or enterprise edition of Dgraph, please list the version:

Dgraph Version

v22.0.0

Have you tried reproducing the issue with the latest release?

No

Steps to reproduce the issue (paste the query/schema if possible)

  1. Spin up a Vault server
  2. Enable the Identity engine
  3. Use the JWK URL of the Vault server in your Authorization config on a GraphQL schema
  4. Wait until the JWK url expires.
  5. JWT auth won’t work and will return a JWT unverified error from Dgraph

Expected behaviour and actual result.

Using the max-age of the Cache-Control seems like an arbitrary decision. I saw that Auth0 uses max-age=15 but I’m not sure where the value is coming from. I also don’t see it as part of the OIDC standard (but I only searched briefly).

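As an added example (not code from the post or from Dgraph itself), here is a small Go refresh policy of the kind the post is asking for: it still reads max-age out of Cache-Control the way the linked auth.go does, but lets an operator pin the interval with an explicit override, or clamp the header-derived value between a minimum and a maximum, and falls back to a default when the header is missing or unparseable. The type and field names (RefreshPolicy, Override, Min, Max, Default) and the sample header values are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// RefreshPolicy decides how often a JWKS endpoint is re-fetched.
// Override, when non-zero, replaces whatever Cache-Control says (the
// client-side knob the post asks for). Otherwise the header value is
// used, clamped to [Min, Max] where those are non-zero, and Default
// applies when the header carries no usable max-age.
// (Hypothetical type for this example; not Dgraph's own.)
type RefreshPolicy struct {
	Override time.Duration
	Min      time.Duration
	Max      time.Duration
	Default  time.Duration
}

// maxAgeFromCacheControl extracts the max-age directive from the
// Cache-Control header as a duration. It reports false when the header
// is absent, has no max-age, or carries a non-numeric/negative value.
func maxAgeFromCacheControl(h http.Header) (time.Duration, bool) {
	for _, v := range h.Values("Cache-Control") {
		for _, directive := range strings.Split(v, ",") {
			directive = strings.TrimSpace(directive)
			if !strings.HasPrefix(strings.ToLower(directive), "max-age=") {
				continue
			}
			n, err := strconv.Atoi(strings.TrimSpace(directive[len("max-age="):]))
			if err != nil || n < 0 {
				return 0, false
			}
			return time.Duration(n) * time.Second, true
		}
	}
	return 0, false
}

// Interval returns how long to wait before fetching the JWKS again,
// given the response headers of the last fetch.
func (p RefreshPolicy) Interval(h http.Header) time.Duration {
	if p.Override > 0 {
		return p.Override
	}
	d, ok := maxAgeFromCacheControl(h)
	if !ok {
		d = p.Default
	}
	if p.Min > 0 && d < p.Min {
		d = p.Min
	}
	if p.Max > 0 && d > p.Max {
		d = p.Max
	}
	return d
}

func main() {
	// Constructed sample headers: one modelled on the max-age=15 the post
	// observed from Auth0, one with no max-age at all.
	short := http.Header{}
	short.Set("Cache-Control", "public, max-age=15")
	none := http.Header{}
	none.Set("Cache-Control", "no-store")

	clamped := RefreshPolicy{Min: time.Minute, Max: 24 * time.Hour, Default: 5 * time.Minute}
	pinned := RefreshPolicy{Override: 10 * time.Minute}

	fmt.Println("header-driven, clamped:", clamped.Interval(short)) // 1m0s, not 15s
	fmt.Println("header missing, default:", clamped.Interval(none)) // 5m0s
	fmt.Println("explicit override:", pinned.Interval(short))        // 10m0s
}
```

The clamp is the safer default for a server: a tiny max-age from an unrelated cache layer would otherwise hammer the JWKS endpoint, and a huge one would leave a rotated key unverifiable until the next restart, which is exactly the "JWT unverified" failure the post describes. The override is for the case where the operator knows the real key rotation schedule better than the HTTP cache headers do.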