Report a GraphQL Bug
The JWKURL refresh is driven by a response header:
Cache-Control: max-age=$SOME_VALUE
Code pointer: dgraph/auth.go at c04ce807f9399cc9d00159d54333d7a6a1de18fe (dgraph-io/dgraph on GitHub)
In my case the header was returning a dynamic value that was unrelated to the TTL of the key at the JWKURL. I was able to fix the issue on my end since I owned the server in question, but I think it would be wise to add an override so it can be configured from the client side how often Dgraph refreshes the JWK
What edition and version of Dgraph are you using?
Edition:
- SlashGraphQL
- [x] Dgraph (community edition/Dgraph Cloud)
If you are using the community edition or enterprise edition of Dgraph, please list the version:
Dgraph Version
v22.0.0
Have you tried reproducing the issue with the latest release?
No
Steps to reproduce the issue (paste the query/schema if possible)
- Spin up a Vault server
- Enable the Identity engine
- Use the JWK url of the Vault server in your Authorization config on a GraphQL schema
- Wait until the JWK url expires.
- JWT auth won’t work and will return a JWT unverified error from Dgraph
Expected behaviour and actual result.
Using the max-age of the Cache-Control seems like an arbitrary decision. I saw that Auth0 uses max-age=15 but I’m not sure where the value is coming from. I also don’t see it as part of the OIDC standard (but I only searched briefly).
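Added example, not Dgraph's code: a Go helper showing how a JWK refresh interval could be derived from the Cache-Control max-age described above, with the client-side override the post asks for plus floor/ceiling bounds so a dynamic or missing header cannot stall refreshes or make them constant. RefreshPolicy, RefreshInterval and maxAgeFromCacheControl are hypothetical names.

```go
package main

import (
	"strconv"
	"strings"
	"time"
)

// RefreshPolicy is operator-side configuration (hypothetical names). Override,
// when set, replaces what the JWK endpoint advertises; MinInterval/MaxInterval
// clamp a header-derived value so a dynamic or missing header cannot misbehave.
type RefreshPolicy struct {
	Override, MinInterval, MaxInterval time.Duration
}

// maxAgeFromCacheControl extracts max-age from a Cache-Control value. ok is
// false when the directive is absent or malformed, or when any directive
// says no-store/no-cache (the response must not be cached at all).
func maxAgeFromCacheControl(header string) (time.Duration, bool) {
	var age time.Duration
	found := false
	for _, dir := range strings.Split(header, ",") {
		dir = strings.TrimSpace(strings.ToLower(dir))
		if dir == "no-store" || dir == "no-cache" {
			return 0, false // overrides any max-age in the same header
		}
		if strings.HasPrefix(dir, "max-age=") {
			secs, err := strconv.Atoi(strings.TrimPrefix(dir, "max-age="))
			if err != nil || secs < 0 {
				return 0, false
			}
			age, found = time.Duration(secs)*time.Second, true
		}
	}
	return age, found
}

// RefreshInterval picks the wait before re-fetching the JWK set: the override
// wins, else the header value clamped to [Min, Max], else MinInterval.
func (p RefreshPolicy) RefreshInterval(cacheControl string) time.Duration {
	if p.Override > 0 {
		return p.Override
	}
	iv, ok := maxAgeFromCacheControl(cacheControl)
	if !ok || iv < p.MinInterval {
		return p.MinInterval
	}
	if iv > p.MaxInterval {
		return p.MaxInterval
	}
	return iv
}
```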