```c
settings->path = "/gateway/api/v1/auth/keys/public/current";
```
This line is the URL used to get the JWK from APIML that validates its JWTs that come in on requests to ZSS.
I just found out that /current lists the currently used JWK, but /all can show others, and /current can change over time.
In the case of z/OSMF, I'm told the JWK is derived from z/OSMF's keyring, such that if there are multiple z/OSMFs with different keyrings, or if the keyring changes without restarting Zowe, it's possible for ZSS to not recognize a JWT as valid due to it not knowing the right JWK to do validation with.
It seems that we need to change JWK retrieval. Two thoughts:
- get /all, and stash the result
- upon a JWT failing verification, this could be a signal that we're using the wrong JWK, and should query APIML again to get a new one. I think this turns a currently synchronous verification process into an async one, so I don't know how to go about this.
Reference: zss/c/zss.c, line 1014 at commit 126535c