Add Details to JWT Authentication Document About JWKS Background Reloading #3703
Conversation
🔍 Preview links for changed docs |
jfreden
left a comment
jfreden
left a comment
There was a problem hiding this comment.
This is the Elasticsearch PR for anyone on the docs team that is reviewing: elastic/elasticsearch#136996
LGTM but probably good to have someone from the docs team review too.
We should also wait for the ES PR to be merged before merging this.
| : The file name or URL to a JSON Web Key Set (JWKS) with the public key material that the JWT Realm uses for verifying token signatures. A value is considered a file name if it does not begin with `https`. The file name is resolved relative to the {{es}} configuration directory. If a URL is provided, then it must begin with `https://` (`http://` is not supported). {{es}} automatically caches the JWK set and will attempt to refresh the JWK set upon signature verification failure, as this might indicate that the JWT Provider has rotated the signing keys. | ||
| : The file name or URL to a JSON Web Key Set (JWKS) with the public key material that the JWT Realm uses for verifying token signatures. A value is considered a file name if it does not begin with `https`. The file name is resolved relative to the {{es}} configuration directory. If a URL is provided, then it must begin with `https://` (`http://` is not supported). {{es}} automatically caches the JWK set and will attempt to refresh the JWK set upon signature verification failure, as this might indicate that the JWT Provider has rotated the signing keys. Background JWKS reloading can also be configured with the setting `pkc_jwkset_reload.enabled`. | ||
|
|
||
| `pkc_jwkset_reload.enabled` |
There was a problem hiding this comment.
Would be good with a sentence on why this is useful. Something like:
When your JWT provider regularly rotates signing keys, JWKS background reloading can be enabled to proactively fetch updated keys rather than waiting for a signature verification failure.
|
@ebarlas, @shainaraskas pointed out to me that these settings should also be added to the Elasticsearch reference docs, I think on this page (docs source is here). These should probably be included in your associated code PR. We'll also need "applies to" tags for each setting. I've added comment for that. |
|
Looks perfect now @ebarlas! 🙏 |
…KS) background reloading feature.
Co-authored-by: David Kilfoyle <[email protected]>
Co-authored-by: David Kilfoyle <[email protected]>
Co-authored-by: David Kilfoyle <[email protected]>
Co-authored-by: David Kilfoyle <[email protected]>
Co-authored-by: David Kilfoyle <[email protected]>
ebarlas
force-pushed
the
jwt-jwks-reloading
branch
from
9156e13 to
8831a42
Compare
4 participants
A new JSON Web Key Set (JWKS) background reloading feature is being added to the JWT Realm in Elasticsearch.
This documentation change briefly outlines the capability and the four new settings for configuring it.
pkc_jwkset_reload.enabled- Enable/disable automatic reloading (default: false)pkc_jwkset_reload.file_interval- File check interval (default: 5 minutes)pkc_jwkset_reload.url_interval_min- Minimum URL reload interval (default: 60 minutes)pkc_jwkset_reload.url_interval_max- Maximum URL reload interval (default: 5 days)