fix(secrethub): align cache headers for OIDC well-known endpoints (#705)

dexyk · web-flow · commit 22b57bf2b66a · 2025-11-10T14:24:04.000+01:00
## 📝 Description We now set a 15‑minute cache window for the JWKS well‑known endpoints and mark their responses as publicly cacheable, so clients can reuse the key set instead of re-fetching on every request. Related [task](renderedtext/tasks#8900). ## ✅ Checklist - [x] I have tested this change - [x] ~This change requires documentation update~ N/A
diff --git a/secrethub/lib/secrethub/open_id_connect/http_server.ex b/secrethub/lib/secrethub/open_id_connect/http_server.ex
@@ -55,10 +55,7 @@ defmodule Secrethub.OpenIDConnect.HTTPServer do
       configuration = openid_configuration(issuer, jwks_uri, org_id)
 
       conn
-      |> put_resp_header(
-        "cache-control",
-        "public, max-age=#{@openid_configuration_cache_max_age}, must-revalidate"
-      )
+      |> put_well_known_cache_control_header()
       |> json(200, configuration)
     end)
   end
@@ -89,15 +86,8 @@ defmodule Secrethub.OpenIDConnect.HTTPServer do
     public_keys = Secrethub.OpenIDConnect.KeyManager.public_keys(:openid_keys)
     Secrethub.OpenIDConnect.Utilization.submit_usage(conn.host)
 
-    if Secrethub.on_prem?() do
-      max_age = Secrethub.OpenIDConnect.KeyManager.cache_max_age_in_seconds()
-      cache_control_header = "max-age=#{max_age}, private, must-revalidate"
-
-      conn
-      |> put_resp_header("cache-control", cache_control_header)
-    else
-      conn
-    end
+    conn
+    |> put_well_known_cache_control_header()
     |> json(200, %{"keys" => public_keys})
   end
 
@@ -119,4 +109,16 @@ defmodule Secrethub.OpenIDConnect.HTTPServer do
 
     assign(conn, :org_username, username)
   end
+
+  defp put_well_known_cache_control_header(conn) do
+    put_resp_header(conn, "cache-control", well_known_cache_control_header())
+  end
+
+  defp well_known_cache_control_header do
+    max_age =
+      Secrethub.OpenIDConnect.KeyManager.cache_max_age_in_seconds()
+      |> max(@openid_configuration_cache_max_age)
+
+    "max-age=#{max_age}, public, must-revalidate"
+  end
 end
diff --git a/secrethub/test/secrethub/open_id_connect/http_server_test.exs b/secrethub/test/secrethub/open_id_connect/http_server_test.exs
@@ -34,7 +34,8 @@ defmodule Secrethub.OpenIDConnect.HTTPServerTest do
       {:ok, response} = request("/.well-known/openid-configuration")
 
       assert response.status_code == 200
-      assert {"cache-control", "public, max-age=900, must-revalidate"} in response.headers
+
+      assert {"cache-control", "max-age=900, public, must-revalidate"} in response.headers
 
       {:ok, body} = Poison.decode(response.body)
 
@@ -49,6 +50,8 @@ defmodule Secrethub.OpenIDConnect.HTTPServerTest do
 
       assert response.status_code == 200
 
+      assert {"cache-control", "max-age=900, public, must-revalidate"} in response.headers
+
       {:ok, body} = Poison.decode(response.body)
 
       assert body == %{"keys" => Secrethub.OpenIDConnect.KeyManager.public_keys(:openid_keys)}
@@ -59,6 +62,8 @@ defmodule Secrethub.OpenIDConnect.HTTPServerTest do
 
       assert response.status_code == 200
 
+      assert {"cache-control", "max-age=900, public, must-revalidate"} in response.headers
+
       {:ok, body} = Poison.decode(response.body)
 
       assert body == %{"keys" => Secrethub.OpenIDConnect.KeyManager.public_keys(:openid_keys)}
@@ -76,14 +81,24 @@ defmodule Secrethub.OpenIDConnect.HTTPServerTest do
       end)
     end
 
+    test "GET /.well-known/openid-configuration" do
+      {:ok, response} = request("/.well-known/openid-configuration")
+
+      assert response.status_code == 200
+
+      cache_max_age = Application.fetch_env!(:secrethub, :openid_keys_cache_max_age_in_s)
+
+      assert {"cache-control", "max-age=#{cache_max_age}, public, must-revalidate"} in response.headers
+    end
+
     test "GET /.well-known/jwks" do
       {:ok, response} = HTTPoison.get("#{@host}/.well-known/jwks")
 
       assert response.status_code == 200
 
       cache_max_age = Application.fetch_env!(:secrethub, :openid_keys_cache_max_age_in_s)
 
-      assert {"cache-control", "max-age=#{cache_max_age}, private, must-revalidate"} in response.headers
+      assert {"cache-control", "max-age=#{cache_max_age}, public, must-revalidate"} in response.headers
 
       {:ok, body} = Poison.decode(response.body)
 
@@ -97,7 +112,7 @@ defmodule Secrethub.OpenIDConnect.HTTPServerTest do
 
       cache_max_age = Application.fetch_env!(:secrethub, :openid_keys_cache_max_age_in_s)
 
-      assert {"cache-control", "max-age=#{cache_max_age}, private, must-revalidate"} in response.headers
+      assert {"cache-control", "max-age=#{cache_max_age}, public, must-revalidate"} in response.headers
 
       {:ok, body} = Poison.decode(response.body)
 
