jwt_authn: adjust remote_jwks.async_fetch refetch timer (#24035)

This is just an improvement to the async_fetch feature of remote jwks.

* For a successful fetch, adjust its re_fetch time to be the jwks_cache_duration - 5s. This is to avoid triggering on-demand fetching. During authentication, if jwks is not fetched, or is expired, it will trigger an on-demand fetching. If async_fetch can refetch the jwks a little bit earlier, it will avoid the on-demand fetch.

* For a failed fetch, trigger a re_fetch after 1 second. Getting jwks is important. We should keep retrying. This retrying is after [remote_jwks.retry_policy](https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto#L366).

Risk Level: Low, added more frequent refetching for a failed remote jwks uri.
Testing: unit-tested
Docs Changes: None
Release Notes: Yes

Signed-off-by: Wayne Zhang <qiwzhang@google.com>
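The two timers described in the commit message are driven by fields of `remote_jwks`. The configuration below is an added illustration, not part of this commit or of the Envoy repository: a `jwt_authn` provider whose JWKS is fetched asynchronously, with the cache duration set explicitly and the new `failed_refetch_duration` set to the 1s default the message describes. The field names `http_uri`, `cache_duration`, `fast_listener` and `failed_refetch_duration` appear in the diff; the surrounding `providers`/`issuer`/`remote_jwks`/`async_fetch`/`retry_policy` layout, the cluster name and the URL are assumptions about the filter's config shape and are constructed for the example.

```yaml
# Added example (not from the commit): jwt_authn provider using async JWKS fetch.
# Cluster name, issuer and URL are placeholders.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:
        issuer: https://issuer.example.invalid
        remote_jwks:
          http_uri:
            uri: https://issuer.example.invalid/.well-known/jwks.json
            cluster: jwks_cluster        # assumed cluster name
            timeout: 5s
          # Successful async fetches are re-scheduled at cache_duration - 5s,
          # so a valid key set is normally in place before this expiry is hit
          # and no request has to pay for an on-demand fetch.
          cache_duration: 600s
          async_fetch:
            # false: listener waits for the first JWKS fetch to complete,
            # so no request is evaluated without a key set.
            fast_listener: false
            # Applied after retry_policy is exhausted; 1s is the documented default.
            failed_refetch_duration: 1s
          retry_policy:                  # assumed field shape (config.core.v3.RetryPolicy)
            num_retries: 3
```

With `fast_listener: false` and a JWKS endpoint that is unreachable at startup, the listener stays inactive and the filter keeps retrying every `failed_refetch_duration`; operators who want the listener up regardless set `fast_listener: true` and accept that requests arriving before the first successful fetch trigger on-demand fetching.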

Mirrored from https://github.com/envoyproxy/envoy @ 4e40d6ad5f98cd3c86f1398bb8990b1d88bdfe92
pull/626/head
data-plane-api (Azure Pipelines) 2 years ago
parent cefb3cfe66
commit 538afbe766
1 file changed (5 lines): envoy/extensions/filters/http/jwt_authn/v3/config.proto

@ -314,7 +314,7 @@ message RemoteJwks {
config.core.v3.HttpUri http_uri = 1;
// Duration after which the cached JWKS should be expired. If not specified, default cache
// duration is 5 minutes.
// duration is 10 minutes.
google.protobuf.Duration cache_duration = 2;
// Fetch Jwks asynchronously in the main thread before the listener is activated.
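Review bot: the doc comment for `cache_duration` changes its stated default from 5 minutes to 10 minutes, but the commit message only describes the refetch timers and never mentions a default change, while also stating "Docs Changes: None". Either this line documents a default the filter already applies, in which case the description should say so, or the effective default is changing, in which case it belongs in the description and the release note: the cache duration bounds how long a key set that the issuer has since rotated remains trusted, so doubling it is a security-relevant behaviour change and should not be silent.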
@ -376,6 +376,9 @@ message JwksAsyncFetch {
// If true, it is activated without waiting for the initial fetch to complete.
// Default is false.
bool fast_listener = 1;
// The duration to refetch after a failed fetch. If not specified, default is 1 second.
google.protobuf.Duration failed_refetch_duration = 2;
}
// This message specifies a header location to extract JWT token.
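Review bot: the comment on `failed_refetch_duration` should state its relation to `remote_jwks.retry_policy`, since the commit message says this refetch only starts once the retry policy is exhausted; as written a reader cannot tell whether the two overlap. Also consider a validation constraint requiring a positive value: a zero duration would make the filter re-fetch in a tight loop against an endpoint that is already failing, and a fixed 1s interval with no backoff deserves a sentence in the comment about the load it puts on the JWKS server during a sustained outage. Suggested wording for the comment: "The duration to wait before refetching after a failed fetch, applied after retry_policy (if any) is exhausted. Must be positive. If not specified, default is 1 second."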
