Skip to content
This repository has been archived by the owner on Dec 20, 2019. It is now read-only.

zalando-stups/planb-tokeninfo

Repository files navigation

Plan B Token Info Service

image

image

image

Documentation Status

Lightweight service providing an OAuth 2 token info HTTP endpoint to validate JWT tokens issued by the Plan B OpenID Connect Provider.

Current features:

  • Download public keys (set of JWKs) from OpenID provider
  • Verify signed JWT tokens using the right public key (identified by "kid" JOSE header)
  • Proxy to upstream tokeninfo for non-JWT tokens and cache the response
  • Download revocation lists from Plan B Revocation Service
  • Deny JWT tokens matching any revocation list

More information is available in our Plan B Documentation.

Building

Requires Go 1.5 or higher.

Running

Now we can test our token info endpoint with a valid JWT access token:

Running with Docker:

Configuration

The following environment variables are supported:

OPENID_PROVIDER_CONFIGURATION_URL

URL of the OpenID Connect configuration discovery document containing the jwks_uri which points to a set of JWKs.

OPENID_PROVIDER_REFRESH_INTERVAL

The OpenID Connect configuration refresh interval. See Time based settings

UPSTREAM_TOKENINFO_URL

URL of upstream OAuth 2 token info for non-JWT Bearer tokens. Optional.

UPSTREAM_CACHE_MAX_SIZE

Maximum number of entries for upstream token cache. It defaults to 10000.

UPSTREAM_CACHE_TTL

The TTL for upstream token cache entries. It defaults to 60 seconds. Zero will disable the cache. See also Time based settings

REVOCATION_PROVIDER_URL

URL of of the Revocation service.

REVOCATION_PROVIDER_REFRESH_INTERVAL

Refresh interval for polling the Revocation service. See Time based settings

REVOCATION_REFRESH_TOLERANCE

Amount of time to account for network latencies when polling the revocation service. Default is 60 seconds. See Time based settings

REVOCATION_CACHE_TTL

The TTL for Revocation cache entries. Default is 30 days. See Time based settings

REVOCATION_HASHING_SALT

Shared salt with Revocation service. Used for comparing hashed tokens from the Revocation service.

LISTEN_ADDRESS

The address for the application listener. It defaults to ':9021'

METRICS_LISTEN_ADDRESS

The address for the metrics listener. Should be different from the application listener. It defaults to ':9020'

HTTP_CLIENT_TIMEOUT

The timeout for the default HTTP client. See Time based settings

HTTP_CLIENT_TLS_TIMEOUT

The timeout for the default HTTP client when using TLS. See Time based settings

Time based settings

Some of the above settings accept time based definitions. Those definitions can be specified as a string that can be understood by time.ParseDuration(). For ex., '10s' for 10 seconds, '1h10m' for 1 hour and 10 minutes, '100ms' for 100 milliseconds. A simple numeric value is interpreted as Seconds. For ex., '30' is interpreted as 30 seconds.

Metrics

Metrics are exposed by default on port 9020 "/metrics". They include:

planb.openidprovider.numkeys

Number of public keys in memory.

planb.tokeninfo.proxy

Timer for the proxy handler (includes cached results and upstream calls).

planb.tokeninfo.proxy.cache.hits

Number of upstream cache hits.

planb.tokeninfo.proxy.cache.misses

Number of upstream cache misses.

planb.tokeninfo.proxy.cache.expirations

Number of upstream cache misses because of expiration.

planb.tokeninfo.proxy.upstream

Timer for calls to the upstream tokeninfo. Cached responses are not measured here.

Releases

No releases published

Packages

No packages published