Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This pull request addresses the issue of unnecessary OIDC discovery calls when token validation fails due to common errors like expired tokens or malformed tokens. The previous implementation triggered an OIDC request to Keycloak under various error conditions, which may not always be necessary.
Previous Implementation
The middleware previously made OIDC requests for the following error conditions:
Error Conditions
InvalidToken: Token doesn't have a valid JWT shape.
InvalidSignature: Signature doesn't match.
InvalidEcdsaKey: Secret is not a valid ECDSA key.
InvalidRsaKey: Secret is not a valid RSA key.
RsaFailedSigning: Failed signing with the given key.
InvalidAlgorithmName: Algorithm name mismatch.
InvalidKeyFormat: Key provided in an invalid format.
MissingRequiredClaim: Required claim not present.
ExpiredSignature: Token's exp claim indicates expiration.
InvalidIssuer: Token’s iss claim does not match the expected issuer.
InvalidAudience: Token’s aud claim does not match expected values.
InvalidSubject: Token’s sub claim does not match expected values.
ImmatureSignature: Token’s nbf claim is in the future.
InvalidAlgorithm: Algorithm mismatch in header or key.
MissingAlgorithm: Validation struct lacks algorithms.
Base64: Error decoding base64 text.
Json: Serialization/deserialization error.
Utf8: Invalid UTF-8 text.
Crypto: Unspecified crypto error.
Proposed Changes
The OIDC discovery should only occur for error conditions where it can potentially resolve the issue:
By refining these conditions, we reduce unnecessary load on both our system and the Keycloak server.