jwk_uri property is now mandatory in v1.12.1, breaking backward compatibility

[ysknkd]

It appears that since version v1.12.1, the jwk_uri property has become a mandatory requirement. As a result, AuthZpeClient can no longer be used if this property is not configured.

To the best of my knowledge, in v1.11.x, this property was not required for AuthZpeClient to function. This change in behavior introduces a backward compatibility issue.

athenz/clients/java/zpe/src/main/java/com/yahoo/athenz/zpe/AuthZpeClient.java

Lines 202 to 205 in 346e225

	String serverUrl = System.getProperty(ZpeConsts.ZPE_PROP_JWK_URI);
	if (serverUrl == null || serverUrl.isEmpty()) {
	throw new IllegalArgumentException("Missing required property: " + ZpeConsts.ZPE_PROP_JWK_URI);
	}

Would it be possible to consider modifying the logic? For instance, with a change like the following:

    public static void initializeAccessTokenSignKeyResolver() {
        final String keyPath = System.getProperty(ZpeConsts.ZPE_PROP_JWK_PRIVATE_KEY_PATH);
        final String certPath = System.getProperty(ZpeConsts.ZPE_PROP_JWK_X509_CERT_PATH);
        SSLContext sslContext = null;
        if (keyPath != null && !keyPath.isEmpty() && certPath != null && !certPath.isEmpty()) {
            try {
                KeyRefresher keyRefresher = Utils.generateKeyRefresher(null, certPath, keyPath);
                keyRefresher.startup();
                sslContext = Utils.buildSSLContext(keyRefresher.getKeyManagerProxy(),
                        keyRefresher.getTrustManagerProxy());
            } catch (Exception ex) {
                LOG.error("Unable to initialize key refresher: {}", ex.getMessage());
            }
        }

        // 
        // setAccessTokenSignKeyResolver should only be executed when jwk_uri is configured.
        // 
        String serverUrl = System.getProperty(ZpeConsts.ZPE_PROP_JWK_URI);
        if (serverUrl != null && !serverUrl.isEmpty()) {
            setAccessTokenSignKeyResolver(serverUrl, sslContext);
            setMillisBetweenZtsCalls(Long.parseLong(System.getProperty(ZPE_PROP_MILLIS_BETWEEN_ZTS_CALLS, Long.toString(30 * 1000 * 60))));
        }
    }

[havetisyan]

Yes, that's part of the 1.12.x release which is a major release and as such there will be breaking changes. We also removed quite a few deprecated methods as well part of that part major release. For jjwt processing, we moved from jjwt to nimbus.

The problem with jwt validation without the jwk-uri is that whenever you rotate the key used to sign token, all clients break unless they have access to the corresponding public key and with the use of jwk uri, the library can just automatically fetch the key from ZTS and not fail.

What is your use case that you don't want this? Don't you guys periodically rotate your keys?

[ysknkd]

We do not think this feature is unnecessary. On the contrary, we believe the functionality to set a JWK URI for periodic key rotation is essential when using Access Tokens. We are in complete agreement on that point.

The challenges we are facing are as follows:

• There are still many users who rely on Role Token. This change has become an obstacle for them to simply upgrade the library.
• Because the jwk_uri check and the call to setAccessTokenSignKeyResolver are performed within a static initializer, it is difficult to set the system property from a wrapper class before that logic executes.