JWK Auth Middleware (built-in) - Documentation, caching, and usage with Cloudflare Workers

[joshkitt]

The JWK Auth Middleware looks really useful. Is there more detailed documentation somewhere? In Cloudflare Workers, at least, It looks like it doesn't cache the JWKS and fetches the JWKS URL on every request. Does it support caching the JWKS keys and calling the URL if it handles a request with a JWT that uses a key not found in the cache? Is is meant to work in Cloudflare Workers? Thanks.
https://hono.dev/docs/middleware/builtin/jwk

[johnbaro]

@joshkitt, while I'm not an expert I'll add what I can.

I don't believe it caches the JWKS keys in any way out of the box.

I've enabled caching in my environment by providing function to read the keys from KV (could be durable objects, R2 or any other storage), see end.

This has the downside of not proactively detecting key errors and getting a new version though, it would be better to detect the key is missing and then cache a new one.

I have control over key rotation though, so can coordinate that on my end.

app.use('*', async (c, next) => {

    const mw = jwk({
        keys: () => getJwks(c)
    })

    return mw(c, next)
});

async function getJwks(c: Context<{ Bindings: Bindings }>): Promise<HonoJsonWebKey[]> {
    const jKey = 'jwks';
    const jUrlKey = 'jwks_url';

    console.info(`Fetching JWKS from cache. url: ${c.env.JWKS_URL}`);
    
    const existingUrl = await c.env.KV.get(jUrlKey);
    let jwks = existingUrl === c.env.JWKS_URL ? await c.env.KV.get(jKey) : null;
    if (!jwks) {
        const fetchUrl = c.env.JWKS_URL;
        console.info(`Fetching JWKS from ${fetchUrl}`);
        const response = await fetch(fetchUrl);
        if (!response.ok) {
            throw new Error(`Failed to fetch JWKS from ${fetchUrl}. error: ${response.statusText}`);
        }
        jwks = await response.text();
        await c.env.KV.put(jKey, jwks);
        await c.env.KV.put(jUrlKey, c.env.JWKS_URL);
    }
    const keys = JSON.parse(jwks).keys;
    console.debug(`JWKS result. keys: ${JSON.stringify(keys)}`);
    return keys;
}