Correct exception thrown when JWK not found

zvonand · zvonand · commit d7c8c372997e · 2025-12-04T16:33:05.000+01:00
diff --git a/src/Access/Common/JWKSProvider.cpp b/src/Access/Common/JWKSProvider.cpp
@@ -25,11 +25,8 @@ JWKSType JWKSClient::getJWKS()
     auto now = std::chrono::high_resolution_clock::now();
     auto diff = std::chrono::duration<double>(now - last_request_send).count();
 
-    if (diff < refresh_timeout)
-    {
-        jwt::jwks <jwt::traits::kazuho_picojson> result(cached_jwks);
-        return result;
-    }
+    if (diff < refresh_timeout && cached_jwks.has_value())
+        return cached_jwks.value();
 
     Poco::Net::HTTPResponse response;
     std::string response_string;
@@ -70,7 +67,7 @@ JWKSType JWKSClient::getJWKS()
     }
 
     cached_jwks = std::move(parsed_jwks);
-    return cached_jwks;
+    return cached_jwks.value();
 }
 
 StaticJWKSParams::StaticJWKSParams(const std::string & static_jwks_, const std::string & static_jwks_file_)
diff --git a/src/Access/Common/JWKSProvider.h b/src/Access/Common/JWKSProvider.h
@@ -43,7 +43,7 @@ class JWKSClient : public IJWKSProvider
     Poco::URI jwks_uri;
 
     std::shared_mutex mutex;
-    JWKSType cached_jwks;
+    std::optional<JWKSType> cached_jwks;
     std::chrono::time_point<std::chrono::high_resolution_clock> last_request_send;
 };
 
diff --git a/src/Access/TokenProcessorsJWT.cpp b/src/Access/TokenProcessorsJWT.cpp
@@ -334,6 +334,9 @@ bool JwksJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const
         return false;
     }
 
+    if (!provider->getJWKS().has_jwk(decoded_jwt.get_key_id()))
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "JWKS error: no JWK found for JWT");
+
     auto jwk = provider->getJWKS().get_jwk(decoded_jwt.get_key_id());
     auto username = decoded_jwt.get_payload_claim(username_claim).as_string();
 
diff --git a/src/Access/TokenProcessorsParse.cpp b/src/Access/TokenProcessorsParse.cpp
@@ -45,7 +45,7 @@ std::unique_ptr<DB::ITokenProcessor> ITokenProcessor::parseTokenProcessor(
         if (externally_configured && ! locally_configured)
         {
             return std::make_unique<OpenIdTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,
-                                                          config.getString(prefix + ".openid_config_endpoint"),
+                                                          config.getString(prefix + ".configuration_endpoint"),
                                                           verifier_leeway,
                                                           jwks_cache_lifetime);
         }

Original file line number	Diff line number	Diff line change
`@@ -334,6 +334,9 @@ bool JwksJwtProcessor::resolveAndValidate(TokenCredentials & credentials) const`
`334`	`334`	`return false;`
`335`	`335`	`}`
`336`	`336`
	`337`	`+ if (!provider->getJWKS().has_jwk(decoded_jwt.get_key_id()))`
	`338`	`+ throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "JWKS error: no JWK found for JWT");`
	`339`	`+`
`337`	`340`	`auto jwk = provider->getJWKS().get_jwk(decoded_jwt.get_key_id());`
`338`	`341`	`auto username = decoded_jwt.get_payload_claim(username_claim).as_string();`
`339`	`342`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ std::unique_ptr<DB::ITokenProcessor> ITokenProcessor::parseTokenProcessor(`
`45`	`45`	`if (externally_configured && ! locally_configured)`
`46`	`46`	`{`
`47`	`47`	`return std::make_unique<OpenIdTokenProcessor>(processor_name, token_cache_lifetime, username_claim, groups_claim,`
`48`		`- config.getString(prefix + ".openid_config_endpoint"),`
	`48`	`+ config.getString(prefix + ".configuration_endpoint"),`
`49`	`49`	`verifier_leeway,`
`50`	`50`	`jwks_cache_lifetime);`
`51`	`51`	`}`