Merge branch 'master' into Remove-Semgrep-GHA-non-EMU

Author: tanya732

.github/actions/maven-publish/action.yml

@@ -35,7 +35,7 @@ runs:
 
     - name: Publish Java Packages to Maven
       shell: bash
-      run: ./gradlew publish -PisSnapshot=false --stacktrace
+      run: ./gradlew publishToSonatype closeSonatypeStagingRepository -PisSnapshot=false --stacktrace
       env:
         JAVA_HOME: ${{ env.JAVA_HOME }}
         MAVEN_USERNAME: ${{ inputs.ossr-username }}

.version

@@ -1 +1 @@
-0.22.2
+0.23.0

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## [0.23.0](https://github.com/auth0/jwks-rsa-java/tree/0.23.0) (2025-08-11)
+[Full Changelog](https://github.com/auth0/jwks-rsa-java/compare/0.22.2...0.23.0)
+
+**Added**
+- Feat: Added Cache Implementation [\#221](https://github.com/auth0/jwks-rsa-java/pull/221) ([tanya732](https://github.com/tanya732))
+
 ## [0.22.2](https://github.com/auth0/jwks-rsa-java/tree/0.22.2) (2025-06-17)
 [Full Changelog](https://github.com/auth0/jwks-rsa-java/compare/0.22.1...0.22.2)
 

README.md

@@ -31,14 +31,14 @@ Add the dependency via Maven:
 <dependency>
   <groupId>com.auth0</groupId>
   <artifactId>jwks-rsa</artifactId>
-  <version>0.22.2</version>
+  <version>0.23.0</version>
 </dependency>
 ```
 
 or Gradle:
 
 ```gradle
-implementation 'com.auth0:jwks-rsa:0.22.2'
+implementation 'com.auth0:jwks-rsa:0.23.0'
 ```
 
 ### Usage

build.gradle

@@ -13,6 +13,7 @@ plugins {
     id 'java'
     id 'jacoco'
     id 'me.champeau.gradle.japicmp' version '0.2.9'
+    id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
 }
 
 jacoco {

gradle/maven-publish.gradle

@@ -26,21 +26,18 @@ artifacts {
 }
 
 
-final releaseRepositoryUrl = "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
-final snapshotRepositoryUrl = "https://oss.sonatype.org/content/repositories/snapshots/"
-
 publishing {
     publications {
         mavenJava(MavenPublication) {
+            from components.java
+
+            artifact sourcesJar
+            artifact javadocJar
 
             groupId = GROUP
             artifactId = POM_ARTIFACT_ID
             version = getVersionName()
 
-            artifact("$buildDir/libs/${project.name}-${version}.jar")
-            artifact sourcesJar
-            artifact javadocJar
-
             pom {
                 name = POM_NAME
                 packaging = POM_PACKAGING
@@ -68,28 +65,18 @@ publishing {
                     connection = POM_SCM_CONNECTION
                     developerConnection = POM_SCM_DEV_CONNECTION
                 }
-
-                pom.withXml {
-                    def dependenciesNode = asNode().appendNode('dependencies')
-
-                    project.configurations.implementation.allDependencies.each {
-                        def dependencyNode = dependenciesNode.appendNode('dependency')
-                        dependencyNode.appendNode('groupId', it.group)
-                        dependencyNode.appendNode('artifactId', it.name)
-                        dependencyNode.appendNode('version', it.version)
-                    }
-                }
             }
         }
     }
+}
+
+nexusPublishing {
     repositories {
-        maven {
-            name = "sonatype"
-            url = version.endsWith('SNAPSHOT') ? snapshotRepositoryUrl : releaseRepositoryUrl
-            credentials {
-                username = System.getenv("MAVEN_USERNAME")
-                password = System.getenv("MAVEN_PASSWORD")
-            }
+        sonatype {
+            nexusUrl.set(uri('https://ossrh-staging-api.central.sonatype.com/service/local/'))
+            snapshotRepositoryUrl.set(uri('https://central.sonatype.com/repository/maven-snapshots/'))
+            username.set(System.getenv("MAVEN_USERNAME"))
+            password.set(System.getenv("MAVEN_PASSWORD"))
         }
     }
 }

src/main/java/com/auth0/jwk/UrlJwkProvider.java

@@ -6,10 +6,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.*;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * Jwk provider that loads them from a {@link URL}
@@ -20,6 +18,8 @@ public class UrlJwkProvider implements JwkProvider {
     @VisibleForTesting
     static final String WELL_KNOWN_JWKS_PATH = "/.well-known/jwks.json";
 
+    private final AtomicReference<List<Jwk>> cachedJwks = new AtomicReference<>();
+
     final URL url;
     final Proxy proxy;
     final Map<String, String> headers;
@@ -103,6 +103,11 @@ public UrlJwkProvider(String domain) {
         this(urlForDomain(domain));
     }
 
+    @VisibleForTesting
+    void setCachedJwks(List<Jwk> jwks) {
+        this.cachedJwks.set(jwks);
+    }
+
     static URL urlForDomain(String domain) {
         Util.checkArgument(!Util.isNullOrEmpty(domain), "A domain is required");
 
@@ -158,19 +163,56 @@ public List<Jwk> getAll() throws SigningKeyNotFoundException {
         return jwks;
     }
 
-    @Override
-    public Jwk get(String keyId) throws JwkException {
-        final List<Jwk> jwks = getAll();
+    private List<Jwk> getCachedJwks() throws JwkException {
+        List<Jwk> jwks = cachedJwks.get();
+        if (jwks == null) {
+            synchronized (this) {
+                jwks = cachedJwks.get();
+                if (jwks == null) {
+                    jwks = getAll();
+                    cachedJwks.set(jwks);
+                }
+            }
+        }
+        return jwks;
+    }
+
+    private Optional<Jwk> findKey(String keyId) throws JwkException {
+        List<Jwk> jwks = getCachedJwks();
+        Optional<Jwk> foundKey = searchKey(jwks, keyId);
+        if (foundKey.isPresent()) {
+            return foundKey;
+        }
+
+        // Key not found — refreshing JWKS from remote
+        synchronized (this) {
+            List<Jwk> freshJwks = getAll();
+            cachedJwks.set(freshJwks);
+
+            return searchKey(freshJwks, keyId);
+        }
+    }
+
+    private Optional<Jwk> searchKey(List<Jwk> jwks, String keyId) {
         if (keyId == null && jwks.size() == 1) {
-            return jwks.get(0);
+            return Optional.of(jwks.get(0));
         }
         if (keyId != null) {
             for (Jwk jwk : jwks) {
                 if (keyId.equals(jwk.getId())) {
-                    return jwk;
+                    return Optional.of(jwk);
                 }
             }
         }
-        throw new SigningKeyNotFoundException("No key found in " + url.toString() + " with kid " + keyId, null);
+        return Optional.empty();
+    }
+
+    @Override
+    public Jwk get(String keyId) throws JwkException {
+
+        return findKey(keyId).orElseThrow(() ->
+                new SigningKeyNotFoundException("No key found in " + url.toString() + " with kid " + keyId, null)
+        );
+
     }
 }

src/test/java/com/auth0/jwk/UrlJwkProviderTest.java

@@ -12,7 +12,9 @@
 import java.lang.ref.WeakReference;
 import java.net.*;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import static com.auth0.jwk.UrlJwkProvider.WELL_KNOWN_JWKS_PATH;
 import static org.hamcrest.Matchers.*;
@@ -272,6 +274,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         UrlJwkProvider urlJwkProvider = new UrlJwkProvider(url, connectTimeout, readTimeout);
         assertThat(urlJwkProvider.proxy, is(nullValue()));
 
+        urlJwkProvider.setCachedJwks(null);
         Jwk jwk = urlJwkProvider.get("NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg");
         assertNotNull(jwk);
         assertThat(mockFactory.urlUsed.get(), is(url));
@@ -280,6 +283,8 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         // Test creation: custom headers
         UrlJwkProvider urlJwkProviderWithHeaders = new UrlJwkProvider(url, connectTimeout, readTimeout, null,
             Collections.singletonMap("Accept", "application/jwks-set+json"));
+
+        urlJwkProvider.setCachedJwks(null); // <-- force fetch
         Jwk hJwk = urlJwkProviderWithHeaders.get("NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg");
         assertNotNull(hJwk);
         assertThat(mockFactory.urlUsed.get(), is(url));
@@ -291,6 +296,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         UrlJwkProvider pUrlJwkProvider = new UrlJwkProvider(pUrl, connectTimeout, readTimeout, proxy);
         assertThat(pUrlJwkProvider.proxy, is(proxy));
 
+        urlJwkProvider.setCachedJwks(null); // <-- force fetch
         Jwk pJwk = pUrlJwkProvider.get("NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg");
         assertNotNull(pJwk);
         assertThat(mockFactory.urlUsed.get(), is(pUrl));
@@ -317,6 +323,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         try {
             IOException exception = mock(IOException.class);
             when(urlConnection.getInputStream()).thenThrow(exception);
+            urlJwkProvider.setCachedJwks(null); // <-- force fetch
             urlJwkProvider.get("NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg");
         } catch (Exception e) {
             capturedException = e;
@@ -328,4 +335,73 @@ public Object answer(InvocationOnMock invocation) throws Throwable {
         //release
         mockFactory.clear();
     }
+
+    @Test
+    public void shouldCacheJwksAfterFirstFetch() throws Exception {
+        URL url = getClass().getResource("/jwks.json");
+        UrlJwkProvider provider = spy(new UrlJwkProvider(url));
+
+        Jwk firstJwk = provider.get(KID);
+        assertNotNull(firstJwk);
+
+        Jwk secondJwk = provider.get(KID);
+        assertNotNull(secondJwk);
+
+        verify(provider, times(1)).getAll();
+    }
+
+    @Test
+    public void shouldRefreshCacheIfKeyNotFound() throws Exception {
+        URL url = getClass().getResource("/jwks.json");
+        UrlJwkProvider provider = spy(new UrlJwkProvider(url));
+
+        // Pre-load a cache with an invalid key (simulate wrong cache)
+        Map<String, Object> jwkValues = new HashMap<>();
+        jwkValues.put("kid", "wrong-kid");
+        jwkValues.put("kty", "RSA");
+        jwkValues.put("alg", "RS256");
+        jwkValues.put("use", "sig");
+        jwkValues.put("n", "test-modulus");
+        jwkValues.put("e", "AQAB");
+
+        List<Jwk> wrongJwks = Collections.singletonList(Jwk.fromValues(jwkValues));
+
+        provider.setCachedJwks(wrongJwks);
+
+        // Call with correct key - should miss cache, then refresh
+        Jwk actualJwk = provider.get(KID);
+        assertNotNull(actualJwk);
+
+        verify(provider, times(1)).getAll();
+    }
+
+    @Test
+    public void shouldFailIfKeyNotFoundEvenAfterRefresh() throws Exception {
+        expectedException.expect(SigningKeyNotFoundException.class);
+
+        URL url = getClass().getResource("/jwks.json");
+        UrlJwkProvider provider = spy(new UrlJwkProvider(url));
+
+        // Set empty cache
+        provider.setCachedJwks(Collections.emptyList());
+
+        // Call with missing key — should refresh, but still fail
+        provider.get("wrong-kid");
+
+        verify(provider, times(1)).getAll(); // Only one refresh
+    }
+
+    @Test
+    public void shouldFetchIfCacheIsNull() throws Exception {
+        UrlJwkProvider provider = spy(new UrlJwkProvider(getClass().getResource("/jwks.json")));
+
+        // Ensure cache is unset (null)
+        provider.setCachedJwks(null);
+
+        Jwk jwk = provider.get(KID);
+        assertNotNull(jwk);
+
+        verify(provider, atLeastOnce()).getAll(); // Should definitely be called
+    }
+
 }