vault: refresh jwks in background

prashantkumar1982 · prashantkumar1982 · commit 72f03839ae96 · 2026-04-02T09:20:44.000-07:00
diff --git a/core/capabilities/vault/gw_handler.go b/core/capabilities/vault/gw_handler.go
@@ -80,6 +80,7 @@ type GatewayHandler struct {
 	secretsService   vaulttypes.SecretsService
 	gatewayConnector gatewayConnector
 	authorizer       Authorizer
+	jwtAuthService   services.Service
 	lggr             logger.Logger
 	metrics          *metrics
 }
@@ -97,11 +98,12 @@ func NewGatewayHandler(secretsService vaulttypes.SecretsService, connector gatew
 			return nil, fmt.Errorf("failed to create JWTBasedAuth: %w", err)
 		}
 		cfg.authorizer = NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)
+		return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, jwtBasedAuth, lggr)
 	}
-	return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, lggr)
+	return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, nil, lggr)
 }
 
-func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, connector gatewayConnector, authorizer Authorizer, lggr logger.Logger) (*GatewayHandler, error) {
+func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, connector gatewayConnector, authorizer Authorizer, jwtAuthService services.Service, lggr logger.Logger) (*GatewayHandler, error) {
 	metrics, err := newMetrics()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create metrics: %w", err)
@@ -111,6 +113,7 @@ func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, c
 		secretsService:   secretsService,
 		gatewayConnector: connector,
 		authorizer:       authorizer,
+		jwtAuthService:   jwtAuthService,
 		lggr:             lggr.Named(HandlerName),
 		metrics:          metrics,
 	}
@@ -123,17 +126,26 @@ func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, c
 }
 
 func (h *GatewayHandler) start(ctx context.Context) error {
+	if h.jwtAuthService != nil {
+		if err := h.jwtAuthService.Start(ctx); err != nil {
+			return fmt.Errorf("failed to start JWTBasedAuth: %w", err)
+		}
+	}
 	if gwerr := h.gatewayConnector.AddHandler(ctx, h.Methods(), h); gwerr != nil {
 		return fmt.Errorf("failed to add vault handler to connector: %w", gwerr)
 	}
 	return nil
 }
 
 func (h *GatewayHandler) close() error {
+	var jwtAuthErr error
+	if h.jwtAuthService != nil {
+		jwtAuthErr = h.jwtAuthService.Close()
+	}
 	if gwerr := h.gatewayConnector.RemoveHandler(context.Background(), h.Methods()); gwerr != nil {
-		return fmt.Errorf("failed to remove vault handler from connector: %w", gwerr)
+		return errors.Join(fmt.Errorf("failed to remove vault handler from connector: %w", gwerr), jwtAuthErr)
 	}
-	return nil
+	return jwtAuthErr
 }
 
 func (h *GatewayHandler) ID(ctx context.Context) (string, error) {
diff --git a/core/capabilities/vault/jwt_based_auth.go b/core/capabilities/vault/jwt_based_auth.go
@@ -18,6 +18,7 @@ import (
 
 	jsonrpc "github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
+	"github.com/smartcontractkit/chainlink-common/pkg/services"
 	"github.com/smartcontractkit/chainlink-common/pkg/settings/cresettings"
 	"github.com/smartcontractkit/chainlink-common/pkg/settings/limits"
 )
@@ -75,11 +76,15 @@ type jsonWebKeySet struct {
 //
 // Reference: cre-platform-graphql/internal/auth/jwt_auth0.go
 type jwtBasedAuth struct {
+	services.Service
+	eng *services.Engine
+
 	issuerURL       string
 	audience        string
 	jwksURL         string
 	refreshInterval time.Duration
 	authEnabledGate limits.GateLimiter
+	refreshEnabled  bool
 
 	mu            sync.RWMutex
 	keySet        *jsonWebKeySet
@@ -145,15 +150,23 @@ func NewJWTBasedAuth(cfg JWTBasedAuthConfig, limitsFactory limits.Factory, lggr
 		httpClient = &http.Client{Timeout: defaultHTTPTimeout}
 	}
 
-	return &jwtBasedAuth{
+	v := &jwtBasedAuth{
 		issuerURL:       cfg.IssuerURL,
 		audience:        cfg.Audience,
 		jwksURL:         jwksURL,
 		refreshInterval: refreshInterval,
 		authEnabledGate: options.authEnabledGate,
+		refreshEnabled:  !options.skipConfigChecks,
 		httpClient:      httpClient,
 		lggr:            logger.Named(lggr, "VaultJWTBasedAuth"),
-	}, nil
+	}
+	v.Service, v.eng = services.Config{
+		Name:  "VaultJWTBasedAuth",
+		Start: v.start,
+		Close: v.close,
+	}.NewServiceEngine(v.lggr)
+
+	return v, nil
 }
 
 func newVaultJWTAuthEnabledGateLimiter(limitsFactory limits.Factory, lggr logger.Logger) limits.GateLimiter {
@@ -166,6 +179,24 @@ func newVaultJWTAuthEnabledGateLimiter(limitsFactory limits.Factory, lggr logger
 	return limiter
 }
 
+func (v *jwtBasedAuth) start(context.Context) error {
+	if !v.refreshEnabled {
+		v.lggr.Debug("JWTBasedAuth periodic JWKS refresh disabled")
+		return nil
+	}
+
+	v.eng.GoTick(services.NewTicker(v.refreshInterval), func(ctx context.Context) {
+		if err := v.refreshJWKS(ctx); err != nil {
+			v.lggr.Warnw("periodic JWKS refresh failed", "error", err)
+		}
+	})
+	return nil
+}
+
+func (v *jwtBasedAuth) close() error {
+	return v.authEnabledGate.Close()
+}
+
 // AuthorizeRequest verifies JWTBasedAuth state and token claims, and returns a common AuthResult.
 func (v *jwtBasedAuth) AuthorizeRequest(ctx context.Context, req jsonrpc.Request[json.RawMessage]) (*AuthResult, error) {
 	isEnabled, err := v.authEnabledGate.Limit(ctx)
diff --git a/core/capabilities/vault/jwt_based_auth_test.go b/core/capabilities/vault/jwt_based_auth_test.go
@@ -36,16 +36,21 @@ type testJWKSServer struct {
 	server *httptest.Server
 	mu     sync.Mutex
 	keys   []testRSAKey
+	hits   chan struct{}
 }
 
 func newTestJWKSServer(t *testing.T, keys ...testRSAKey) *testJWKSServer {
 	t.Helper()
-	s := &testJWKSServer{keys: keys}
+	s := &testJWKSServer{keys: keys, hits: make(chan struct{}, 32)}
 	mux := http.NewServeMux()
 	mux.HandleFunc("/.well-known/jwks.json", func(w http.ResponseWriter, r *http.Request) {
 		s.mu.Lock()
 		currentKeys := s.keys
 		s.mu.Unlock()
+		select {
+		case s.hits <- struct{}{}:
+		default:
+		}
 
 		ks := jsonWebKeySet{}
 		for _, k := range currentKeys {
@@ -62,6 +67,21 @@ func newTestJWKSServer(t *testing.T, keys ...testRSAKey) *testJWKSServer {
 
 func (s *testJWKSServer) URL() string { return s.server.URL }
 
+func (s *testJWKSServer) waitForHits(t *testing.T, count int, timeout time.Duration) {
+	t.Helper()
+
+	deadline := time.NewTimer(timeout)
+	defer deadline.Stop()
+
+	for range count {
+		select {
+		case <-s.hits:
+		case <-deadline.C:
+			t.Fatalf("timed out waiting for %d JWKS hits", count)
+		}
+	}
+}
+
 func (s *testJWKSServer) setKeys(keys ...testRSAKey) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -413,6 +433,34 @@ func TestJWTBasedAuth_JWKSServerUnavailable(t *testing.T) {
 	assert.ErrorIs(t, err, ErrJWKSKeyNotFound)
 }
 
+func TestJWTBasedAuth_StartRefreshesJWKSPeriodically(t *testing.T) {
+	rsaKey := generateTestRSAKey(t, "key-1")
+	jwksServer := newTestJWKSServer(t, rsaKey)
+
+	v, err := NewJWTBasedAuth(JWTBasedAuthConfig{
+		IssuerURL:           jwksServer.URL() + "/",
+		Audience:            "https://api.test.chain.link",
+		JWKSRefreshInterval: 10 * time.Millisecond,
+	}, limits.Factory{Settings: cresettings.DefaultGetter}, logger.TestLogger(t), WithJWTBasedAuthGateLimiter(limits.NewGateLimiter(true)))
+	require.NoError(t, err)
+
+	require.NoError(t, v.Start(t.Context()))
+	jwksServer.waitForHits(t, 2, time.Second)
+	require.NoError(t, v.Close())
+}
+
+func TestJWTBasedAuth_DisabledStartSkipsPeriodicRefresh(t *testing.T) {
+	v, err := NewJWTBasedAuth(
+		JWTBasedAuthConfig{},
+		limits.Factory{Settings: cresettings.DefaultGetter},
+		logger.TestLogger(t),
+		WithDisabledJWTBasedAuth(),
+	)
+	require.NoError(t, err)
+	require.NoError(t, v.Start(t.Context()))
+	require.NoError(t, v.Close())
+}
+
 func TestNewJWTBasedAuth_InvalidConfig(t *testing.T) {
 	lggr := logger.TestLogger(t)
 
diff --git a/core/services/gateway/handlers/vault/handler.go b/core/services/gateway/handlers/vault/handler.go
@@ -138,6 +138,7 @@ type handler struct {
 	mu           sync.RWMutex
 	stopCh       services.StopChan
 	authorizer   vaultcap.Authorizer
+	jwtAuth      services.Service
 	*vaultcap.RequestValidator
 
 	nodeRateLimiter *ratelimit.RateLimiter
@@ -184,10 +185,14 @@ func NewHandler(methodConfig json.RawMessage, donConfig *config.DONConfig, don g
 		return nil, fmt.Errorf("failed to create JWTBasedAuth: %w", err)
 	}
 	authorizer := vaultcap.NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)
-	return newHandlerWithAuthorizer(methodConfig, donConfig, don, capabilitiesRegistry, authorizer, lggr, clock, limitsFactory)
+	return newHandlerWithJWTAuth(methodConfig, donConfig, don, capabilitiesRegistry, authorizer, jwtBasedAuth, lggr, clock, limitsFactory)
 }
 
 func newHandlerWithAuthorizer(methodConfig json.RawMessage, donConfig *config.DONConfig, don gwhandlers.DON, capabilitiesRegistry capabilitiesRegistry, authorizer vaultcap.Authorizer, lggr logger.Logger, clock clockwork.Clock, limitsFactory limits.Factory) (*handler, error) {
+	return newHandlerWithJWTAuth(methodConfig, donConfig, don, capabilitiesRegistry, authorizer, nil, lggr, clock, limitsFactory)
+}
+
+func newHandlerWithJWTAuth(methodConfig json.RawMessage, donConfig *config.DONConfig, don gwhandlers.DON, capabilitiesRegistry capabilitiesRegistry, authorizer vaultcap.Authorizer, jwtAuth services.Service, lggr logger.Logger, clock clockwork.Clock, limitsFactory limits.Factory) (*handler, error) {
 	var cfg Config
 	if err := json.Unmarshal(methodConfig, &cfg); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal method config: %w", err)
@@ -232,6 +237,7 @@ func newHandlerWithAuthorizer(methodConfig json.RawMessage, donConfig *config.DO
 		activeRequests:      make(map[string]*activeRequest),
 		mu:                  sync.RWMutex{},
 		authorizer:          authorizer,
+		jwtAuth:             jwtAuth,
 		stopCh:              make(services.StopChan),
 		metrics:             metrics,
 		aggregator:          &baseAggregator{capabilitiesRegistry: capabilitiesRegistry},
@@ -243,6 +249,11 @@ func newHandlerWithAuthorizer(methodConfig json.RawMessage, donConfig *config.DO
 func (h *handler) Start(_ context.Context) error {
 	return h.StartOnce("VaultHandler", func() error {
 		h.lggr.Debug("starting vault handler")
+		if h.jwtAuth != nil {
+			if err := h.jwtAuth.Start(context.Background()); err != nil {
+				return fmt.Errorf("failed to start JWTBasedAuth: %w", err)
+			}
+		}
 		go func() {
 			ctx, cancel := h.stopCh.NewCtx()
 			defer cancel()
@@ -270,7 +281,12 @@ func (h *handler) Close() error {
 	return h.StopOnce("VaultHandler", func() error {
 		h.lggr.Debug("closing vault handler")
 		close(h.stopCh)
+		var jwtAuthErr error
+		if h.jwtAuth != nil {
+			jwtAuthErr = h.jwtAuth.Close()
+		}
 		return errors.Join(
+			jwtAuthErr,
 			h.writeMethodsEnabled.Close(),
 			h.MaxRequestBatchSizeLimiter.Close(),
 		)

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ type GatewayHandler struct {`
`80`	`80`	`secretsService vaulttypes.SecretsService`
`81`	`81`	`gatewayConnector gatewayConnector`
`82`	`82`	`authorizer Authorizer`
	`83`	`+ jwtAuthService services.Service`
`83`	`84`	`lggr logger.Logger`
`84`	`85`	`metrics *metrics`
`85`	`86`	`}`
`@@ -97,11 +98,12 @@ func NewGatewayHandler(secretsService vaulttypes.SecretsService, connector gatew`
`97`	`98`	`return nil, fmt.Errorf("failed to create JWTBasedAuth: %w", err)`
`98`	`99`	`}`
`99`	`100`	`cfg.authorizer = NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)`
	`101`	`+ return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, jwtBasedAuth, lggr)`
`100`	`102`	`}`
`101`		`- return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, lggr)`
	`103`	`+ return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, nil, lggr)`
`102`	`104`	`}`
`103`	`105`
`104`		`-func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, connector gatewayConnector, authorizer Authorizer, lggr logger.Logger) (*GatewayHandler, error) {`
	`106`	`+func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, connector gatewayConnector, authorizer Authorizer, jwtAuthService services.Service, lggr logger.Logger) (*GatewayHandler, error) {`
`105`	`107`	`metrics, err := newMetrics()`
`106`	`108`	`if err != nil {`
`107`	`109`	`return nil, fmt.Errorf("failed to create metrics: %w", err)`
`@@ -111,6 +113,7 @@ func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, c`
`111`	`113`	`secretsService: secretsService,`
`112`	`114`	`gatewayConnector: connector,`
`113`	`115`	`authorizer: authorizer,`
	`116`	`+ jwtAuthService: jwtAuthService,`
`114`	`117`	`lggr: lggr.Named(HandlerName),`
`115`	`118`	`metrics: metrics,`
`116`	`119`	`}`
`@@ -123,17 +126,26 @@ func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, c`
`123`	`126`	`}`
`124`	`127`
`125`	`128`	`func (h *GatewayHandler) start(ctx context.Context) error {`
	`129`	`+ if h.jwtAuthService != nil {`
	`130`	`+ if err := h.jwtAuthService.Start(ctx); err != nil {`
	`131`	`+ return fmt.Errorf("failed to start JWTBasedAuth: %w", err)`
	`132`	`+ }`
	`133`	`+ }`
`126`	`134`	`if gwerr := h.gatewayConnector.AddHandler(ctx, h.Methods(), h); gwerr != nil {`
`127`	`135`	`return fmt.Errorf("failed to add vault handler to connector: %w", gwerr)`
`128`	`136`	`}`
`129`	`137`	`return nil`
`130`	`138`	`}`
`131`	`139`
`132`	`140`	`func (h *GatewayHandler) close() error {`
	`141`	`+ var jwtAuthErr error`
	`142`	`+ if h.jwtAuthService != nil {`
	`143`	`+ jwtAuthErr = h.jwtAuthService.Close()`
	`144`	`+ }`
`133`	`145`	`if gwerr := h.gatewayConnector.RemoveHandler(context.Background(), h.Methods()); gwerr != nil {`
`134`		`- return fmt.Errorf("failed to remove vault handler from connector: %w", gwerr)`
	`146`	`+ return errors.Join(fmt.Errorf("failed to remove vault handler from connector: %w", gwerr), jwtAuthErr)`
`135`	`147`	`}`
`136`		`- return nil`
	`148`	`+ return jwtAuthErr`
`137`	`149`	`}`
`138`	`150`
`139`	`151`	`func (h *GatewayHandler) ID(ctx context.Context) (string, error) {`