Description
Hi, I'm trying to configure two providers using JWKS in parallel, but ran into a problem with the documented parameters for validation caches.
It looks to me like the `cache` parameter for custom validation caches that is documented in the sample `oauth2.conf` config in this repo does not work, and that `verify.cache` must be used instead.
Could you confirm that this is indeed the case, and update the documentation in `oauth2.conf` accordingly?
It would also be nice if the possible values of `*` in options like `*.cache` could be documented there as well.
Background
One of my oauth providers supports RFC8705 certificate bound tokens, but the other doesn't.
To configure them in parallel, I tried this:
```apache
OAuth2TokenVerify jwks_uri https://has-cnf.example.com/oauth/discovery/keys type=mtls&mtls.policy=required
OAuth2TokenVerify jwks_uri https://no-cnf.example.com/oauth/discovery/keys
```
This does not work when using tokens from the non-mtls provider more than once. This is because the validation cache is shared between the two verifiers by default. Thus, the first (mtls) verifier will successfully fetch the cache entry set by the second one, and then reject it because client certificates are not available. It'll never continue to the second (non-mtls) verifier in the linked list of verifiers, because of the valid validation result obtained from the cache.
To fix this, I tried to configure separate caches for the two verifiers:
```apache
OAuth2Cache shm name=has-cnf
OAuth2Cache shm name=no-cnf
OAuth2TokenVerify jwks_uri https://has-cnf.example.com/oauth/discovery/keys type=mtls&mtls.policy=required&cache=has-cnf
OAuth2TokenVerify jwks_uri https://no-cnf.example.com/oauth/discovery/keys cache=no-cnf
```
The sample config documents this `cache` parameter as

> cache backend name for access token validation results, default is "default", otherwise must refer to a named cache defined with OAuth2Cache.
However, this does not work. After reading through `liboauth2`, it seems like the `cache` parameter is never used by `mod_oauth2`'s codepaths. Supplying arbitrary names here (= not previously configured by `OAuth2Cache`) does not result in any error, which seems to confirm this.
Instead, it looks like `verify.cache` is the correct name for custom validation caches. However, the sample config documents `*.verify` as

> cache backend name for results resolved from a URI. default is "default", otherwise must refer to a named cache defined with OAuth2Cache
Using `verify.cache` instead results in auth working as expected:
```apache
OAuth2Cache shm name=has-cnf
OAuth2Cache shm name=no-cnf
OAuth2TokenVerify jwks_uri https://has-cnf.example.com/oauth/discovery/keys type=mtls&mtls.policy=required&verify.cache=has-cnf
OAuth2TokenVerify jwks_uri https://no-cnf.example.com/oauth/discovery/keys verify.cache=no-cnf
```
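To make the failure mode described in this report concrete, here is a small Python model of two chained token verifiers that either share one validation cache or each use their own. This is an added example, not code from `mod_oauth2` or `liboauth2`: the chain order, the cache keyed on the raw token string, and the certificate-binding check running after the cache lookup are assumptions chosen to reproduce the reported behaviour, and the sample token and issuer URLs are constructed.

```python
"""Model of shared vs. separate validation caches across chained verifiers.

Added illustration, not mod_oauth2/liboauth2 code. Assumptions: a verifier
chain that stops at the first verifier returning a result or raising, a cache
keyed on the raw token string, and an RFC 8705 certificate-binding check that
runs after the cache lookup (so it also applies to cached entries).
"""
from dataclasses import dataclass, field


@dataclass
class Cache:
    """Stand-in for an OAuth2Cache backend: raw token -> validated claims."""
    entries: dict = field(default_factory=dict)

    def get(self, key):
        return self.entries.get(key)

    def set(self, key, value):
        self.entries[key] = value


@dataclass
class Verifier:
    """One OAuth2TokenVerify entry (assumed model)."""
    name: str
    issuer: str            # provider whose JWKS this verifier holds
    mtls_required: bool    # models type=mtls&mtls.policy=required
    cache: Cache

    def verify(self, token, client_thumbprint):
        """Return claims, None if this verifier cannot validate the token
        (chain continues), or raise PermissionError (chain stops)."""
        claims = self.cache.get(token["raw"])
        if claims is None:
            # Cache miss: a token signed by another issuer fails signature
            # validation here, so the chain moves on to the next verifier.
            if token["iss"] != self.issuer:
                return None
            claims = token["claims"]
            self.cache.set(token["raw"], claims)
        # Binding check also runs on cached results: an entry written by the
        # non-mTLS verifier is rejected here when no client cert is present.
        if self.mtls_required:
            bound = claims.get("cnf", {}).get("x5t#S256")
            if client_thumbprint is None or bound != client_thumbprint:
                raise PermissionError(f"{self.name}: certificate-bound token check failed")
        return claims


def verify_chain(verifiers, token, client_thumbprint):
    """Walk the verifier list like the linked list of OAuth2TokenVerify entries."""
    for v in verifiers:
        claims = v.verify(token, client_thumbprint)
        if claims is not None:
            return claims
    return None


def simulate(shared_cache):
    """Present the same token from the non-mTLS provider twice.

    Returns per-request outcomes: ['ok', 'rejected'] when both verifiers share
    one cache (the default), ['ok', 'ok'] when each has its own verify.cache.
    """
    if shared_cache:
        c1 = c2 = Cache()              # both verifiers on the "default" cache
    else:
        c1, c2 = Cache(), Cache()      # verify.cache=has-cnf / verify.cache=no-cnf
    chain = [
        Verifier("has-cnf", "https://has-cnf.example.com", True, c1),
        Verifier("no-cnf", "https://no-cnf.example.com", False, c2),
    ]
    # Constructed sample token (not a real JWT) issued by the non-mTLS provider.
    token = {
        "raw": "sample-token-from-no-cnf",
        "iss": "https://no-cnf.example.com",
        "claims": {"iss": "https://no-cnf.example.com", "sub": "alice"},
    }
    outcomes = []
    for _ in range(2):
        try:
            claims = verify_chain(chain, token, None)   # no client certificate
            outcomes.append("ok" if claims else "no verifier matched")
        except PermissionError:
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    print("shared cache:   ", simulate(True))
    print("separate caches:", simulate(False))
```

The first request succeeds in both setups because the mTLS verifier misses the cache and passes the token along; only on the second request does the shared cache hand the mTLS verifier a result it did not produce, which it then rejects before the non-mTLS verifier is ever consulted.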