Package org.forgerock.secrets.jwkset

Class JwkSetSecretStore

java.lang.Object
org.forgerock.secrets.jwkset.JwkSetSecretStore
All Implemented Interfaces:
SecretStore<CryptoKey>
public class JwkSetSecretStore extends Object implements SecretStore<CryptoKey>
A secret store that loads cryptographic keys from a local or remote JWKSet. The active key for a given purpose is chosen as the first JWK in the set that satisfies the requirements of that purpose. Named keys are determined by "kid" value, while valid keys are found by filtering the JWK Set by purpose. A JWK is considered valid for a given purpose if its key operations and/or use constraints are compatible with the intended key usage.

  • Constructor Details

    • JwkSetSecretStore

      public JwkSetSecretStore(JWKSet jwkSet, Options options)
      Creates a secret store directly from the given JWK Set.
      Parameters:
      jwkSet - the JWK Set to use for the secret store.
      options - configuration options.

    • JwkSetSecretStore

      public JwkSetSecretStore(JwksStore jwksStore)
      Creates a secret store from a JwksStore. The remote JWK Set will be periodically refreshed allowing for key rotation. It is up to the JWK Set provider to ensure that valid keys remain in the JWK Set for any overlap period.
      Parameters:
      jwksStore - the JWK Store to load JWK Sets from.

    • JwkSetSecretStore

      public JwkSetSecretStore(JwksStore jwksStore, Options options)
      Creates a secret store from a JwksStore.
      Parameters:
      jwksStore - the JWK Store to load JWK Sets from.
      options - configuration options.

  • Method Details

    • getNamed

      public <S extends CryptoKey> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose, String name)
      Description copied from interface: SecretStore
      Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.
      Specified by:
      getNamed in interface SecretStore<CryptoKey>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the secret purpose.
      name - the name (stable id) of the secret.
      Returns:
      a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.

    • getStoredType

      public Class<CryptoKey> getStoredType()
      Description copied from interface: SecretStore
      The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.
      Specified by:
      getStoredType in interface SecretStore<CryptoKey>
      Returns:
      the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

    • getValid

      public <S extends CryptoKey> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)
      Description copied from interface: SecretStore
      Returns all valid secrets for the given purpose from this store.
      Specified by:
      getValid in interface SecretStore<CryptoKey>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose.
      Returns:
      a stream of all valid secrets of the given type from this store, or an empty stream if none exist.

    • refresh

      public void refresh()
      Description copied from interface: SecretStore
      Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.
      Specified by:
      refresh in interface SecretStore<CryptoKey>

    • toString

      public String toString()
      Overrides:
      toString in class Object