JWKS key provider that fetches keys from an HTTP endpoint with ETS caching.
Fetches JSON Web Key Sets from the authorization server's JWKS URI, caches them in ETS, and auto-refreshes on cache miss or expiration.
Configuration
```elixir
auth: [
  strategy: :oauth,
  key_provider: {ConduitMcp.OAuth.KeyProvider.JWKS,
    jwks_uri: "https://auth.example.com/.well-known/jwks.json",
    cache_ttl: :timer.hours(1)} # default: 1 hour
]
```

The jwks_uri must use https. For local development against a
plain-HTTP authorization server, set allow_insecure_jwks: true in the
provider config.
Fetches use conservative HTTP settings: redirects are not followed,
requests time out (5 s connect / 10 s receive), and response bodies are
capped at 1 MB. If a refresh fails while previously fetched keys are still
cached, those stale keys are served (with a logged warning) so that a
transient authorization-server outage does not hard-fail all
authentication. Stale serving is bounded by :stale_max_age (default 24
hours); once the cached keys are older than that, the provider fails
closed, so a key the authorization server has rotated out or revoked
cannot keep validating tokens indefinitely.
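The cache policy described above (fresh hit, refresh on expiry, serve stale within a bound, then fail closed), as an added illustration that is not ConduitMcp's own code. The module, table and function names are hypothetical; the fetch function is injected so the cache logic runs offline, and fetch_via_req/2 shows one way to map the conservative HTTP settings onto Req, with the option names assumed from Req's documentation rather than taken from this page.

```elixir
# Added example, not ConduitMcp's own code: an ETS-backed JWKS cache showing the
# refresh / serve-stale / fail-closed policy. Names are hypothetical; Req option
# names in fetch_via_req/2 are assumed (Req >= 0.4) and not exercised offline.
defmodule JwksCacheExample do
  require Logger

  @table :jwks_cache_example
  @default_ttl :timer.hours(1)
  @default_stale_max_age :timer.hours(24)

  # Create the table once; :public so any caller process can read it.
  def init do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :public, :set, read_concurrency: true])
    end
    :ok
  end

  # fetch: zero-arity fun returning {:ok, keys} | {:error, reason}
  # now:   milliseconds on the monotonic clock (injectable so a test can move time)
  def get_keys(fetch, now \\ System.monotonic_time(:millisecond), opts \\ []) do
    ttl = Keyword.get(opts, :cache_ttl, @default_ttl)
    stale_max = Keyword.get(opts, :stale_max_age, @default_stale_max_age)

    case :ets.lookup(@table, :keys) do
      # Fresh entry: serve from cache, no network.
      [{:keys, keys, fetched_at}] when now - fetched_at < ttl -> {:ok, keys}
      # Expired entry: refresh, falling back to it only while within stale_max.
      [{:keys, keys, fetched_at}] -> refresh(fetch, now, keys, fetched_at, stale_max)
      # Miss: nothing to fall back to.
      [] -> refresh(fetch, now, nil, nil, stale_max)
    end
  end

  defp refresh(fetch, now, old_keys, fetched_at, stale_max) do
    case fetch.() do
      {:ok, keys} ->
        :ets.insert(@table, {:keys, keys, now})
        {:ok, keys}

      {:error, reason} when is_list(old_keys) and now - fetched_at < stale_max ->
        Logger.warning("JWKS refresh failed (#{inspect(reason)}); serving stale keys")
        {:ok, old_keys}

      {:error, reason} ->
        # Nothing cached, or cached keys older than stale_max: fail closed so a
        # key rotated out at the authorization server cannot validate forever.
        {:error, {:jwks_unavailable, reason}}
    end
  end

  # HTTPS-only fetcher: no redirects, short timeouts, hard cap on body size.
  def fetch_via_req(jwks_uri, max_bytes \\ 1_000_000) do
    case URI.parse(jwks_uri) do
      %URI{scheme: "https"} -> do_fetch(jwks_uri, max_bytes)
      _ -> {:error, :insecure_jwks_uri}
    end
  end

  defp do_fetch(jwks_uri, max_bytes) do
    # Stream the body and stop reading as soon as it exceeds the cap.
    into = fn {:data, chunk}, {req, resp} ->
      resp = %{resp | body: (resp.body || "") <> chunk}
      if byte_size(resp.body) > max_bytes, do: {:halt, {req, resp}}, else: {:cont, {req, resp}}
    end

    opts = [redirect: false, retry: false, decode_body: false, into: into,
            connect_options: [timeout: 5_000], receive_timeout: 10_000]

    with {:ok, %Req.Response{status: 200, body: body}} when byte_size(body) <= max_bytes <-
           Req.get(jwks_uri, opts),
         {:ok, %{"keys" => keys}} when is_list(keys) <- Jason.decode(body) do
      {:ok, keys}
    else
      {:ok, %Req.Response{status: 200}} -> {:error, :body_too_large}
      {:ok, %Req.Response{status: status}} -> {:error, {:http_status, status}}
      {:error, reason} -> {:error, reason}
      _ -> {:error, :invalid_jwks}
    end
  end
end

# Offline walk-through with a constructed JWKS entry (no real key material).
JwksCacheExample.init()
keys = [%{"kty" => "RSA", "kid" => "2024-01", "alg" => "RS256"}]
{:ok, ^keys} = JwksCacheExample.get_keys(fn -> {:ok, keys} end, 0)
{:ok, ^keys} = JwksCacheExample.get_keys(fn -> {:error, :unreachable} end, :timer.hours(2))
{:error, {:jwks_unavailable, :timeout}} =
  JwksCacheExample.get_keys(fn -> {:error, :timeout} end, :timer.hours(30))
```

The three calls at the bottom walk the policy in order: a miss that fetches and caches, an expired entry served stale because the refresh failed within the 24-hour bound, and a refresh failure past that bound that returns an error instead of the old keys. The HTTPS check in fetch_via_req/2 is the fail-closed counterpart of the allow_insecure_jwks escape hatch above; a development-only opt-in would be the one place to bypass it.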
Requirements
Requires the req package:
{:req, "~> 0.5"}