MoneyHub.Auth.JWKS (MoneyHub v1.0.0)

Fetches and caches Moneyhub's public JSON Web Key Set (JWKS).

Moneyhub publishes its signing keys at {identity_url}/oidc/certs. These keys are used to verify the id_token returned from the token endpoint (see MoneyHub.Auth.IdToken) and to verify webhook payloads signed as JWTs (see MoneyHub.Webhooks).

Fetched key sets are cached in-process (an :persistent_term per identity_url) for :ttl (default 1 hour) to avoid a network round trip on every verification. Call refresh/1 to force a re-fetch, for example after a kid-not-found verification failure (key rotation).

Summary

Functions

Returns the JWKS for the given identity_url, fetching and caching it on first use or after expiry.

Finds the JWK matching kid within a JWKS map, as returned by fetch/2.

Forces a re-fetch of the JWKS for identity_url, updating the cache.

Functions

fetch(identity_url, opts \\ [])

@spec fetch(
  String.t(),
  keyword()
) :: {:ok, map()} | {:error, MoneyHub.Error.t()}

Returns the JWKS for the given identity_url, fetching and caching it on first use or after expiry.

Options

  • :ttl - cache lifetime in milliseconds. Defaults to 1 hour.
  • :finch_pool - the Finch pool to issue the fetch through.
  • :http_options - extra options merged into the Req call (e.g. a test :adapter).

find_key(map, kid)

@spec find_key(map(), String.t()) :: {:ok, map()} | {:error, MoneyHub.Error.t()}

Finds the JWK matching kid within a JWKS map, as returned by fetch/2.

refresh(identity_url, opts \\ [])

@spec refresh(
  String.t(),
  keyword()
) :: {:ok, map()} | {:error, MoneyHub.Error.t()}

Forces a re-fetch of the JWKS for identity_url, updating the cache.

Accepts the same :ttl, :finch_pool, and :http_options as fetch/2.
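As an added example (not part of the MoneyHub library), the following module ties fetch/2, find_key/2 and refresh/2 together and applies the refresh-on-kid-not-found pattern described above when verifying a signed JWT such as a webhook payload. It assumes the application also depends on :jose and :jason, and that find_key/2 returns the raw JWK map (kty, n, e, ...) that JOSE.JWK.from_map/1 accepts.

```elixir
# Added example; not MoneyHub's own code. Assumes :jose and :jason are available
# and that `identity_url` is the Moneyhub identity host used with MoneyHub.Auth.JWKS.
defmodule MyApp.JwtVerifier do
  @moduledoc false

  # Pin the accepted algorithm so a token cannot downgrade to "none" or HMAC.
  @allowed_algs ["RS256"]

  # Verifies a compact JWS against Moneyhub's published keys.
  # Returns {:ok, claims} on a valid signature; claim checks (iss, aud, exp)
  # remain the caller's responsibility.
  def verify(identity_url, token) when is_binary(token) do
    with {:ok, kid} <- header_kid(token),
         {:ok, jwk} <- lookup_key(identity_url, kid),
         {true, %JOSE.JWT{fields: claims}, _jws} <-
           JOSE.JWT.verify_strict(JOSE.JWK.from_map(jwk), @allowed_algs, token) do
      {:ok, claims}
    else
      {false, _jwt, _jws} -> {:error, :bad_signature}
      {:error, _} = err -> err
    end
  end

  # Reads `kid` from the protected header (first base64url segment of header.payload.sig).
  defp header_kid(token) do
    with [header_b64, _payload, _sig] <- String.split(token, ".", parts: 3),
         {:ok, json} <- Base.url_decode64(header_b64, padding: false),
         {:ok, %{"kid" => kid}} when is_binary(kid) <- Jason.decode(json) do
      {:ok, kid}
    else
      _ -> {:error, :malformed_header}
    end
  end

  # Serve from the cached set first; on an unknown kid force exactly one
  # refresh (key rotation) and retry, so a bogus kid cannot trigger unbounded fetches.
  defp lookup_key(identity_url, kid) do
    with {:ok, jwks} <- MoneyHub.Auth.JWKS.fetch(identity_url) do
      case MoneyHub.Auth.JWKS.find_key(jwks, kid) do
        {:ok, jwk} ->
          {:ok, jwk}

        {:error, _not_found} ->
          with {:ok, fresh} <- MoneyHub.Auth.JWKS.refresh(identity_url) do
            MoneyHub.Auth.JWKS.find_key(fresh, kid)
          end
      end
    end
  end
end
```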