Bug fix: Avoid setting KeySet with an empty JWKS URL

adapter/authserver/authserver.go

@@ -81,10 +81,13 @@ func New(discoveryEndpoint string) AuthorizationServerService {
 	return s
 }
 
-// KeySet returns the instance's keyset
+// KeySet returns the instance's keyset or nil if none is available
 func (s *RemoteService) KeySet() keyset.KeySet {
 	_ = s.initialize()
-	if s.jwks == nil && s.JwksURL != "" {
+	// If s.JwksURL contains an URL, make sure we return a KeySet with that URL
+	// That fixes the problem when SetKeySet() is used to set a KeySet with
+	// an empty JWKS URL while we already know the proper JWKS URL from the discovery
+	if s.JwksURL != "" && (s.jwks == nil || s.jwks.PublicKeyURL() == "") {
 		s.jwks = keyset.New(s.JwksURL, s.httpclient)
 	}
 	return s.jwks
@@ -210,8 +213,8 @@ func (s *RemoteService) loadDiscoveryEndpoint() (interface{}, error) {
 		return nil, oa2Err
 	}
 
-	s.initialized = true
 	s.DiscoveryConfig = *config
+	s.initialized = true
 
 	return http.StatusOK, nil
 }

adapter/policy/handler/crdeventhandler/add_event.go

@@ -17,18 +17,18 @@ type AddUpdateEventHandler interface {
 }
 
 type JwtConfigAddEventHandler struct {
-	Obj *v1.JwtConfig
+	Obj   *v1.JwtConfig
 	Store storepolicy.PolicyStore
 }
 
 type OidcConfigAddEventHandler struct {
-	Obj *v1.OidcConfig
+	Obj        *v1.OidcConfig
 	KubeClient kubernetes.Interface
-	Store storepolicy.PolicyStore
+	Store      storepolicy.PolicyStore
 }
 
 type PolicyAddEventHandler struct {
-	Obj *v1.Policy
+	Obj   *v1.Policy
 	Store storepolicy.PolicyStore
 }
 
@@ -46,8 +46,11 @@ func (e *OidcConfigAddEventHandler) HandleAddUpdateEvent() {
 		e.Obj.Spec.AuthMethod = "client_secret_basic"
 	}
 	authorizationServer := authserver.New(e.Obj.Spec.DiscoveryURL)
-	keySets := keyset.New(authorizationServer.JwksEndpoint(), nil)
-	authorizationServer.SetKeySet(keySets)
+	jwksURL := authorizationServer.JwksEndpoint()
+	if jwksURL != "" {
+		keySets := keyset.New(authorizationServer.JwksEndpoint(), nil)
+		authorizationServer.SetKeySet(keySets)
+	}
 	e.Obj.Spec.ClientSecret = GetClientSecret(e.Obj, e.KubeClient)
 	// Create and store OIDC Client
 	oidcClient := client.New(e.Obj.Spec, authorizationServer)
@@ -57,11 +60,11 @@ func (e *OidcConfigAddEventHandler) HandleAddUpdateEvent() {
 
 func (e *PolicyAddEventHandler) HandleAddUpdateEvent() {
 	zap.L().Debug("Create/Update Policy", zap.String("ID", string(e.Obj.ObjectMeta.UID)), zap.String("name", e.Obj.ObjectMeta.Name), zap.String("namespace", e.Obj.ObjectMeta.Namespace))
-	mappingId := e.Obj.ObjectMeta.Namespace + "/" +e.Obj.ObjectMeta.Name
+	mappingId := e.Obj.ObjectMeta.Namespace + "/" + e.Obj.ObjectMeta.Name
 	parsedPolicies := ParseTarget(e.Obj.Spec.Target, e.Obj.ObjectMeta.Namespace)
 	for _, policies := range parsedPolicies {
 		zap.S().Debug("Adding policy for endpoint", policies.Endpoint)
-		e.Store.SetPolicies(policies.Endpoint, policy.RoutePolicy{ PolicyReference: mappingId, Actions: policies.Actions})
+		e.Store.SetPolicies(policies.Endpoint, policy.RoutePolicy{PolicyReference: mappingId, Actions: policies.Actions})
 	}
 	e.Store.AddPolicyMapping(mappingId, parsedPolicies)
 	zap.L().Info("Policy created/updated", zap.String("ID", string(e.Obj.ObjectMeta.UID)))

adapter/strategy/web/web.go

@@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/gogo/googleapis/google/rpc"
@@ -30,7 +30,7 @@ import (
 	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/policy/engine"
 	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/strategy"
 	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/validator"
-	"github.com/ibm-cloud-security/app-identity-and-access-adapter/config/template"
+	authnz "github.com/ibm-cloud-security/app-identity-and-access-adapter/config/template"
 )
 
 const (
@@ -158,6 +158,10 @@ func (w *WebStrategy) isAuthorized(cookies string, action *engine.Action) (*auth
 	// Validate session
 	userInfoEndpoint := action.Client.AuthorizationServer().UserInfoEndpoint()
 	keySet := action.Client.AuthorizationServer().KeySet()
+	if keySet == nil {
+		zap.L().Debug("Unable to validate session because KeySet is missing for the authorization server", zap.String("client_name", action.Client.Name()))
+		return nil, nil
+	}
 
 	handleTokenValidationError := func(validationErr *oAuthError.OAuthError) (*authnz.HandleAuthnZResponse, error) {
 		if validationErr.Msg == oAuthError.ExpiredTokenError().Msg {
@@ -197,6 +201,10 @@ func (w *WebStrategy) handleRefreshTokens(sessionID string, session *authserver.
 	}
 	userInfoEndpoint := c.AuthorizationServer().UserInfoEndpoint()
 	keySet := c.AuthorizationServer().KeySet()
+	if keySet == nil {
+		zap.L().Debug("Unable to refresh tokens because KeySet is missing for the authorization server", zap.String("client_name", c.Name()))
+		return nil, nil
+	}
 
 	if tokens, err := c.RefreshToken(session.RefreshToken); err != nil {
 		zap.L().Info("Could not retrieve tokens using the refresh token", zap.String("client_name", c.Name()), zap.Error(err))
@@ -297,6 +305,10 @@ func (w *WebStrategy) handleAuthorizationCodeCallback(code interface{}, request
 
 	userInfoEndpoint := action.Client.AuthorizationServer().UserInfoEndpoint()
 	keySet := action.Client.AuthorizationServer().KeySet()
+	if keySet == nil {
+		zap.L().Debug("Unable to handle IODC callback because KeySet is missing for the authorization server", zap.String("client_name", action.Client.Name()))
+		return nil, nil
+	}
 
 	validationErr := w.tokenUtil.Validate(response.AccessToken, validator.Access, keySet, action.Rules, userInfoEndpoint)
 	if validationErr != nil {