# Cache state

## Motivation and Benefits

Cache some data that can be reused later.

- Cache issuer public keys for digital signature verification
- Cache issued tokens for later reuse, refresh, history and usage stats
## Principles

- KISS - keep it simple, stupid
  - do not cache stuff, which will be hard to maintain later
- Cache keys, certificates and JWTs
- File based
  - no need for DBMS or management tools
  - easy backup/restore
  - human and machine readable
  - third party consumable
- Unique deterministic selectable file paths
  - No need to scan and search in directories (for most use cases)
- Keep it performant and scalable for a very large amount of cached files
## Implementation

- Directory: `~/.cache/actl`
- IDs
  - The `${issuer}` uniquely identifies an OpenID Connect Provider
  - The `${kid}` uniquely identifies a JWK (JSON Web Key)
  - The `${jti}` uniquely identifies a JWT (JSON Web Token - JWS and JWE)
- Use the `:` character for delimiting segments in filenames
  - `:` is allowed in filenames (both Unix and Windows)
  - `:` will not be present after percent-encoding (URL encoding) an issuer URL
  - No need to escape `:` for arbitrary commands
- Maybe also add the JWT type (`jws` or `jwe`) to the latest filename symlinks
- Filesystem structure:

```
.
└── issuer
    └── ${issuer}                  # The issuer url percent encoded
        ├── certs
        │   └── ${kid}             # Each JWK has a unique kid (Key ID)
        ├── jwt
        │   └── ${jti}             # Each issued JWT has a unique jti (JWT ID)
        └── latest
            └── ${issuer}:${client}:${sub} -> ../jwt/${jti}   # Symlink to a JWT matching issuer/client/sub combination
                # There could be more symlinks to maintain other user states in the future (e.g. default issuer).
```
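The layout above, implemented as an added example (this is not actl's own code): issuer, kid, jti, client and sub are percent-encoded into single path components, tokens are written with owner-only permissions, the `latest` symlink is swapped in atomically with a relative `../jwt/${jti}` target, and reading it back refuses a link that points outside the issuer's `jwt/` directory. The names `CacheLayout`, `encode_segment`, `demo` and the sample issuer/client/sub values are assumptions made for this example.

```python
"""Added example (not actl's own code): a file-based cache following the layout above.

Names (CacheLayout, encode_segment, demo) and sample values are assumptions for this
illustration, not identifiers taken from the page.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import quote


def encode_segment(value: str) -> str:
    """Percent-encode a value so it is one unambiguous path component.

    quote() with safe="" leaves only A-Za-z0-9 and "_.-~" untouched, so "/" and ":"
    become "%2F" and "%3A". A kid, jti or sub chosen by a remote issuer can therefore
    never step out of its directory and never collides with the ":" delimiter.
    "." and ".." are unreserved and would survive encoding, so they are rejected.
    """
    if value in ("", ".", ".."):
        raise ValueError(f"invalid path segment: {value!r}")
    return quote(value, safe="")


def _write_private(path: Path, text: str) -> None:
    """Write a cache file readable only by the current user (tokens are secrets)."""
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


class CacheLayout:
    """Deterministic paths: <root>/issuer/${issuer}/{certs,jwt,latest}/..."""

    def __init__(self, root):
        self.root = Path(root)

    def issuer_dir(self, issuer: str) -> Path:
        return self.root / "issuer" / encode_segment(issuer)

    def cert_path(self, issuer: str, kid: str) -> Path:
        return self.issuer_dir(issuer) / "certs" / encode_segment(kid)

    def jwt_path(self, issuer: str, jti: str) -> Path:
        return self.issuer_dir(issuer) / "jwt" / encode_segment(jti)

    def latest_link(self, issuer: str, client: str, sub: str) -> Path:
        name = ":".join(encode_segment(v) for v in (issuer, client, sub))
        return self.issuer_dir(issuer) / "latest" / name

    def put_key(self, issuer: str, kid: str, jwk_json: str) -> Path:
        path = self.cert_path(issuer, kid)
        _write_private(path, jwk_json)
        return path

    def put_jwt(self, issuer: str, client: str, sub: str, jti: str, token: str) -> Path:
        path = self.jwt_path(issuer, jti)
        _write_private(path, token)
        link = self.latest_link(issuer, client, sub)
        link.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
        # Relative target (../jwt/${jti}) as in the tree above, so the whole cache
        # directory can be backed up or moved. Create the link under a temporary
        # name and rename it over the old one so readers never see a missing link.
        tmp = link.with_name(link.name + ".tmp")
        os.symlink(os.path.join("..", "jwt", path.name), tmp)
        os.replace(tmp, link)
        return link

    def latest_jwt(self, issuer: str, client: str, sub: str):
        """Return the cached token for issuer/client/sub, or None if no link exists."""
        link = self.latest_link(issuer, client, sub)
        if not link.is_symlink():
            return None
        # Resolve the relative link and refuse anything outside this issuer's jwt/
        # directory, so a tampered symlink cannot make the tool read an arbitrary file.
        target = (link.parent / os.readlink(link)).resolve()
        if target.parent != (self.issuer_dir(issuer) / "jwt").resolve():
            raise ValueError(f"latest link escapes the jwt directory: {link}")
        return target.read_text()


def demo(root=None) -> dict:
    """Populate a throwaway cache with constructed sample data and read it back."""
    cache = CacheLayout(root or tempfile.mkdtemp(prefix="actl-cache-"))
    issuer = "https://issuer.example/realms/demo"  # constructed sample issuer
    cache.put_key(issuer, "key-2024", '{"kty":"RSA","kid":"key-2024"}')
    cache.put_jwt(issuer, "actl-cli", "alice@example.com", "jti-1", "eyJ.first.token")
    cache.put_jwt(issuer, "actl-cli", "alice@example.com", "jti-2", "eyJ.second.token")
    link = cache.latest_link(issuer, "actl-cli", "alice@example.com")
    return {
        "issuer_dir": cache.issuer_dir(issuer).relative_to(cache.root).as_posix(),
        "link_name": link.name,
        "link_target": os.readlink(link),
        "latest": cache.latest_jwt(issuer, "actl-cli", "alice@example.com"),
        "traversal_encoded": encode_segment("../etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encoding `client` and `sub` the same way as the issuer keeps the `:`-delimited symlink name parseable even when a `sub` itself contains `:` or `/`, and the encoding plus the `.`/`..` rejection is what keeps an issuer-supplied `kid` or `jti` from being used as a path-traversal string. One portability caveat: the Win32 API rejects `:` in file names (it introduces an NTFS alternate data stream), so a Windows build of this layout would need a different delimiter for the `latest` entries.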
Edited by Simon Schürg