awslabs/aws-jwt-verify

[DOCS] Improve discoverability of the timeout parameter for fetch requests (in docs and/or code)

Closed this issue · 4 comments

DannyBoris commented

Describe the bug
Please provide a clear and concise description of what the bug is.
Trying to decode a token generated by Cognito results in Failed to fetch jwks.
I've double checked all credentials (AWS_COGNITO_USER_POOL_ID, AWS_COGNITO_CLIENT_ID)

fetch the raw URL of the jwks from amazon works well - The json is retrieved.

Versions
Which version of aws-jwt-verify are you using? 4.0.0
Are you using the library in Node.js or in the Web browser? Postman/Browser
If Node.js, which version of Node.js are you using? (Should be at least 14)
If Web browser, which web browser and which version of it are you using? 20.4.0
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) 5.1.6

To Reproduce
If you can, please provide a minimal code example that reproduces the bug.
const decoded = await verifier.verify(token);

DannyBoris commented

Seems like the problem is a timeout after 1500 which is the default.
When increasing the timeout to 5000, the request process successfully.

    async getJwks(jwksUri) {
        const existingFetch = this.fetchingJwks.get(jwksUri);
        if (existingFetch) {
            return existingFetch;
        }
        **const jwksPromise = this.fetcher.fetch(jwksUri, { responseTimeout: 5000 }).then((res) => {**
            assertIsJwks(res);
            return res;
        });
        this.fetchingJwks.set(jwksUri, jwksPromise);
        let jwks;
        try {
            jwks = await jwksPromise;
        }
        finally {
            this.fetchingJwks.delete(jwksUri);
        }
        this.jwksCache.set(jwksUri, jwks);
        return jwks;
    }
DannyBoris commented

Seems like the problem is a timeout after 1500 which is the default.
When increasing the timeout to 5000, the request process successfully.

    async getJwks(jwksUri) {
        const existingFetch = this.fetchingJwks.get(jwksUri);
        if (existingFetch) {
            return existingFetch;
        }
        **const jwksPromise = this.fetcher.fetch(jwksUri, { responseTimeout: 5000 }).then((res) => {**
            assertIsJwks(res);
            return res;
        });
        this.fetchingJwks.set(jwksUri, jwksPromise);
        let jwks;
        try {
            jwks = await jwksPromise;
        }
        finally {
            this.fetchingJwks.delete(jwksUri);
        }
        this.jwksCache.set(jwksUri, jwks);
        return jwks;
    }

Is it possible to expose timeout setting to the user?

ottokruse commented

The timeout is user exposed: https://github.com/awslabs/aws-jwt-verify#configuring-the-jwks-response-timeout-and-other-http-options-with-jsonfetcher

See also this comment: #72 (comment)

Let's leave this issue open because you have convinced me we need to do a better job of making this setting more obvious.

  • 👍2
  • 🚀1
ottokruse commented

Will close this issue--we have raised the default value to a more resonable 3000 ms. timeout (from 1500 ms.) and hope/expect less users will need to specify a higher value. There is now enough material in our README; this actually turns up in internet searches, for people who would still run into this timeout error--and they will be likely to find the solution quickly.