...

The module path prefix strategy lets the sidecar be adjusted to the different discovery URLs used in a deployment.

...

It is defined with the environment variable SIDECAR_MODULE_PATH_PREFIX_STRATEGY, which takes one of the following values: PROXY, STRIP, or NONE.

  1. PROXY is used when routing between Kong, Sidecar, and Module requires a path prefix in the location URL:

    Code Block
    ## Module sidecar location
    https://sidecar-foo.module-subnet.example.com/sc-foo
    
    ## Folio module location
    https://mod-foo.module-subnet.example.com/mod-foo
  2. STRIP is used when routing between Kong and the Sidecar requires a path prefix in the location URL, but the Sidecar and the Module reach each other directly over a private subnet, so the prefix is stripped before the request is forwarded:

    Code Block
    ## Module sidecar location
    https://sidecar-foo.module-subnet.example.com/sc-foo
    
    ## Folio module location
    https://mod-foo:8081/
  3. NONE is used when routing between Kong, Sidecar, and Module does not require a path prefix in the location URL:

    Code Block
    ## Module sidecar location
    https://sidecar-foo.module-subnet.example.com
    
    ## Folio module location
    https://mod-foo.module-subnet.example.com

The module prefix itself is derived from the environment variable MODULE_NAME, which the sidecar requires in every case.
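The following is an added example, not code from the sidecar or the FOLIO project: it shows how an inbound request path is rewritten into the upstream module URL under each of the three strategies, using the three location pairs from the page. The request paths, the query string and the function names (resolve_upstream, strip_segment_prefix) are constructed for the illustration; the exact rewriting rules inside the real sidecar may differ. Two checks a reverse proxy should always make are included: the sidecar prefix is matched on a path-segment boundary (so /sc-foobar/... is not mistaken for /sc-foo/...), and dot segments are refused so a caller cannot climb out of the module prefix after the rewrite.

```python
from urllib.parse import urlsplit, urlunsplit

STRATEGIES = ("PROXY", "STRIP", "NONE")


def strip_segment_prefix(path: str, prefix: str) -> str:
    """Remove `prefix` from `path` on a path-segment boundary.

    A plain str.startswith() check would let /sc-foobar/... match the
    /sc-foo prefix, so the match is anchored to a '/' or to the end of the path.
    """
    if path == prefix:
        return "/"
    if path.startswith(prefix + "/"):
        return path[len(prefix):]
    raise ValueError(f"request path {path!r} does not carry the expected prefix {prefix!r}")


def resolve_upstream(strategy: str, sidecar_location: str, module_location: str,
                     request_path: str, query: str = "") -> str:
    """Return the URL the sidecar should call for an inbound request.

    sidecar_location / module_location are discovery URLs as on the page;
    request_path is the path as it reached the sidecar (constructed input).
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown SIDECAR_MODULE_PATH_PREFIX_STRATEGY {strategy!r}")
    if any(seg in (".", "..") for seg in request_path.split("/")):
        # Dot segments could escape the module prefix after rewriting; refuse them.
        raise ValueError(f"dot segment in request path {request_path!r}")

    sc_prefix = urlsplit(sidecar_location).path.rstrip("/")
    mod = urlsplit(module_location)
    mod_prefix = mod.path.rstrip("/")

    if strategy == "NONE":
        # Neither hop uses a prefix: the path is forwarded unchanged.
        downstream_path = request_path
    else:
        if not sc_prefix:
            raise ValueError(f"{strategy} requires a path prefix in the sidecar location")
        remainder = strip_segment_prefix(request_path, sc_prefix)
        if strategy == "PROXY":
            # Swap the sidecar prefix (/sc-foo) for the module prefix (/mod-foo).
            downstream_path = mod_prefix + remainder
        else:
            # STRIP: the module is reachable at the root of its private address.
            downstream_path = remainder

    return urlunsplit((mod.scheme, mod.netloc, downstream_path, query, ""))


def demo() -> dict:
    """The three location pairs from the page, one constructed request each."""
    sc = "https://sidecar-foo.module-subnet.example.com/sc-foo"
    return {
        "PROXY": resolve_upstream("PROXY", sc,
                                  "https://mod-foo.module-subnet.example.com/mod-foo",
                                  "/sc-foo/users/123", "limit=10"),
        "STRIP": resolve_upstream("STRIP", sc, "https://mod-foo:8081/", "/sc-foo/users/123"),
        "NONE": resolve_upstream("NONE", "https://sidecar-foo.module-subnet.example.com",
                                 "https://mod-foo.module-subnet.example.com", "/users/123"),
    }


if __name__ == "__main__":
    for strategy, url in demo().items():
        print(f"{strategy:5} -> {url}")
```

Running the block prints the rewritten upstream URL for each strategy. A request whose path does not start with the configured sidecar prefix under PROXY or STRIP is a routing misconfiguration and is rejected rather than forwarded to a guessed location.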

Diagram: "Proxy prefix strategy" (draw.io sketch, not reproduced here)

Signing Key Rotation

Sidecars must learn about new signing keys. This happens automatically: when a sidecar receives a token whose signing key ID (kid) is not in its cached key set, it calls "/protocol/openid-connect/certs" again. That forced refresh is throttled, however. The line jwtAuthContextInfo.setForcedJwksRefreshInterval($KC_FORCED_JWKS_REFRESH_INTERVAL) means a refresh triggered by an unknown key ID is performed at most once per the configured interval in minutes (one hour by default); an unknown key ID seen inside that window is rejected rather than fetched.

This logic is provided by the folio-auth-openid library: https://github.com/folio-org/applications-poc-tools/tree/master/folio-auth-openid

Code Block
// Refresh intervals in minutes, taken from KC_JWKS_REFRESH_INTERVAL and KC_FORCED_JWKS_REFRESH_INTERVAL
private final int jwksRefreshInterval = ${value from `KC_JWKS_REFRESH_INTERVAL`};
private final int forcedJwksRefreshInterval = ${value from `KC_FORCED_JWKS_REFRESH_INTERVAL`};

// One parser per issuer; the JWKS endpoint is derived from the issuer URI
var jwtAuthContextInfo = new JWTAuthContextInfo(issuerUri + "/protocol/openid-connect/certs", issuerUri);
// How often the cached key set is re-fetched regardless of what tokens arrive
jwtAuthContextInfo.setJwksRefreshInterval(this.jwksRefreshInterval);
// Minimum gap between refreshes forced by a token with an unknown key id
jwtAuthContextInfo.setForcedJwksRefreshInterval(this.forcedJwksRefreshInterval);
var jwtParser = new DefaultJWTParser(jwtAuthContextInfo);
tokenParsers.put(issuerUri, jwtParser);
return jwtParser;

  1. User: The user initiates the process by logging into Keycloak.

  2. Keycloak (keycloak): Keycloak authenticates the user and returns a JWT signed with a new signing key ID (kid).

  3. User to Sidecar: The user requests "Module A" via the sidecar, presenting the JWT.

  4. Sidecar Processing:

    • The sidecar reads the signing key ID from the JWT header and looks it up in its cached JWKS.

    • If the key ID is known, the sidecar validates the signature against the cached key and forwards the request to "Module A" without fetching new keys.

    • If the key ID is unknown and the last forced JWKS refresh was longer ago than KC_FORCED_JWKS_REFRESH_INTERVAL (one hour by default), the sidecar fetches the current keys from Keycloak, updates its local cache, and, if the key ID is now present and the signature is valid, forwards the request to "Module A".

    • If the key ID is unknown and a forced JWKS refresh already occurred within that interval, the sidecar rejects the request instead of refreshing again. The throttle is deliberate: without it, any caller could force a certs request on Keycloak simply by sending tokens with made-up key IDs.

  5. Module A (moduleA): "Module A" receives and processes the request forwarded by the sidecar.
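The following is an added example, not code from folio-auth-openid or smallrye-jwt: it models the two intervals described above (periodic refresh and throttled forced refresh) in a small key cache and runs a constructed rotation scenario through it. Keycloak's RS256 signatures are replaced by HS256 with shared secrets so the block needs only the standard library; the kid lookup and refresh decisions are what the example is about and are the same either way. The key IDs, secrets, claims, the fetch_jwks callable (standing in for the certs endpoint) and the clock are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(kid: str, secret: bytes, claims: dict) -> str:
    """Constructed stand-in for a Keycloak-issued JWT (HS256 instead of RS256
    to stay stdlib-only; the kid-based key selection is the same)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class JwksCache:
    """Key cache with the two intervals from the page (both in minutes):
    jwks_refresh_interval        - how often the key set is re-fetched anyway;
    forced_jwks_refresh_interval - minimum gap between refreshes forced by an unknown kid."""

    def __init__(self, fetch_jwks, jwks_refresh_interval: int, forced_jwks_refresh_interval: int,
                 clock=time.time):
        self._fetch_jwks = fetch_jwks            # callable returning {kid: secret}; stands in for /certs
        self._refresh_every = jwks_refresh_interval * 60
        self._forced_gap = forced_jwks_refresh_interval * 60
        self._clock = clock
        self._keys = {}
        self._last_refresh = None
        self._last_forced_refresh = None

    def _refresh(self, now: float) -> None:
        self._keys = dict(self._fetch_jwks())
        self._last_refresh = now

    def verify(self, token: str) -> dict:
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= self._refresh_every:
            self._refresh(now)                   # periodic refresh
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(_b64url_decode(header_b64))["kid"]
        if kid not in self._keys:
            if self._last_forced_refresh is not None and now - self._last_forced_refresh < self._forced_gap:
                raise PermissionError(f"unknown kid {kid!r} and forced JWKS refresh is throttled")
            self._last_forced_refresh = now
            self._refresh(now)                   # forced refresh triggered by the unknown kid
            if kid not in self._keys:
                raise PermissionError(f"kid {kid!r} still unknown after refresh")
        expected = hmac.new(self._keys[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise PermissionError("signature check failed")
        return json.loads(_b64url_decode(payload_b64))


def simulate_rotation() -> list:
    """Constructed scenario: Keycloak rotates its key twice, the second time inside
    the one-hour forced-refresh window. Returns (kid, outcome) per request."""
    clock = {"now": 1_700_000_000.0}
    keycloak_keys = {"kid-1": b"secret-one"}   # what /certs currently returns
    cache = JwksCache(lambda: keycloak_keys, jwks_refresh_interval=1440,
                      forced_jwks_refresh_interval=60, clock=lambda: clock["now"])
    outcomes = []

    def request(kid: str) -> None:
        token = sign_hs256(kid, keycloak_keys[kid], {"sub": "user-1", "iss": "https://kc.example/realms/foo"})
        try:
            cache.verify(token)
            outcomes.append((kid, "forwarded"))
        except PermissionError:
            outcomes.append((kid, "rejected"))

    request("kid-1")                          # initial JWKS fetch, known kid
    keycloak_keys["kid-2"] = b"secret-two"    # rotation 1
    request("kid-2")                          # unknown kid -> forced refresh -> forwarded
    clock["now"] += 10 * 60
    keycloak_keys["kid-3"] = b"secret-three"  # rotation 2, ten minutes later
    request("kid-3")                          # unknown kid, refresh throttled -> rejected
    request("kid-2")                          # still-cached kid is unaffected
    clock["now"] += 60 * 60
    request("kid-3")                          # window elapsed -> forced refresh -> forwarded
    return outcomes


if __name__ == "__main__":
    for kid, outcome in simulate_rotation():
        print(f"{kid}: {outcome}")
```

The scenario makes the operational consequence visible: a second key rotation inside KC_FORCED_JWKS_REFRESH_INTERVAL produces rejected requests until the window elapses or the periodic refresh runs, while tokens under an already-cached key keep working. Rotations should therefore be spaced further apart than the forced interval, or the interval lowered with the throttle's purpose in mind.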