Stream: inferno
Topic: JWKS Cache Control Testing
Cooper Thompson (Apr 16 2021 at 17:23):
There is a g10 test script entry for validating that the JWKS URL is not cached for longer than the provided Cache-Control header. Does Inferno have either a config option that defines what Cache-Control it uses on the jwks.json hosted by Inferno? Does that get rotated at all? Is there an easy way to monitor when the system under test hits that jwks.json URL (which would indicate a cache miss/expiration)?
Robert Scanlon (Apr 16 2021 at 18:20):
Inferno's g10 tests do not have the capability of testing that right now in an automated way. It added enough complexity that we decided to push that off into the 'Other > Visual Inspection and Attestation' section, and have this text box in there: [attachment: Screen-Shot-2021-04-16-at-2.07.52-PM.png]
There are probably clever ways that we could test this automatically, and if there is concern that implementers will ignore the requirement or get it wrong without an Inferno test, then we could revisit this.
Robert Scanlon (Apr 16 2021 at 18:26):
We aim to have complete coverage of the test procedure though, and made sure that anything that wasn't automated is represented in the 'Visual Inspection and Attestation' step at the very end. You can see how our tests mapped to the TP in the matrix we provide in every release (e.g. https://github.com/onc-healthit/inferno-program/releases/download/v1.5.0P/onc_program_matrix_1_5_0.xlsx )
Robert Scanlon (Apr 16 2021 at 18:28):
That excel document also pulls out metadata from every test, and the text content of every test procedure step, which you may find helpful as you do your own reviews. See tabs 2 and 3. I'd love feedback on that file, too (useful, not useful, errors, etc).
Cooper Thompson (Apr 16 2021 at 21:23):
Yeah, we saw the visual inspection; I was just thinking that would involve visual inspection of the Inferno JWU. Though now that I look, you aren't actually returning a Cache-Control header, so I expect that means that we'll need to spin up our own JKU endpoint, specify Cache-Control, and demonstrate using that.
Cooper Thompson (Apr 16 2021 at 21:24):
Inferno is great because it does just about all the certification work for us. I won't complain if we have to do a little work ourselves to get certified 😄.
Cooper Thompson (Apr 16 2021 at 21:59):
Hmm... related question, though maybe more for ONC than Inferno, but the test procedure says this:
The health IT developer demonstrates that the Health IT Module does not cache a JWK Set received via a TLS-protected URL for longer than the “cache-control” header received by an application indicates.
I think this should say "for no longer than the 'cache-control' header sent by the application"? Inferno re-worded that, and the Inferno wording seems right. The ONC test procedure wording seems backwards. The app isn't receiving the header, the app is sending it. It could either be "received from" or "sent by".
Robert Scanlon (Apr 19 2021 at 22:00):
Yes, it seems like this is an issue with the test procedure. Thanks for finding this discrepancy.
Robert Scanlon (May 14 2021 at 18:49):
@Cooper Thompson ONC put out an update to the test procedure, and changed the line to "sent by":
The health IT developer demonstrates that the Health IT Module does not cache a JWK Set received via a TLS-protected URL for longer than the “cache-control” header sent by an application indicates.
Last updated: Apr 12 2022 at 19:14 UTC