Refresh public keys on lookup failure.

config.go

@@ -42,7 +42,8 @@ func initConfig() error {
 		return err
 	}
 	initDomains(*domains)
-	if err := initPublicKeys(*publicKeysPath); err != nil {
+	cfg.PublicKeyPath = *publicKeysPath
+	if err := cfg.RefreshPublicKeys(); err != nil {
 		return err
 	}
 	return nil
@@ -116,25 +117,3 @@ func initDomains(domains string) {
 		}
 	}
 }
-
-func initPublicKeys(filePath string) error {
-	var err error
-	if len(filePath) != 0 {
-		cfg.PublicKeys, err = loadPublicKeysFromFile(filePath)
-	} else {
-		cfg.PublicKeys, err = jwt.FetchPublicKeys()
-	}
-	if err != nil {
-		return err
-	}
-	return cfg.Validate()
-}
-
-func loadPublicKeysFromFile(filePath string) (map[string]jwt.PublicKey, error) {
-	f, err := os.Open(filePath)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	return jwt.DecodePublicKeys(f)
-}

jwt/config.go

@@ -2,17 +2,53 @@ package jwt
 
 import (
 	"errors"
+	"fmt"
+	"os"
 	"regexp"
+
+	jwt "github.com/dgrijalva/jwt-go"
 )
 
 // Config specifies the parameters for which to perform validation of JWT
 // tokens in requests against.
 type Config struct {
+	PublicKeyPath  string
 	PublicKeys     map[string]PublicKey
 	MatchAudiences *regexp.Regexp
 	MatchDomains   map[string]bool
 }
 
+func (cfg *Config) RefreshPublicKeys() error {
+	var err error
+	if len(cfg.PublicKeyPath) != 0 {
+		cfg.PublicKeys, err = loadPublicKeysFromFile(cfg.PublicKeyPath)
+	} else {
+		cfg.PublicKeys, err = FetchPublicKeys()
+	}
+	return err
+}
+
+func (cfg *Config) GetPublicKey(keyID string) (interface{}, error) {
+	key, ok := cfg.PublicKeys[keyID]
+	// Refresh public keys on lookup failure. For details, see
+	// https://github.com/imkira/gcp-iap-auth/issues/10 and
+	// https://stackoverflow.com/questions/44828856/google-iap-public-keys-expiry.
+	if !ok {
+		if err := cfg.RefreshPublicKeys(); err != nil {
+			return nil, err
+		}
+		key, ok = cfg.PublicKeys[keyID]
+		if !ok {
+			return nil, fmt.Errorf("No public key for %q", keyID)
+		}
+	}
+	parsedKey, err := jwt.ParseECPublicKeyFromPEM(key)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to parse key: %v", err)
+	}
+	return parsedKey, nil
+}
+
 // Validate validates the Configuration.
 func (cfg *Config) Validate() error {
 	if cfg.MatchAudiences == nil {
@@ -31,3 +67,12 @@ func (cfg *Config) matchesAudience(aud *Audience) bool {
 func (cfg *Config) matchesDomain(hd string) bool {
 	return len(cfg.MatchDomains) == 0 || cfg.MatchDomains[hd]
 }
+
+func loadPublicKeysFromFile(filePath string) (map[string]PublicKey, error) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return DecodePublicKeys(f)
+}

jwt/token.go

@@ -19,15 +19,8 @@ func tokenKey(token *jwt.Token) (interface{}, error) {
 		return nil, fmt.Errorf("Invalid algorithm: %v", token.Header[algorithmClaim])
 	}
 	keyID, _ := token.Header[keyIDClaim].(string)
-	key := token.Claims.(*Claims).cfg.PublicKeys[keyID]
-	if len(key) == 0 {
-		return nil, fmt.Errorf("No public key for %q", keyID)
-	}
-	parsedKey, err := jwt.ParseECPublicKeyFromPEM(key)
-	if err != nil {
-		return nil, fmt.Errorf("Failed to parse key: %v", err)
-	}
-	return parsedKey, nil
+	cfg := token.Claims.(*Claims).cfg
+	return cfg.GetPublicKey(keyID)
 }
 
 func tokenMethod(token *jwt.Token) (jwt.SigningMethod, bool) {