Sharang Parnerkar
f474699279
CI / Check (pull_request) Successful in 8m17s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
Without this, every Keycloak signing-key rotation produces a silent
401 storm against every request until the agent restarts — the cached
JWKS is held forever and never reconciled against KC.
Now: when `kid` isn't in the cached JWKS or the matching key fails
signature verification, we classify the failure as Stale, force a JWKS
refresh, and retry once. Anything else (expired, malformed, missing
tenant_id) is Permanent and short-circuits straight to 401.
* Splits the path into a pure `try_validate(token, header, kid, jwks)`
helper returning a `ValidationError { Stale | Permanent }` enum.
* `fetch_or_get_jwks(state, force)` takes a force flag and holds the
write lock across the network fetch so concurrent refreshers don't
all hammer Keycloak when keys rotate (the second writer reuses what
the first put in cache).
* Adds a unit test for the kid-not-found Stale classification.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>