Insecure service configuration In dev.dsf:dsf-bpe-process-api-v2
Description
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache
Affected Components
DSF FHIR Server with enabled bearer-token authentication or back-channel logout.
DSF BPE Server with enabled bearer-token authentication or back-channel logout.
DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication.
Summary
The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.
The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired.
Impact
Performance: Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency
Reliability: Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys
Load: Unnecessary load on the OIDC provider, potentially causing rate limiting
Fix (commits 31c2e974d, d3ca59b4d)
Fixed cache timeout comparison from isBefore to isAfter in BaseOidcClientWithCache (configuration and JWKS caches) and OidcClientWithCache (configuration, JWKS, and access token caches)
Added configurable cache timeouts via dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource and dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource (default: PT1H)
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 maven | 2.1.0 | ||
maven | - |
Aliases
References