Description
Summary
There is a bug in `JwtIssuerValidator` because it uses `URL.equals`, which is bad for two reasons:
- `URL.equals` is slow because it resolves the hostname. From the Javadoc:

  > Compares this URL for equality with another object.
  > If the given object is not a URL then this method immediately returns false. Two URL objects are equal if they have the same protocol, reference equivalent hosts, have the same port number on the host, and the same file and fragment of the file.
  > Two hosts are considered equivalent if both host names can be resolved into the same IP addresses; else if either host name can't be resolved, the host names must be equal without regard to case; or both host names equal to null.
  > Since hosts comparison requires name resolution, this operation is a blocking operation.
  > Note: The defined behavior for equals is known to be inconsistent with virtual hosting in HTTP.
- `URL.equals` is inconsistent because a host that resolves to multiple IP addresses may resolve differently from one lookup to the next, so two identical URLs can compare unequal. For example, the following test will fail:

```java
import static org.assertj.core.api.Assertions.assertThat;
import java.net.URL;
import java.util.concurrent.TimeUnit;
import org.junit.Test;

public class UrlEqualsTests {
    @Test
    public void urls() throws Exception {
        URL issuer = new URL("https://dev-816256.oktapreview.com/oauth2/default");
        while (true) {
            // URL.equals resolves both host names on every iteration; when the
            // host resolves to several addresses the comparison eventually fails
            assertThat(issuer).isEqualTo(new URL("https://dev-816256.oktapreview.com/oauth2/default"));
            Thread.sleep(TimeUnit.SECONDS.toMillis(1));
        }
    }
}
```
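As an added illustration (not Spring Security's code), the following issuer check compares the configured issuer with the token's `iss` claim as strings, so the comparison never touches DNS and gives the same answer on every call; its `main` contrasts that with `URL.equals` on the same issuer. The class name `IssuerCheck` and the `matches` method are assumptions made for this example.

```java
import java.net.URI;
import java.net.URL;
import java.util.Objects;

// Added example (not Spring Security's code): an issuer check that compares
// the configured issuer with the token's "iss" claim lexically. No DNS
// lookup happens, so the result is fast and identical on every call.
public final class IssuerCheck {

    private final String expectedIssuer;

    public IssuerCheck(String expectedIssuer) {
        // URI.create validates the syntax once, without network access;
        // toString() returns the original string unchanged
        this.expectedIssuer = URI.create(Objects.requireNonNull(expectedIssuer)).toString();
    }

    /** Exact, case-sensitive string comparison of the claim value. */
    public boolean matches(String issClaim) {
        return issClaim != null && this.expectedIssuer.equals(issClaim);
    }

    public static void main(String[] args) throws Exception {
        String issuer = "https://dev-816256.oktapreview.com/oauth2/default";
        IssuerCheck check = new IssuerCheck(issuer);

        // Lexical comparison: no network access at all
        long start = System.nanoTime();
        boolean same = check.matches(issuer);
        boolean otherPath = check.matches("https://dev-816256.oktapreview.com/oauth2/other");
        long lexicalMicros = (System.nanoTime() - start) / 1_000;
        System.out.println("lexical: same=" + same + " otherPath=" + otherPath
                + " in " + lexicalMicros + " us");

        // URL.equals: resolves both host names on every call and blocks on DNS
        URL a = new URL(issuer);
        URL b = new URL(issuer);
        start = System.nanoTime();
        boolean urlEquals = a.equals(b);
        long urlMicros = (System.nanoTime() - start) / 1_000;
        System.out.println("URL.equals: " + urlEquals + " in " + urlMicros + " us");
    }
}
```

The second timing depends on the resolver and network, which is the point: a validator on the request path should not depend on either.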