Support Cache Vary By JWT Claim Value #119
Description
Extend cache-control so that responses to requests carrying the header
authorization: Bearer <JWT>
can be cached and safely shared, both with later requests from the same user and with requests from other users, as governed by the response's own directives.
For example, a response including
status: 200
cache-control: private, protected=bearer+jwt, max-age=30
can safely be cached with semantics equivalent to private, max-age=30, but also made shareable to other requests presenting a JWT with matching kid (JOSE header), iss and aud (claims).
For example, a response including
status: 200
cache-control: private, protected=bearer+jwt, max-age=30
vary-jwt: sub
can safely be cached with semantics equivalent to private, max-age=30, but also made shareable to other requests presenting a JWT with matching kid, iss and aud, varying additionally by the value of sub. Since sub identifies the subject (the end user), this amounts to secure caching of personalized responses: two different tokens for the same subject share an entry, tokens for different subjects do not.
For example, a response including
status: 200
cache-control: private, protected=bearer+jwt, max-age=30
vary-jwt: scope=read:document
can safely be cached with semantics equivalent to private, max-age=30, but also made shareable to other requests presenting a JWT with matching kid, iss and aud whose scope includes read:document. This amounts to secure caching of responses for users in the same privilege group, independent of who the subject is.
It is recommended to always include private alongside protected=bearer+jwt, so that intermediaries which do not understand the protected cache-control extension ignore it and fall back to private, which prevents leaking cached responses to unauthorized requests.
Note: the http-cache nukleus can only verify the integrity of the JWT if the internal authorization is non-zero; the oauth nukleus populates it using the public key for the JWT's kid. Claims must never drive cache sharing before that verification has happened.
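The cache-key derivation the three examples above imply, written out as an added Python example (this is not the http-cache nukleus implementation or any Reaktivity code). It assumes the header names exactly as the issue proposes (protected=bearer+jwt inside cache-control, a vary-jwt response header) and that JWT signature verification has already been done upstream, so the sample tokens carry a placeholder signature and are constructed here purely to exercise the matching logic. The request target, claim values and issuer/audience strings are made up.

```python
import base64
import json
from typing import Optional

# Extension token from the issue text; only a cache that understands it may
# share an entry beyond the request that produced it.
PROTECTED_BEARER_JWT = "bearer+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def make_token(kid: str, claims: dict) -> str:
    """Constructed sample JWT with a placeholder signature (demonstration only).

    Integrity checking is assumed to have happened before the cache sees the
    token (the issue's note about the oauth nukleus and the kid's public key)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "signature-placeholder"])


def parse_jwt(token: str):
    header_b64, payload_b64, _signature = token.split(".")
    return _decode_segment(header_b64), _decode_segment(payload_b64)


def parse_cache_control(value: str) -> dict:
    """'private, protected=bearer+jwt, max-age=30' -> {'private': None, 'protected': 'bearer+jwt', ...}"""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, sep, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def parse_vary_jwt(value: Optional[str]):
    """'sub' -> [('sub', None)];  'scope=read:document' -> [('scope', 'read:document')]"""
    rules = []
    for part in (value or "").split(","):
        part = part.strip()
        if part:
            claim, sep, required = part.partition("=")
            rules.append((claim.strip(), required.strip() if sep else None))
    return rules


def shared_cache_key(request_target: str, response_headers: dict, token: str,
                     understands_protected: bool = True) -> Optional[tuple]:
    """Key under which a response may be stored and later matched across users.

    Computed once with the token that produced the response (store) and again
    with each later request's token (lookup); equal keys mean the entry may be
    served. None means the entry stays plain 'private': the cache does not
    understand the extension, the response lacks it, or the token fails vary-jwt."""
    cc = parse_cache_control(response_headers.get("cache-control", ""))
    if not understands_protected or cc.get("protected") != PROTECTED_BEARER_JWT:
        return None

    header, claims = parse_jwt(token)
    aud = claims.get("aud")
    if isinstance(aud, list):            # aud may be a JSON array (RFC 7519 section 4.1.3)
        aud = tuple(aud)
    key = [request_target, header.get("kid"), claims.get("iss"), aud]

    for claim, required in parse_vary_jwt(response_headers.get("vary-jwt")):
        actual = claims.get(claim)
        if required is None:
            key.append((claim, actual))  # vary by exact claim value, e.g. sub
        else:
            # vary by membership: scope is a space-delimited list (RFC 6749 section 3.3)
            values = actual.split() if isinstance(actual, str) else list(actual or [])
            if required not in values:
                return None              # token lacks the privilege: never matches this entry
            key.append((claim, required))
    return tuple(key)


def demo() -> dict:
    """Constructed tokens and responses covering the issue's three examples."""
    iss, aud = "https://issuer.example", "documents-api"
    alice1 = make_token("k1", {"iss": iss, "aud": aud, "sub": "alice", "jti": "1",
                               "scope": "read:document write:document"})
    alice2 = make_token("k1", {"iss": iss, "aud": aud, "sub": "alice", "jti": "2",
                               "scope": "read:document write:document"})
    bob = make_token("k1", {"iss": iss, "aud": aud, "sub": "bob", "scope": "read:document"})
    carol = make_token("k1", {"iss": iss, "aud": aud, "sub": "carol", "scope": "read:profile"})
    alice_k2 = make_token("k2", {"iss": iss, "aud": aud, "sub": "alice", "scope": "read:document"})

    base = {"cache-control": "private, protected=bearer+jwt, max-age=30"}
    by_sub = dict(base, **{"vary-jwt": "sub"})
    by_scope = dict(base, **{"vary-jwt": "scope=read:document"})

    def k(headers, token, **kw):
        return shared_cache_key("GET /documents/42", headers, token, **kw)

    return {
        "shared_across_users": k(base, alice1) is not None and k(base, alice1) == k(base, bob),
        "not_shared_across_kid": k(base, alice1) != k(base, alice_k2),
        "same_subject_shares": k(by_sub, alice1) is not None and k(by_sub, alice1) == k(by_sub, alice2),
        "other_subject_misses": k(by_sub, alice1) != k(by_sub, bob),
        "same_privilege_shares": k(by_scope, alice1) is not None and k(by_scope, alice1) == k(by_scope, bob),
        "missing_privilege_excluded": k(by_scope, carol) is None,
        "legacy_stays_private": k(base, alice1, understands_protected=False) is None,
    }
```

Two design points worth noting: the scope rule is a membership test, not an equality test, so alice (read:document write:document) and bob (read:document) land on the same entry while carol gets no shareable key at all; and the key always includes kid, iss and aud before any vary-jwt claim, which is what keeps entries from leaking across issuers, audiences or signing keys even when the varied claim values coincide.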