- 
                Notifications
    You must be signed in to change notification settings 
- Fork 816
Cache loading of JWK object from OIDC private key #1273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache loading of JWK object from OIDC private key #1273
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cakemanny thanks for contributing this PR. This is a valuable performance feature. Please add a test that confirms that jwk_from_pem is caching. It'll save us from a mistake where someone accidentally removes the @functools.lru_cache() decorator.
| Codecov Report
 @@           Coverage Diff           @@
##           master    #1273   +/-   ##
=======================================
  Coverage   97.29%   97.30%           
=======================================
  Files          31       32    +1     
  Lines        1996     2003    +7     
=======================================
+ Hits         1942     1949    +7     
  Misses         54       54           
 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more | 
8be7daf    to
    5dc58b5      
    Compare
  
    | Good suggestion. Added in 5dc58b5 @pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RW)
def test_jwk_from_pem_caches_jwk(oauth2_settings):
    # For the same private key we expect the same object to be returned
    jwk1 = utils.jwk_from_pem(oauth2_settings.OIDC_RSA_PRIVATE_KEY)
    jwk2 = utils.jwk_from_pem(oauth2_settings.OIDC_RSA_PRIVATE_KEY)
    assert jwk1 is jwk2
    # But for a different key, a different object
    jwk3 = utils.jwk_from_pem(oauth2_settings.OIDC_RSA_PRIVATE_KEYS_INACTIVE[0])
    assert jwk3 is not jwk1So I decided to change it to use its own little keys | 
5dc58b5    to
    c31bd1e      
    Compare
  
    | Hi @dopry, did you have any further feedback following the adding of the tests? | 
| Hi @cakemanny . | 
| 
 @tonial It would be great to have you join! | 
| @cakemanny Did you add this test? It's still listed as an open review item. It looks like you did. I'll work on approving this: 
 | 
Fixes #1263
Description of the Change
This adds caching so that the OIDC private key is only loaded once.
Testing via the repro instructions in the referenced issue, on my machine the request time for the code-for-token exchange reduces from 1.5s to 150ms from the second request onwards (the first request take 820ms due to needing to load from the PEM the first time).
I'm not super happy with adding a
utilsmodule but I was unable to determine a good place to put the cached function.The implementation uses
functools.lru_cache- which seems like a good option with the limitation of being restricted to what is available in python 3.7.Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORSSince there is no functional change, I feel the existing unit tests already cover the changes sufficiently but I'm happy to hear suggestions.now tested