Comments (10)
@navinpai Yup, that is the issue, reuse that instance to reuse the same cache!
from okta-jwt-verifier-java.
Hi @navinpai !
Thanks for checkout out this project.
The keys are cached so the only time a remote request is made is if the key is not cached yet. Depending on key rotation this might only be a couple times per year.
Is there a specific condition you are testing?
from okta-jwt-verifier-java.
I'm unsure if that is the case, since it looks like for every token decode we are doing, the external URL (/default/v1/keys
) is hit. It's a fairly simply REST API for token validation, and is similar to the code below:
public String verifyToken(String accessToken) {
AccessTokenVerifier jwtVerifier = JwtVerifiers.accessTokenVerifierBuilder()
.setIssuer(ISSUER_URL)
.setAudience(AUDIENCE)
.setConnectionTimeout(Duration.ofSeconds(1))
.setReadTimeout(Duration.ofSeconds(1))
.build();
try {
// This takes 1.5 seconds or more since it makes a call to Okta everytime
Jwt jwt = jwtVerifier.decode(accessToken);
return (String) jwt.getClaims().get("uid");
} catch (JwtVerificationException e) {
logger.error("local introspect error", e);
return ERROR;
}
}
I'm unsure why the caching isn't working but every call to the API ends up taking a second or 2 since it makes an external URL call.
Any help with this would be appreciated.
Edit: Also, if it matters, we're running Java 1.8
with v0.4.0
of okta-jwt-verifier-impl
and okta-jwt-verifier
from okta-jwt-verifier-java.
I’ll take a look!
from okta-jwt-verifier-java.
I’ll take a look!
@bdemers Could you also take a look if this keyMap
caching works for multiple threads? Thanks.
from okta-jwt-verifier-java.
reading from multiple threads shouldn't be an issue, but the rare updates may cause additional requests (the current cache mechanism is a bit naive). Key rotation happens ~4 times a year.
That said the plan is to grab the caching logic from our SDK (and then you could drop in any type of cache you wanted to)
from okta-jwt-verifier-java.
reading from multiple threads shouldn't be an issue, but the rare updates may cause additional requests (the current cache mechanism is a bit naive). Key rotation happens ~4 times a year.
That said the plan is to grab the caching logic from our SDK (and then you could drop in any type of cache you wanted to)
okay, so back to the original question that @navinpai posted, did you find out what causes the rare updates and the solution(manually doing the key rotation own self may not be a good choice if you already had a better solution)?
from okta-jwt-verifier-java.
@bdemers is this issue still being looked at? We have started running into rate limit warnings and violations from Okta for the /keys endpoint because the keys are not caching and requests are being made for every token validation.
from okta-jwt-verifier-java.
@asherzog and @navinpai can you confirm you are using the same instance of AccessTokenVerifier
/IdTokenVerifier
each time you are validating a token?
from okta-jwt-verifier-java.
Is that the issue? I've posted the code I'm testing with above: #49 (comment)
I create a new AccessTokenVerifier
for every call to the verifyToken
method. Should I unstead just use AccessTokenVerifier
as a class level instance?
from okta-jwt-verifier-java.
Related Issues (20)
- Feature Request : Method for introspect token. HOT 2
- Allow specifying a java.time.Clock to better write unit tests. HOT 3
- Publish new library version HOT 2
- NoClassDefFoundError after upgrade HOT 5
- com.okta.jwt.JwtVerificationException: Failed to parse token HOT 14
- Issuer verification failed (Okta + Ktor + SwaggerUI) HOT 1
- Access Token Verifier Builder fails to initialize HOT 7
- Failed to parse token HOT 3
- HTTP request to issuer URL exposes system information
- Provide a function in AccessTokenVerifier that loads JWKS signing keys HOT 2
- java.lang.IllegalArgumentException: A signing key must be specified if the specified JWT is digitally signed. HOT 3
- NoClassDefFoundError after upgrade HOT 5
- Please consider publishing the com.okta.jwt.it testing classes with the okta-jwt-verifier-integration-tests jar.
- Expose SSLFactory and TrustStore as configuration parameters for the HTTP client
- Support for org authorization servers HOT 4
- this is not working with reactive webflux restapi HOT 6
- java.lang.NoSuchMethodError: 'io.jsonwebtoken.JwtParserBuilder io.jsonwebtoken.Jwts.parserBuilder()' HOT 6
- Convert integration tests to java HOT 3
- Feature Request: Stronger typing in Jwt Claims HOT 5
- Async API HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from okta-jwt-verifier-java.