Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't attempt to read public keys more than once every 5 minutes #80

Open
DrDaveD opened this issue Feb 21, 2022 · 1 comment
Open

Don't attempt to read public keys more than once every 5 minutes #80

DrDaveD opened this issue Feb 21, 2022 · 1 comment

Comments

@DrDaveD
Copy link
Contributor

DrDaveD commented Feb 21, 2022

I haven't tested it, but according to the code it appears that if reading of the public keys fail, this library will re-try reading those keys with every validation attempt. Instead, there should be a "negative cache" recorded so the keys are only attempted to be read every 5 minutes. Otherwise it could end up with a much higher load on the server when it is already having problems, plus it could cause unnecessary delays on validation.

(As a side note, reading public keys every 10 minutes after a success seems excessive. 30 minutes sounds more reasonable to me. I would still leave re-tries every 5 minutes though. These numbers are based on my experience with cvmfs and frontier caching. The scitokens python library sets it to 60 minutes, which is also reasonable.)

@jbasney
Copy link
Member

jbasney commented Feb 21, 2022

Agreed. CILogon will block or rate limit excessive requests to our endpoints, including our public key endpoint.

https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#token-lifetime-guidance sets a minimum lifetime of 1 hour for the public key cache. I think that's why the python library sets it to 60 minutes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants