bharos commented on code in PR #10723:
URL: https://github.com/apache/gravitino/pull/10723#discussion_r3066316199


##########
server-common/src/main/java/org/apache/gravitino/server/authentication/JwksTokenValidator.java:
##########
@@ -63,6 +63,7 @@ public class JwksTokenValidator implements 
OAuthTokenValidator {
   private long allowSkewSeconds;
   private PrincipalMapper principalMapper;
   private GroupMapper groupMapper;
+  private JWKSource<SecurityContext> jwkSource;
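
Review bot: the new `jwkSource` field on the last line of this hunk is declared non-final and without a comment, so the declaration does not show when it is assigned or that a single instance is meant to be reused across token validations. Consider a short Javadoc on the field stating that it is built once at initialization and shared. Make it `final` if it can be set in the constructor; otherwise make sure the assignment is safely published to the threads that read it.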

Review Comment:
   The Nimbus JWKSourceBuilder.create(url).build() enables caching with refresh-ahead by default:
   
   - Cache TTL: 5 minutes (DEFAULT_CACHE_TIME_TO_LIVE)
   - Refresh-ahead: 30 seconds before expiration, on a background thread
   - Rate limiting: min 30 seconds between URL fetches (safety net for key rotation / unknown key IDs)

   Under normal operation the JWKS URL is only hit once at startup; the background refresh keeps the cache warm. The rate limiter never blocks — it returns the last-known keys instead of re-fetching, so validateToken() always proceeds without waiting on I/O.
   
   Added a code comment documenting these defaults. 
   
   
https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/jwk/source/JWKSourceBuilder.html#DEFAULT_CACHE_TIME_TO_LIVE
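
The values cited in the comment above, spelled out on the builder rather than left implicit, as an added example that is not code from the PR or from Gravitino. The class name `CachedJwksVerifier`, the RS256 algorithm, the unscheduled refresh-ahead flag and the use of `DEFAULT_CACHE_REFRESH_TIMEOUT` are assumptions made for this sketch.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URI;
import java.util.concurrent.TimeUnit;

/** Hypothetical holder class (assumption), not Gravitino's JwksTokenValidator. */
public final class CachedJwksVerifier {
  private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

  /** @param jwksUrl JWKS endpoint of the identity provider (caller-supplied). */
  public CachedJwksVerifier(String jwksUrl) throws Exception {
    // Build the source exactly once: the cache and rate-limit state live in
    // this instance, so constructing a new one per request would discard them.
    JWKSource<SecurityContext> jwkSource =
        JWKSourceBuilder.create(URI.create(jwksUrl).toURL())
            // Cache TTL of 5 minutes, as cited in the comment; the second
            // argument is how long a lookup may wait on an in-flight refresh.
            .cache(TimeUnit.MINUTES.toMillis(5), JWKSourceBuilder.DEFAULT_CACHE_REFRESH_TIMEOUT)
            // Start refreshing 30 seconds before expiry. 'false' means the
            // refresh is triggered by a lookup inside that window instead of
            // by a scheduled task (a choice made for this example).
            .refreshAheadCache(TimeUnit.SECONDS.toMillis(30), false)
            // At least 30 seconds between fetches of the JWKS URL.
            .rateLimited(TimeUnit.SECONDS.toMillis(30))
            .build();

    // Pin the accepted signature algorithm instead of trusting the token header.
    processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwkSource));
  }

  /** Verifies the signature and the default time-based claims, then returns the claims. */
  public JWTClaimsSet verify(String bearerToken) throws Exception {
    return processor.process(bearerToken, null);
  }
}
```

Writing the intervals out makes them reviewable in one place and keeps behaviour stable if a library upgrade changes its defaults.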


