Optimize JWK fetching using the KeyId.

wparad · wparad · commit 714285acefb3 · 2024-09-27T09:58:16.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@ This is the changelog for [Authress SDK](readme.md).
 
 ## 3.1 ##
 * [Breaking] Throw validation error on setting a property that doesn't exist in any of the Authress DTO Models.
+* Optimize JWKs fetching using the keyId
 
 ## 3.0 ##
 * [Breaking] Added type checking everywhere - This means most models have breaking changes.
diff --git a/authress/__init__.py b/authress/__init__.py
@@ -9,6 +9,7 @@
 from authress.authress_client import AuthressClient
 from authress.http_client import HttpClient
 from authress.rest import ApiException
+from authress.utils.service_client_token_provider import ServiceClientTokenProvider
  
 # import apis into sdk package
 from authress.api.access_records_api import AccessRecordsApi
diff --git a/authress/api/token_verifier.py b/authress/api/token_verifier.py
@@ -81,7 +81,7 @@ def get_key_uncached(self, jwkKeyListUrl, kid):
     headers = {
       'User-Agent': f'Authress SDK; Python; {version};'
     }
-    result = self.http_client.get_request_with_retries(jwkKeyListUrl, headers=headers)
+    result = self.http_client.request_with_retries('GET', jwkKeyListUrl, headers=headers)
 
     for index, key in enumerate(json.loads(result.data)['keys']):
       if key['kid'] == kid:
diff --git a/authress/authress_client.py b/authress/authress_client.py
@@ -28,7 +28,7 @@ def __init__(self, authress_api_url=None, service_client_access_key=None, user_a
         self._host = re.sub(r'/+$', '', self._host)
         
         self._http_client = HttpClient(host=self._host, access_key=service_client_access_key, user_agent=user_agent)
-        self._token_verifier = token_verifier.TokenVerifier(http_client=_http_client)
+        self._token_verifier = token_verifier.TokenVerifier(http_client=self._http_client)
 
     def set_token(self, token: str):
         self._http_client.set_token(token)
diff --git a/test/test_service_client_token_provider.py b/test/test_service_client_token_provider.py
@@ -6,7 +6,6 @@
 from authress.models import *
 from authress.utils import ServiceClientTokenProvider, JwtManager
 from authress import AuthressClient
-from authress.http_client import HttpClient
 
 import unittest
 from unittest.mock import patch
@@ -27,10 +26,10 @@ def test_get_token(self):
 
     access_key = 'eyJrZXlJZCI6ImNjYjFjZGJmLTM0NzYtNGNiNy05Njc1LTVlMzNmYjI5NTNjMyIsInByaXZhdGVLZXkiOiItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRFFidWFBd0V6VkJHZnZcbjBEL2JKSjRHa2JoV2oyRy9lYTF3UUZNeWxiK0ZzTDM1dGJvVHNIUGdvbUtGMDNNQkphWmRBVHhwcnhYa2xvYWNcblFhYkE4eXcyQ2lFbitHNjlMcUFnUVlLSmZzL1psWEo4MVJ0TkR0TkZRUTdPS0xpSGJrU1I1cFU3R0lKNENQZTZcbkxHM3UzUkVUbFFndmlhV2M2bzVOUkRMWTBIbzhya2w0Yk8rZjMycXg2SGV6dzBsUnZOK1I4L24vZUxLbCtGVlpcbk1yYzFkcmh5NDdtVU80ZnJKWW1LSzg2ZGZacVk4RVh2aGpjaFZzdHhSTXdtMlRDbUtWT2xsQWUrandmNTR5Q2NcbnUzcTNsRUxzcnhXTlRsVC9mRHBQQSt6MDh2MFdDa2ozdWo5SEh3REE1VjhZaUtJOEFheWRLSG9nYnA5eHp1amdcbnZwQmVacnRuQWdNQkFBRUNnZ0VBZnRpL0Z1UHcza0tNTG5vQ0lvK3FURDBxZmlOTVRZYnpjamp6YVBtUlVQODZcbjNsa21JUTFsdC9PYkdlNlJNc1dDOVY3bk1Ub0lqTkMrb3lHaEpoUFhlQnU2Q2VVN0g0N2NqRVRSK0hOZ2N2NXNcbmFtUVc5VkpzYU4wcThYUCt1UXoyVmdTS0ZTalpYY3UzVjJucWpVK2tNTktsNUtoVVRhYkJhMnh4dFZsS3l0bjlcbld6QnIzZExLVXBwYzdoZXFaa2diSHE2amZXd3h2Vk56cmhkNUZ1Tm5EeWI2R3QrUXhzYi83dmdhdnRsNmtXM0hcbnU5ZUtGcjJhdER4VHhaTDArRVIxWjVyV21MNzdUK3owQitYVkZJZ05ia2FlSURBZjEzRjBPSzE3YjJ4NmlSSjVcbnJCRTdCc0ZhMGVuOXBjSWN2UUxhbGFMREVOL1d2YWd4dnowSWZ4M1R3UUtCZ1FEbjVMSGhFczBzeWxYVUdrVlFcbmhFU1ZacGh5QzdFRHBZYm44UW5DNkI3ZDFtWkR1d1JuSkMyZXVxT1lNMFlVcWlGT3Q5RW9UMllNQy9jT2pUVTFcbndnMm9GQ0hqWUI4cGptNHVkb3B3MHRHcGRyb1piQVNkOHkzR1RuNitMK25tVGVzNjYxTGN6ekhSekhrTnh5OUJcbkNVNTRzWXhnK1M5bnhSTjdEVERxeTE2M1dRS0JnUURtR2Q1Snl4VnNyS3ZVSmFVbDM5ekZRcTh3cnpTZ0xZVVBcbjF0a1dHYWhIanFvRjYvSnM2YUZnZlYraXl5THk1dm03WEN0dUw2RGtEQW93NnVpS1NiRlhicnVCYW5GSDBnWktcbkRaVmVQcU9mbTVIYWJWalB1VmdPdW5HWHBOMnZ4QTdwNkg0SkMxOVkvUkg0MkY5bHE4aUtkejZXWHJYMjNPRHFcbjQrcHZtdzF3dndLQmdRQ0YyajlHNExobjR6OFptRFJzWG56TUZCVm90eER0UHUyWkVrd0ZJa0UyNFp2VCtxNTJcbjdxNGFramIrRXBLZ09QZlMzVTJ3eSt2bWhqMk1PN3Y4Rk5BWE5jKzkxRzBJYXJ0MHZGMzY4K1dyd09sNDVSM2hcbklrNUl5bVJrV1huVXd5TkZ0akgxWE8rdjN5djg1UDJFdDkrQTBWTnJZa3FYeG0wUk9UTUVSSEdldVFLQmdEZmdcbnNrMkRSc21rU1BuMHhsMGpOdTZrV2Z6ZG4wOENudHlRMVJqNzFCVEVmVitBdzlkVkNQNXdrOGZwd3F2d0VWZEJcbmM3NkhURy8weUlqR2t2LzZFMW5qSngrdlpLRUhUTVd3OU1QMVBERG5TNDBhbnNXYkFkcFp4bm9IN0ZuaHA2bC9cbjd4TnRNcE5lcVgyZnRkTHYyM3hjcHROSFhyTDdRcGRvRDZkWXBQUHJBb0dCQU5CN2QyME5kY1EzaTBmWGJ6dGhcbk1RUFIwK3NEVkViMUZjSUdXbDdPeXNvYy9UZ2prT3NhVDRTL2hXODg1RGR5ZnZHbjdpRmpyMDBPQVVyVjE5NlRcbmFwdDJNS0EvWVdWeG9Ud2kwZCs0UHZ5Mnk3SXBnMk9tcEE0bVliYnBXQ0NPS3dtczlEQ0E4MVVGeEJiMHdUbTdcbjlXVStVbGZMWDAvcGNkSFNEZkExbXVjZVxuLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLVxuIiwiYXVkaWVuY2UiOiIyMmJiYzUwMi0zYjdhLTRjNTQtOGE2ZS1jMDRhM2NhNGRmNWYuYWNjb3VudHMuYXV0aHJlc3MuaW8iLCJjbGllbnRJZCI6IjIzYjRiY2Q1LWMwYzEtNDYwMi05NGU1LThkYTgyNzNkMGRiMCJ9'
 
-    http_client = HttpClient("", access_key)
-    token1 = http_client._get_client_token()
+    service_client_token_provider = ServiceClientTokenProvider(access_key, "")
+    token1 = service_client_token_provider.get_client_token()
     time.sleep(2)
-    token2 = http_client._get_client_token()
+    token2 = service_client_token_provider.get_client_token()
     assert token1 == token2
     pass
 
@@ -42,10 +41,10 @@ def test_get_token_for_eddsa(self):
 
     access_key = 'CLIENT.KEY.ACCOUNT.MC4CAQAwBQYDK2VwBCIEIIM7npIckfT431rYzEeF+hCqvHogpOllmVSgINwqQv+g'
 
-    http_client = HttpClient("", access_key)
-    token1 = http_client._get_client_token()
+    service_client_token_provider = ServiceClientTokenProvider(access_key, "")
+    token1 = service_client_token_provider.get_client_token()
     time.sleep(2)
-    token2 = http_client._get_client_token()
+    token2 = service_client_token_provider.get_client_token()
     assert token1 == token2
     pass
 
@@ -55,8 +54,8 @@ def test_get_token_without_access_key(self):
     Ignores access keys that are None
     """
 
-    http_client = HttpClient("")
-    token1 = http_client._get_client_token()
+    service_client_token_provider = ServiceClientTokenProvider("")
+    token1 = service_client_token_provider.get_client_token()
     assert token1 == None
     pass
 
diff --git a/test/test_token_verifier.py b/test/test_token_verifier.py
@@ -29,7 +29,7 @@ def test_get_token_for_eddsa(self):
     token_verifier_instance.get_key_uncached = mock_get_key_uncached
     identity = token_verifier_instance.verify_token(authressCustomDomain=f"https://{customDomain}", token=access_key)
 
-    mock_get_key_uncached.assert_called_once_with(f"https://{customDomain}/v1/clients/CLIENT/.well-known/openid-configuration/jwks", "KEY")
+    mock_get_key_uncached.assert_called_once_with(f"https://{customDomain}/v1/clients/CLIENT/.well-known/openid-configuration/jwks?kid=KEY", "KEY")
     assert identity['iss'] == f'https://{customDomain}/v1/clients/CLIENT'
     assert identity['sub'] == "CLIENT"
 

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ def get_key_uncached(self, jwkKeyListUrl, kid):`
`81`	`81`	`headers = {`
`82`	`82`	`'User-Agent': f'Authress SDK; Python; {version};'`
`83`	`83`	`}`
`84`		`- result = self.http_client.get_request_with_retries(jwkKeyListUrl, headers=headers)`
	`84`	`+ result = self.http_client.request_with_retries('GET', jwkKeyListUrl, headers=headers)`
`85`	`85`
`86`	`86`	`for index, key in enumerate(json.loads(result.data)['keys']):`
`87`	`87`	`if key['kid'] == kid:`