Closed w-mj closed 2 months ago
When generating an ID token, jwt.encode() calls jws.serialize_compact() to serialize the ID token. Then jws.serialize_compact() calls _prepare_algorithm_key to get the key.
https://github.com/lepture/authlib/blob/610622e54b6cbc810ad9fda97569f13401614348/authlib/jose/rfc7515/jws.py#L62
But _prepare_algorithm_key() always constructs a new key object. If the key type is RSA, then when signing the ID token, get_private_key() will be called, and RSA_check_key() will also be called. https://github.com/lepture/authlib/blob/610622e54b6cbc810ad9fda97569f13401614348/authlib/jose/rfc7515/jws.py#L257
Unfortunately, in OpenSSL 3.0.0, RSA_check_key() became too slow. On my system, this procedure may consume 300ms in every request, which is unacceptable.
I wonder if the key should be cached in the jwt object instead of building and checking the RSA key in every request, or is there any method to turn off RSA key checking?
Making OpenIDConnect.get_jwt_config() return a Key object instead of a KeySet can solve the problem.
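The caching idea raised in this issue, as an added sketch that is not Authlib's code or the reporter's: parse the PEM once and hand the same Key object to every jwt.encode() call. SigningKeyCache, load_authlib_key and sign_id_token are hypothetical names; JsonWebKey.import_key and jwt.encode are Authlib calls, and whether a reused Key object skips the per-request check depends on the Authlib version in use.

```python
import hashlib
import threading


def load_authlib_key(pem: bytes):
    """Parse a PEM RSA private key into an Authlib Key object (the costly step)."""
    from authlib.jose import JsonWebKey  # lazy import; requires Authlib installed
    return JsonWebKey.import_key(pem, {"kty": "RSA"})


class SigningKeyCache:
    """Parse each signing key once and return the same object afterwards."""

    def __init__(self, loader=load_authlib_key):
        self._loader = loader          # hypothetical hook: any callable pem -> key
        self._keys = {}
        self._lock = threading.Lock()  # request handlers may run on many threads

    @staticmethod
    def _fingerprint(pem: bytes) -> str:
        # Index by digest so raw private-key bytes are not kept as dict keys.
        return hashlib.sha256(pem).hexdigest()

    def get(self, pem: bytes):
        fp = self._fingerprint(pem)
        with self._lock:
            key = self._keys.get(fp)
            if key is None:
                key = self._keys[fp] = self._loader(pem)
            return key

    def forget(self, pem: bytes) -> bool:
        """Drop a key on rotation so a retired key can no longer be handed out."""
        with self._lock:
            return self._keys.pop(self._fingerprint(pem), None) is not None


def sign_id_token(cache: SigningKeyCache, pem: bytes, claims: dict, alg="RS256"):
    """Sign claims with the cached Key object instead of the raw PEM."""
    from authlib.jose import jwt
    return jwt.encode({"alg": alg}, claims, cache.get(pem))
```

Create one cache at process start and call forget() as part of key rotation, otherwise the old private key stays loaded for the life of the process.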