okta / okta-jwt-verifier-golang

okta-jwt-verifier-golang
https://github.com/okta/okta-jwt-verifier-golang
Apache License 2.0
98 stars 48 forks

jwt validation is very slow #104

Open roee-hersh opened 1 year ago

roee-hersh commented 1 year ago

Adding the following code:

    tv := map[string]string{}
    tv["aud"] = "api://default"
    tv["cid"] = utils.Config.OktaClientID

    jv := verifier.JwtVerifier{
        Issuer:           utils.Config.OktaIssuer,
        ClaimsToValidate: tv,
    }

    result, err := jv.New().VerifyAccessToken(t)

causes every request, which normally takes less than 100 ms, to take over 1-2 seconds. Is this normal? Is there a way to improve it?

Sovietaced commented 11 months ago

I've been seeing similar behavior where P50 for token validation is very low (sub ms) but the P99 for token validation is 5-10 seconds. I believe this has to do with the default behavior of the cache mechanism which blocks the verification inline while it retrieves the latest trusted signature keys (via HTTP request to Okta).

Sovietaced commented 3 months ago

I ended up writing my own Okta JWT verifier with support for fetching OIDC metadata and JWK sets asynchronously in the background so as not to block and slow down the verification calls: https://github.com/Sovietaced/okta-jwt-verifier
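The background-refresh pattern described in the comments above, as an added sketch that is not code from this thread, from okta-jwt-verifier-golang, or from the linked project. `KeySet`, `FetchFunc`, `BackgroundCache` and the constructed key values are hypothetical names and data; the fetch function stands in for the HTTP request to the issuer's JWKS endpoint.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// Hypothetical types: KeySet maps "kid" to key material, FetchFunc stands in for the JWKS HTTP call.
type KeySet map[string][]byte
type FetchFunc func(ctx context.Context) (KeySet, error)
type BackgroundCache struct{ keys atomic.Value } // holds the current KeySet

// NewBackgroundCache blocks once at startup, then refreshes every interval until ctx ends.
func NewBackgroundCache(ctx context.Context, fetch FetchFunc, interval time.Duration) (*BackgroundCache, error) {
	ks, err := fetch(ctx)
	if err != nil {
		return nil, fmt.Errorf("initial JWKS fetch: %w", err)
	}
	c := &BackgroundCache{}
	c.keys.Store(ks)
	go func() {
		for {
			select {
			case <-ctx.Done():
				return
			case <-time.After(interval):
				// On failure keep serving the previous set; alert if it stays stale.
				if fresh, err := fetch(ctx); err == nil {
					c.keys.Store(fresh)
				}
			}
		}
	}()
	return c, nil
}

// Key does no I/O; an unknown kid is rejected, never fetched inline.
func (c *BackgroundCache) Key(kid string) ([]byte, bool) {
	k, ok := c.keys.Load().(KeySet)[kid]
	return k, ok
}

func main() {
	fetch := func(context.Context) (KeySet, error) { return KeySet{"kid-1": []byte("constructed")}, nil }
	c, _ := NewBackgroundCache(context.Background(), fetch, time.Minute)
	fmt.Println(c.Key("kid-1"))
}
```

The trade-off is that a token signed with a newly rotated key is rejected until the next refresh completes, and a removed key stays trusted for up to one interval, so the interval bounds both windows.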