scitokens / scitokens-cpp

A C++ implementation of the SciTokens library with a C library interface
Apache License 2.0

Don't attempt to read public keys more than once every 5 minutes #80

Open DrDaveD opened 2 years ago

DrDaveD commented 2 years ago

I haven't tested it, but according to the code it appears that if reading of the public keys fails, this library will re-try reading those keys with every validation attempt. Instead, there should be a "negative cache" recorded so the keys are only attempted to be read every 5 minutes. Otherwise it could end up with a much higher load on the server when it is already having problems, plus it could cause unnecessary delays on validation.

(As a side note, reading public keys every 10 minutes after a success seems excessive. 30 minutes sounds more reasonable to me. I would still leave re-tries every 5 minutes though. These numbers are based on my experience with cvmfs and frontier caching. The scitokens python library sets it to 60 minutes, which is also reasonable.)

jbasney commented 2 years ago

Agreed. CILogon will block or rate limit excessive requests to our endpoints, including our public key endpoint.

https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#token-lifetime-guidance sets a minimum lifetime of 1 hour for the public key cache. I think that's why the python library sets it to 60 minutes.
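
A sketch of the negative cache proposed in this issue, added here as an example and not taken from scitokens-cpp. `KeyCache`, `Fetcher` and the injected clock are hypothetical names, and the intervals are parameters so the 5-minute retry and 60-minute lifetime discussed in the thread can be passed in.

```cpp
#include <chrono>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Added example; KeyCache and Fetcher are hypothetical, not scitokens-cpp API.
using Clock = std::chrono::steady_clock;
// Fetcher returns true and fills `jwks` on success, false on any failure.
using Fetcher = std::function<bool(const std::string &issuer, std::string &jwks)>;

class KeyCache {
  public:
    KeyCache(Fetcher fetch, std::chrono::seconds ok_ttl, std::chrono::seconds fail_ttl)
        : m_fetch(std::move(fetch)), m_ok_ttl(ok_ttl), m_fail_ttl(fail_ttl) {}

    // `now` is a parameter so expiry can be exercised without sleeping.
    bool get(const std::string &issuer, Clock::time_point now, std::string &jwks) {
        Entry &e = m_entries[issuer];
        if (!e.tried || now >= e.next_attempt) {
            e.tried = true;
            e.ok = m_fetch(issuer, e.jwks);
            if (!e.ok) e.jwks.clear(); // fail closed: never serve stale keys
            // A failure is cached too, but with the shorter retry interval.
            e.next_attempt = now + (e.ok ? m_ok_ttl : m_fail_ttl);
        }
        jwks = e.jwks;
        return e.ok; // inside the window this answers without touching the network
    }

  private:
    struct Entry { bool tried = false; bool ok = false; std::string jwks; Clock::time_point next_attempt; };
    Fetcher m_fetch;
    std::chrono::seconds m_ok_ttl, m_fail_ttl;
    std::map<std::string, Entry> m_entries;
};

int main() {
    int fetches = 0; // constructed fetcher that always fails, as if the issuer were down
    KeyCache cache([&](const std::string &, std::string &) { ++fetches; return false; },
                   std::chrono::minutes(60), std::chrono::minutes(5));
    std::string jwks;
    Clock::time_point t0 = Clock::now();
    for (int i = 0; i < 100; ++i) cache.get("https://issuer.example", t0, jwks);
    std::cout << "100 validations, " << fetches << " fetch attempt(s)\n";
    return 0;
}
```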