James E. Blair ec6798678c Cache JWT client in zuul-web
The OIDC authenticator typically makes two outgoing web requests
in order to fetch keys.  The first is if the Zuul admin has not configured
a keys_url setting (which is the typical case); Zuul will fetch the
well-known configuration for the provider and get the keys_url from that
in order to configure the client.  Then the client will fetch the actual
keys on request.

To avoid performing these requests on every web request we receive with
a token, we will store the JWT client on the Authenticator instance.  The
JWT client has an internal cache for the key set, so in the typical case,
only the first authenticated request will trigger these requests.

The JWT cache manages its own expiration time, so it will update as
necessary.  The keys_url is not typically expected to change, so once we
initialize the client with it, we won't update it again.

Change-Id: Ibbce7c8c90f9ccbfdcf41d6635162681a8fe3319
2023-03-05 07:42:17 -08:00
__init__.py web: add tenant and project scoped, JWT-protected actions 2019-07-10 12:11:14 +02:00
jwt.py Cache JWT client in zuul-web 2023-03-05 07:42:17 -08:00