Add cache_ttl param to AsymmetricSignatureVerifier (#490)

auth0 · May 2, 2023 · c0f6fd4 · c0f6fd4
2 parents 43bc31f + 3afc472
commit c0f6fd4
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 16 deletions.
diff --git a/auth0/authentication/token_verifier.py b/auth0/authentication/token_verifier.py
@@ -126,22 +126,6 @@ def _fetch_key(self, key_id=None):
         return self._shared_secret
 
 
-class AsymmetricSignatureVerifier(SignatureVerifier):
-    """Verifier for RSA signatures, which rely on public key certificates.
-
-    Args:
-        jwks_url (str): The url where the JWK set is located.
-        algorithm (str, optional): The expected signing algorithm. Defaults to "RS256".
-    """
-
-    def __init__(self, jwks_url, algorithm="RS256"):
-        super().__init__(algorithm)
-        self._fetcher = JwksFetcher(jwks_url)
-
-    def _fetch_key(self, key_id=None):
-        return self._fetcher.get_key(key_id)
-
-
 class JwksFetcher:
     """Class that fetches and holds a JSON web key set.
     This class makes use of an in-memory cache. For it to work properly, define this instance once and re-use it.
@@ -239,6 +223,23 @@ def get_key(self, key_id):
         raise TokenValidationError(f'RSA Public Key with ID "{key_id}" was not found.')
 
 
+class AsymmetricSignatureVerifier(SignatureVerifier):
+    """Verifier for RSA signatures, which rely on public key certificates.
+
+    Args:
+        jwks_url (str): The url where the JWK set is located.
+        algorithm (str, optional): The expected signing algorithm. Defaults to "RS256".
+        cache_ttl (int, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.
+    """
+
+    def __init__(self, jwks_url, algorithm="RS256", cache_ttl=JwksFetcher.CACHE_TTL):
+        super().__init__(algorithm)
+        self._fetcher = JwksFetcher(jwks_url, cache_ttl)
+
+    def _fetch_key(self, key_id=None):
+        return self._fetcher.get_key(key_id)
+
+
 class TokenVerifier:
     """Class that verifies ID tokens following the steps defined in the OpenID Connect spec.
     An OpenID Connect ID token is not meant to be consumed until it's verified.

diff --git a/auth0/test/authentication/test_token_verifier.py b/auth0/test/authentication/test_token_verifier.py
@@ -69,6 +69,14 @@ def test_asymmetric_verifier_uses_rs256_alg(self):
         verifier = AsymmetricSignatureVerifier("some URL")
         self.assertEqual(verifier._algorithm, "RS256")
 
+    def test_asymmetric_verifier_uses_default_jwks_cache_ttl(self):
+        verifier = AsymmetricSignatureVerifier("some URL")
+        self.assertEqual(verifier._fetcher._cache_ttl, JwksFetcher.CACHE_TTL)
+
+    def test_asymmetric_verifier_uses_provided_jwks_cache_ttl(self):
+        verifier = AsymmetricSignatureVerifier("some URL", cache_ttl=3600)
+        self.assertEqual(verifier._fetcher._cache_ttl, 3600)
+
     def test_symmetric_verifier_fetches_key(self):
         verifier = SymmetricSignatureVerifier("some secret")
         key = verifier._fetch_key()