Network Call on every request for public key jwt? #552

Open
MarvinHofmann opened this issue Apr 14, 2024 · 1 comment

Comments

@MarvinHofmann

Hello everyone,

When I use python-keycloak, I validate the token with the public-key. For this I load the public-key with the public_key() method. This performs a network request with every call. If this is unavoidable and you would rather only load it again if it could not be validated, otherwise you use the current public key for so long. Otherwise you can also use the token endpoint or not, this also leads to a call on every call we get?

@ryshoooo
Collaborator

Hi @MarvinHofmann

This is intentional. The main purpose of this library is to provide a simple client to Keycloak's REST API both for OIDC-flow and Administration. If the user uses this library to get the client's public key, the safest and most guaranteed way of returning it is via an API call to Keycloak. Therefore I'm really reluctant to add caching mechanisms.

However, I have myself run into this issue in my applications. It's pretty easy to solve with f.e. cachetools or just storing the public key in memory in your application directly.

I'd rather leave caching logic on the user as there can be many usages of this library where caching would be detrimental and lead to unexpected behavior.
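
One way to keep the key in memory on the application side, as discussed in this thread. This is an added example, not code from python-keycloak or from either participant. The class `CachedPublicKey` and the `fetch` and `verify_fn` callables are hypothetical: `fetch` stands for whatever returns the realm key (for instance the library's `public_key` method), and `verify_fn(token, key)` stands for the application's JWT verification call, which must raise on a bad signature.

```python
import threading
import time


class CachedPublicKey:
    """Caches the realm public key; refetches on expiry or after a failed verification."""

    def __init__(self, fetch, ttl=3600.0, min_refresh=30.0, clock=time.monotonic):
        self._fetch = fetch              # assumption: e.g. keycloak_openid.public_key
        self._ttl = ttl                  # maximum age of a cached key, in seconds
        self._min_refresh = min_refresh  # floor between failure-driven refetches
        self._clock = clock
        self._lock = threading.Lock()
        self._key = None
        self._fetched_at = None

    def _refresh(self):
        self._key = self._fetch()
        self._fetched_at = self._clock()

    def get(self):
        with self._lock:
            if self._key is None or self._clock() - self._fetched_at >= self._ttl:
                self._refresh()
            return self._key

    def verify(self, token, verify_fn, errors=(Exception,)):
        """Return verify_fn(token, key); pass the verifier's error types in `errors`."""
        key = self.get()
        try:
            return verify_fn(token, key)
        except errors:
            with self._lock:
                # A failure may mean Keycloak rotated its key. Refetch at most
                # once per min_refresh, so that invalid tokens cannot turn
                # every request back into a network call to Keycloak.
                if self._key == key:
                    if self._clock() - self._fetched_at < self._min_refresh:
                        raise
                    self._refresh()
                new_key = self._key
            if new_key == key:
                raise  # key unchanged: the token itself is invalid
            return verify_fn(token, new_key)
```

Create one instance per realm at application start-up and share it across request handlers; `ttl` bounds how long a key that Keycloak has withdrawn can still be trusted.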
