From 1862de4be51fa3697d54525c65aebe9edc6c8514 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Wed, 21 May 2025 17:30:23 +0200
Subject: [PATCH] chore: clarify cache_ttl to be key_recheck_period (#2220)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# What does this PR do?
The cache_ttl config value is not in fact tied to the lifetime of any of the keys, it represents the time interval between for our key cache refresher.

Signed-off-by: Sébastien Han
---
 docs/source/distributions/configuration.md | 2 +-
 llama_stack/distribution/server/auth_providers.py | 6 +++---
 tests/unit/server/test_auth.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/source/distributions/configuration.md b/docs/source/distributions/configuration.md
index 77b52a621..de99b6576 100644
--- a/docs/source/distributions/configuration.md
+++ b/docs/source/distributions/configuration.md
@@ -183,7 +183,7 @@ server:
 config:
 jwks:
 uri: "https://kubernetes.default.svc"
- cache_ttl: 3600
+ key_recheck_period: 3600
 tls_cafile: "/path/to/ca.crt"
 issuer: "https://kubernetes.default.svc"
 audience: "https://kubernetes.default.svc"
diff --git a/llama_stack/distribution/server/auth_providers.py b/llama_stack/distribution/server/auth_providers.py
index 39f258c3b..723a65b77 100644
--- a/llama_stack/distribution/server/auth_providers.py
+++ b/llama_stack/distribution/server/auth_providers.py
@@ -110,7 +110,7 @@ def get_attributes_from_claims(claims: dict[str, str], mapping: dict[str, str])
 class OAuth2JWKSConfig(BaseModel):
 # The JWKS URI for collecting public keys
 uri: str
- cache_ttl: int = 3600
+ key_recheck_period: int = Field(default=3600, description="The period to recheck the JWKS URI for key updates")
 class OAuth2IntrospectionConfig(BaseModel):
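Review bot: The new `key_recheck_period` field's description does not say what unit the value is in; the comparison in the later hunk of the same file (`time.time() - self._jwks_at > self.config.jwks.key_recheck_period`) makes it seconds, so the Field should state that, e.g. `description="Interval in seconds between re-fetches of the JWKS URI to pick up key updates"`. The old line used a plain default and did not need `Field`, so a reviewer would also confirm that `Field` is imported from pydantic at the top of auth_providers.py, which is outside this hunk. Since `cache_ttl` was previously accepted, an existing run config still using the old name will presumably now either fail validation or be silently ignored depending on the model's extra-field policy, and the PR description does not say which; a short note in the docs or the class comment would save operators a surprise.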
@@ -263,7 +263,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
 """
 Refresh the JWKS cache.
- This is a simple cache that expires after a certain amount of time (defined by `cache_ttl`).
+ This is a simple cache that expires after a certain amount of time (defined by `key_recheck_period`).
 If the cache is expired, we refresh the JWKS from the JWKS URI.
 Notes: for Kubernetes which doesn't fully implement the OIDC protocol:
@@ -273,7 +273,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
 async with self._jwks_lock:
 if self.config.jwks is None:
 raise ValueError("JWKS is not configured")
- if time.time() - self._jwks_at > self.config.jwks.cache_ttl:
+ if time.time() - self._jwks_at > self.config.jwks.key_recheck_period:
 verify = self.config.tls_cafile.as_posix() if self.config.tls_cafile else self.config.verify_tls
 async with httpx.AsyncClient(verify=verify) as client:
 res = await client.get(self.config.jwks.uri, timeout=5)
diff --git a/tests/unit/server/test_auth.py b/tests/unit/server/test_auth.py
index 94c486f18..408acb88a 100644
--- a/tests/unit/server/test_auth.py
+++ b/tests/unit/server/test_auth.py
@@ -293,7 +293,7 @@ def oauth2_app():
 config={
 "jwks": {
 "uri": "http://mock-authz-service/token/introspect",
- "cache_ttl": "3600",
+ "key_recheck_period": "3600",
 },
 "audience": "llama-stack",
 },
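Review bot: The reworded docstring line in the @@ -263 hunk still describes the value as a cache that "expires", which is exactly the reading the PR title says is wrong; with the rename the sentence should describe an interval, e.g. `This is a simple cache that is re-fetched at most once every key_recheck_period seconds.` The @@ -273 hunk shows that this elapsed-time check is the only visible trigger for a re-fetch, so if nothing outside the hunk forces a refresh when a token carries a `kid` absent from the cached set, a key rotated on the issuer side will not be trusted until the period elapses; that is worth stating in the docstring's Notes so operators size the period with rotation in mind. The enclosing method starts and ends outside both hunks.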