chore: clarify cache_ttl to be key_recheck_period (#2220)

# What does this PR do?

The cache_ttl config value is not in fact tied to the lifetime of any of
the keys; it represents the time interval between refreshes by our key cache
refresher.

Signed-off-by: Sébastien Han <seb@redhat.com>
This commit is contained in:
Sébastien Han 2025-05-21 17:30:23 +02:00 committed by GitHub
parent c25acedbcd
commit 1862de4be5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 5 additions and 5 deletions


@ -183,7 +183,7 @@ server:
config: config:
jwks: jwks:
uri: "https://kubernetes.default.svc" uri: "https://kubernetes.default.svc"
cache_ttl: 3600 key_recheck_period: 3600
tls_cafile: "/path/to/ca.crt" tls_cafile: "/path/to/ca.crt"
issuer: "https://kubernetes.default.svc" issuer: "https://kubernetes.default.svc"
audience: "https://kubernetes.default.svc" audience: "https://kubernetes.default.svc"


@ -110,7 +110,7 @@ def get_attributes_from_claims(claims: dict[str, str], mapping: dict[str, str])
class OAuth2JWKSConfig(BaseModel): class OAuth2JWKSConfig(BaseModel):
# The JWKS URI for collecting public keys # The JWKS URI for collecting public keys
uri: str uri: str
cache_ttl: int = 3600 key_recheck_period: int = Field(default=3600, description="The period to recheck the JWKS URI for key updates")
class OAuth2IntrospectionConfig(BaseModel): class OAuth2IntrospectionConfig(BaseModel):
@ -263,7 +263,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
""" """
Refresh the JWKS cache. Refresh the JWKS cache.
This is a simple cache that expires after a certain amount of time (defined by `cache_ttl`). This is a simple cache that expires after a certain amount of time (defined by `key_recheck_period`).
If the cache is expired, we refresh the JWKS from the JWKS URI. If the cache is expired, we refresh the JWKS from the JWKS URI.
Notes: for Kubernetes which doesn't fully implement the OIDC protocol: Notes: for Kubernetes which doesn't fully implement the OIDC protocol:
@ -273,7 +273,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
async with self._jwks_lock: async with self._jwks_lock:
if self.config.jwks is None: if self.config.jwks is None:
raise ValueError("JWKS is not configured") raise ValueError("JWKS is not configured")
if time.time() - self._jwks_at > self.config.jwks.cache_ttl: if time.time() - self._jwks_at > self.config.jwks.key_recheck_period:
verify = self.config.tls_cafile.as_posix() if self.config.tls_cafile else self.config.verify_tls verify = self.config.tls_cafile.as_posix() if self.config.tls_cafile else self.config.verify_tls
async with httpx.AsyncClient(verify=verify) as client: async with httpx.AsyncClient(verify=verify) as client:
res = await client.get(self.config.jwks.uri, timeout=5) res = await client.get(self.config.jwks.uri, timeout=5)
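Review bot: The renamed comparison at `if time.time() - self._jwks_at > self.config.jwks.key_recheck_period:` measures an interval with the wall clock, so an NTP step backwards after a key rotation can postpone the JWKS refetch well past the configured period, while a step forwards merely forces an early fetch; `time.monotonic()` is the right source for an elapsed-time check, i.e. `if time.monotonic() - self._jwks_at > self.config.jwks.key_recheck_period:` together with the matching change wherever `_jwks_at` is assigned and initialised, which lies outside this hunk. Since the comparison is in seconds, the new `Field` description in the first hunk of this file would be clearer as `description="The period, in seconds, to recheck the JWKS URI for key updates"`, and a `gt=0` constraint there would stop a zero or negative value from turning every request into a JWKS fetch. The enclosing method starts before this hunk and continues after it.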


@ -293,7 +293,7 @@ def oauth2_app():
config={ config={
"jwks": { "jwks": {
"uri": "http://mock-authz-service/token/introspect", "uri": "http://mock-authz-service/token/introspect",
"cache_ttl": "3600", "key_recheck_period": "3600",
}, },
"audience": "llama-stack", "audience": "llama-stack",
}, },