chore: clarify cache_ttl to be key_recheck_period (#2220)

# What does this PR do? The cache_ttl config value is not in fact tied to the lifetime of any of the keys, it represents the time interval between for our key cache refresher. Signed-off-by: Sébastien Han <seb@redhat.com>
2025-05-21 17:30:23 +02:00 · 2025-05-21 17:30:23 +02:00 · 1862de4be5
commit 1862de4be5
parent c25acedbcd
3 changed files with 5 additions and 5 deletions
--- a/docs/source/distributions/configuration.md
+++ b/docs/source/distributions/configuration.md
@ -183,7 +183,7 @@ server:
    config:
      jwks:
        uri: "https://kubernetes.default.svc"
-        cache_ttl: 3600
+        key_recheck_period: 3600
      tls_cafile: "/path/to/ca.crt"
      issuer: "https://kubernetes.default.svc"
      audience: "https://kubernetes.default.svc"
--- a/llama_stack/distribution/server/auth_providers.py
+++ b/llama_stack/distribution/server/auth_providers.py
@ -110,7 +110,7 @@ def get_attributes_from_claims(claims: dict[str, str], mapping: dict[str, str])
 class OAuth2JWKSConfig(BaseModel):
    # The JWKS URI for collecting public keys
    uri: str
-    cache_ttl: int = 3600
+    key_recheck_period: int = Field(default=3600, description="The period to recheck the JWKS URI for key updates")


 class OAuth2IntrospectionConfig(BaseModel):
@ -263,7 +263,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
        """
        Refresh the JWKS cache.

-        This is a simple cache that expires after a certain amount of time (defined by `cache_ttl`).
+        This is a simple cache that expires after a certain amount of time (defined by `key_recheck_period`).
        If the cache is expired, we refresh the JWKS from the JWKS URI.

        Notes: for Kubernetes which doesn't fully implement the OIDC protocol:
@ -273,7 +273,7 @@ class OAuth2TokenAuthProvider(AuthProvider):
        async with self._jwks_lock:
            if self.config.jwks is None:
                raise ValueError("JWKS is not configured")
-            if time.time() - self._jwks_at > self.config.jwks.cache_ttl:
+            if time.time() - self._jwks_at > self.config.jwks.key_recheck_period:
                verify = self.config.tls_cafile.as_posix() if self.config.tls_cafile else self.config.verify_tls
                async with httpx.AsyncClient(verify=verify) as client:
                    res = await client.get(self.config.jwks.uri, timeout=5)
--- a/tests/unit/server/test_auth.py
+++ b/tests/unit/server/test_auth.py
@ -293,7 +293,7 @@ def oauth2_app():
        config={
            "jwks": {
                "uri": "http://mock-authz-service/token/introspect",
-                "cache_ttl": "3600",
+                "key_recheck_period": "3600",
            },
            "audience": "llama-stack",
        },