Every time you request a decoded ID token/Access Token from the client or run through the connection process, a request is made to:
https://identity.xero.com/.well-known/openid-configuration/jwks
This is the line that makes the request as part of the `decode_jwt` method. This endpoint appears to have a different rate limit to the other API endpoints, and if you hit that you are given the following response:
Does Xero have a TTL/expiration policy for these keys? Is there an amount of time that it might be safe to cache the value of this response for? Is the rate limit published anywhere, or is there a different way to avoid being rate limited?
Thanks!
So I changed this to only invoke the actual JWT validation on the callback when tokens are received. You can also use the changed `verify_jwt(validate=false||false)` method to validate whenever you see fit.
I changed the default of the decoded ID/access token methods to not make those API calls, so you don't have to worry about caching or TTL. I think this will fix 99.9% of use cases and still preserve a good security measure.
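For the case the thread describes (several jobs each decoding a stored token, every decode fetching the JWKS), the usual defence is to keep the key set in a process-local cache with a TTL and only refetch when a token carries a `kid` the cache has not seen, with that refetch throttled so a flood of tokens with bogus `kid`s cannot drive the process into the JWKS rate limit. The following is an added example and is not code from the xero-ruby SDK or from anyone in this thread. It uses only Ruby's standard library (OpenSSL, JSON), generates its own RSA keys and builds a JWK set from them as a constructed stand-in for Xero's JWKS response, and the `JwksCache` class, its `ttl:`/`min_refresh:` parameters and the helper names are my own assumptions:

```ruby
require 'openssl'
require 'json'

# base64url helpers (RFC 7515 style, no padding), stdlib only
def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.size % 4) % 4)
  s.unpack1('m0')
end

# Process-local JWKS cache (hypothetical helper, not part of the SDK).
# - refetch when the cached set is older than ttl seconds
# - refetch on an unknown kid (key rotation), but never more often than
#   min_refresh seconds, so bogus kids cannot trigger a fetch per token
class JwksCache
  attr_reader :fetch_count

  def initialize(fetcher, ttl: 3600, min_refresh: 60, clock: -> { Time.now.to_i })
    @fetcher = fetcher      # callable returning the parsed JWKS document (Hash)
    @ttl = ttl
    @min_refresh = min_refresh
    @clock = clock
    @keys = {}              # kid => OpenSSL::PKey::RSA (public)
    @fetched_at = nil
    @fetch_count = 0
  end

  def key_for(kid)
    refresh! if @fetched_at.nil? || @clock.call - @fetched_at > @ttl
    refresh! if !@keys.key?(kid) && @clock.call - @fetched_at >= @min_refresh
    @keys.fetch(kid) { raise KeyError, "no signing key for kid #{kid.inspect}" }
  end

  private

  def refresh!
    doc = @fetcher.call
    @fetch_count += 1
    @fetched_at = @clock.call
    @keys = doc.fetch('keys').each_with_object({}) do |jwk, h|
      h[jwk['kid']] = rsa_from_jwk(jwk) if jwk['kty'] == 'RSA'
    end
  end

  # Build a SubjectPublicKeyInfo DER from the JWK's n/e and load it;
  # this works on both OpenSSL 1.1 and 3.x (no mutable set_key needed).
  def rsa_from_jwk(jwk)
    n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
    e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
    rsa_pub = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
    spki = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('1.2.840.113549.1.1.1'), OpenSSL::ASN1::Null(nil)]),
      OpenSSL::ASN1::BitString(rsa_pub)
    ])
    OpenSSL::PKey::RSA.new(spki.to_der)
  end
end

# Verify an RS256 JWT against the cached key set; pins alg to RS256 and checks exp.
def verify_rs256(token, cache, now: Time.now.to_i)
  h64, p64, s64 = token.split('.')
  raise ArgumentError, 'malformed token' unless s64
  header = JSON.parse(b64url_decode(h64))
  raise ArgumentError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'
  key = cache.key_for(header['kid'])
  ok = key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  raise ArgumentError, 'bad signature' unless ok
  payload = JSON.parse(b64url_decode(p64))
  raise ArgumentError, 'token expired' if payload['exp'] && payload['exp'] < now
  payload
end

# Constructed test fixtures: sign a token and publish its public key as a JWK.
def sign_rs256(payload, key, kid)
  head = b64url_encode(JSON.generate({ alg: 'RS256', typ: 'JWT', kid: kid }))
  body = b64url_encode(JSON.generate(payload))
  "#{head}.#{body}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), "#{head}.#{body}"))}"
end

def jwk_for(key, kid)
  { 'kty' => 'RSA', 'kid' => kid, 'use' => 'sig', 'alg' => 'RS256',
    'n' => b64url_encode(key.n.to_s(2)), 'e' => b64url_encode(key.e.to_s(2)) }
end

# Demo: six "sync jobs" decode the same token with one JWKS fetch, then a key
# rotation (new kid) costs exactly one more fetch. Returns the counters.
def demo
  now = 1_700_000_000
  key1 = OpenSSL::PKey::RSA.new(2048)
  store = { doc: { 'keys' => [jwk_for(key1, 'kid-1')] } }   # constructed JWKS response
  cache = JwksCache.new(-> { store[:doc] }, ttl: 3600, min_refresh: 60, clock: -> { now })
  token1 = sign_rs256({ 'sub' => 'user-1', 'exp' => now + 300 }, key1, 'kid-1')
  subs = 6.times.map { verify_rs256(token1, cache, now: now)['sub'] }
  fetches_after_six = cache.fetch_count
  now += 120                                                # past min_refresh
  key2 = OpenSSL::PKey::RSA.new(2048)
  store[:doc] = { 'keys' => [jwk_for(key2, 'kid-2')] }      # simulated rotation
  token2 = sign_rs256({ 'sub' => 'user-2', 'exp' => now + 300 }, key2, 'kid-2')
  sub2 = verify_rs256(token2, cache, now: now)['sub']
  { fetches_after_six: fetches_after_six, fetches_after_rotation: cache.fetch_count,
    subs: subs.uniq, sub2: sub2 }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The cache is per process, so a fan-out of jobs in separate processes still fetches once per process; a shared cache (e.g. a row in the application database) would be the next step if that is still too many requests.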
@SerKnight I'm hitting it due to fanning out a sync job per month, so each job was rematerialising a stored token as part of execution (to be fair it could cache the data pulled out, but I expected decoding a JWT to be a relatively light operation).
I would say maybe 6 tokens? So I don't think I was hitting it particularly hard... it's also only my development machine.
Change looks good, thanks 👍 I would say that's the "principle of least surprise" way to do it.