Limetime management for OIDC JWKS · Issue #10620 · pypi/warehouse (original) (raw)

Skip to content

Navigation Menu

• • GitHub Copilot Write better code with AI
  • GitHub Advanced Security Find and fix vulnerabilities
  • Actions Automate any workflow
  • Codespaces Instant dev environments
  • Issues Plan and track work
  • Code Review Manage code changes
  • Discussions Collaborate outside of code
  • Code Search Find more, search less
• Explore
  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights
• • GitHub Sponsors Fund open source developers
  • The ReadME Project GitHub community articles
• • Enterprise platform AI-powered developer platform
• Pricing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign up

Appearance settings

Description

The first step in verifying the OIDC JWTs is verifying their signatures, which means checking them against the OIDC provider's signing key set.

There are a few approaches we could take to acquiring and maintaining the updatedness of those keys:

1. Bake them into the Warehouse codebase. We could pull the current JWKS blob from the URI referenced in the provider's openid-configuration.

• Pros: Simple.
• Cons: More tedious to update in the event of key updates/rotations; requires a PR each time any provider does so. Gaps between the rotation and updates means that Warehouse would probably reject authentic JWTs.

1. Fetch the JWKS for each provider on Warehouse startup/initialization. Restarts always re-fetch the JWKS.

• Pros: Simple.
• Cons: Most of the same cons as (1).

1. All of (2), but we also include a periodic job that checks each OIDC provider's JWKS on a schedule.

• Pros: No rotation downtime.
• Cons: Requires the most code.