1
0
mirror of https://github.com/google/nomulus synced 2026-06-09 16:33:02 +00:00

Use a (small) map to cache token verifiers (#3088)

we shouldn't have to rebuild it each time we get a request to a
different service or really ever at all -- we might get a tiny bit of
cache benefit here
This commit is contained in:
gbrodman
2026-06-22 14:26:02 -04:00
committed by GitHub
parent dcfe939c38
commit a85bf5c30a
@@ -43,6 +43,7 @@ import jakarta.inject.Qualifier;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.time.Duration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
import javax.annotation.Nullable;
@@ -88,8 +89,8 @@ public class AuthModule {
TokenVerifier provideIapTokenVerifier(
@Config("projectIdNumber") long projectIdNumber,
@Named("backendServiceIdMap") Supplier<ImmutableMap<String, Long>> backendServiceIdMap) {
com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder =
com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL);
ConcurrentHashMap<String, com.google.auth.oauth2.TokenVerifier> tokenVerifiers =
new ConcurrentHashMap<>();
return (String service, String token) -> {
Long backendServiceId = backendServiceIdMap.get().get(service);
checkNotNull(
@@ -98,7 +99,15 @@ public class AuthModule {
service,
backendServiceIdMap);
String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, backendServiceId);
return tokenVerifierBuilder.setAudience(audience).build().verify(token);
com.google.auth.oauth2.TokenVerifier verifier =
tokenVerifiers.computeIfAbsent(
audience,
aud ->
com.google.auth.oauth2.TokenVerifier.newBuilder()
.setIssuer(IAP_ISSUER_URL)
.setAudience(aud)
.build());
return verifier.verify(token);
};
}