Fix #1051: Replace lru_cache with TTL-based key caching #1070


Open. Wants to merge 2 commits into base: master

Conversation

ArvinAlizadehGitHub

Summary

This PR fixes issue #1051 where PyJWKClient with cache_keys=True serves potentially revoked keys indefinitely.

Problem

When cache_keys=True is enabled, PyJWKClient applies @lru_cache to the get_signing_key method. This caches keys permanently until LRU eviction or process restart. If an identity provider removes a key from their JWKS, applications continue accepting tokens signed with that key.

Solution

  • Replace lru_cache with TTL-aware caching
  • Keys now expire after the configured lifespan (default 300 seconds)
  • Maintains full backward compatibility with existing API
  • Uses same expiration logic as existing JWKSetCache

Changes

  • jwt/jwks_client.py: Replace lru_cache with TTL cache implementation
  • tests/test_jwks_client.py: Add test demonstrating the fix works

Testing

All existing tests pass. New test verifies that:

  • Old implementation serves cached keys indefinitely
  • New implementation properly rejects expired keys

Backward Compatibility

No breaking changes. All existing parameters work identically:

  • cache_keys=True still enables individual key caching
  • max_cached_keys still limits cache size
  • Performance characteristics maintained

Fixes #1051
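To make the TTL-versus-LRU distinction in this PR concrete, here is an added example (not PyJWT's code and not this PR's diff) of a per-kid cache whose entries expire after a configured lifespan and which evicts least-recently-used keys once `max_cached_keys` is exceeded. The names `TTLKeyCache`, `KeyNotFound` and `fetch_jwks` are hypothetical, the key material is plain constructed strings, and the clock is injectable so expiry can be exercised without sleeping.

```python
import time
from collections import OrderedDict

class KeyNotFound(Exception):
    """Raised when the provider's current JWKS no longer lists the kid."""

class TTLKeyCache:
    """Per-kid signing-key cache; entries expire after `lifespan` seconds (hypothetical class)."""

    def __init__(self, fetch_jwks, lifespan=300, max_cached_keys=16, now=time.monotonic):
        self._fetch = fetch_jwks          # returns the provider's current {kid: key} mapping
        self._lifespan = lifespan
        self._max = max_cached_keys
        self._now = now                   # injectable clock so expiry can be tested without sleeping
        self._cache = OrderedDict()       # kid -> (key, inserted_at), kept in LRU order
        self.fetch_count = 0              # round trips to the provider, for the demo/test

    def get_signing_key(self, kid):
        entry = self._cache.get(kid)
        if entry is not None:
            key, inserted_at = entry
            if self._now() - inserted_at < self._lifespan:
                self._cache.move_to_end(kid)  # mark as recently used
                return key
            del self._cache[kid]  # expired: re-validate against the provider
        jwks = self._fetch()
        self.fetch_count += 1
        if kid not in jwks:
            raise KeyNotFound(f"kid {kid!r} is not in the current JWKS")
        self._cache[kid] = (jwks[kid], self._now())
        while len(self._cache) > self._max:
            self._cache.popitem(last=False)  # evict least recently used
        return jwks[kid]

def demo():
    # Constructed scenario: the provider removes k1 part-way through the TTL.
    clock = [0.0]
    jwks = {"k1": "key-material-1", "k2": "key-material-2"}  # constructed sample keys
    cache = TTLKeyCache(lambda: dict(jwks), lifespan=300, now=lambda: clock[0])
    cache.get_signing_key("k1")          # fetch 1, cached at t=0
    del jwks["k1"]                        # provider revokes k1
    clock[0] = 200.0
    stale = cache.get_signing_key("k1")   # within TTL: served from cache (bounded staleness)
    clock[0] = 301.0
    try:
        cache.get_signing_key("k1")       # TTL elapsed: refetch, and k1 is gone
    except KeyNotFound:
        return stale, True, cache.fetch_count
    return stale, False, cache.fetch_count
```

Note that a revoked key can still be served for up to `lifespan` seconds after removal, which is the bounded window this design accepts in exchange for not fetching the JWKS on every token.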

Replace functools.lru_cache with TTL-aware cache to prevent
indefinite caching of potentially revoked signing keys.

- Remove lru_cache which cached keys forever
- Implement TTL-based individual key caching
- Keys now expire after configured lifespan
- Maintains backward compatibility with existing API
- Add test demonstrating fix works

Fixes jpadilla#1051
@ArvinAlizadehGitHub force-pushed the fix-lru-cache-security-vulnerability branch from 4eaa549 to 11b357a on June 23, 2025 09:32
Successfully merging this pull request may close these issues.

PyJWKClient with cache_keys=True serves potentially revoked keys