@miketheman miketheman commented Oct 14, 2025

Currently, any custom issuer keys would be stored alongside the "parent" keys for the service, intermingling and making it less clear which keys belong to which service.

Store with the issuer_url instead, as redis is fine with keys using special characters, and thus allow storage and lookups for a given issuer.

No migration path necessary, as an empty cache will trigger a fresh lookup and storage the first time.

Resolves #18845
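
The keying change described above, as an added example that is not part of the pull request or the Warehouse code base. A dict stands in for Redis; the `oidc/jwks/` prefix, the class and function names, the publisher name and the example.com issuers are assumptions constructed for illustration.

```python
import json

class JWKSCache:
    """Dict-backed stand-in for a Redis hash store (constructed for this example)."""

    def __init__(self, fetch_jwks, key_by_issuer=True):
        self._store = {}            # cache key -> {kid: serialized JWK}
        self._fetch = fetch_jwks    # callable(issuer_url) -> list of JWK dicts
        self._key_by_issuer = key_by_issuer
        self.fetches = []           # issuer URLs fetched, kept for observation

    def _cache_key(self, publisher, issuer_url):
        # Hypothetical key layout; the real prefix is not shown on the page.
        scope = issuer_url if self._key_by_issuer else publisher
        return f"oidc/jwks/{scope}"

    def get_key(self, publisher, issuer_url, kid):
        bucket = self._store.setdefault(self._cache_key(publisher, issuer_url), {})
        if kid not in bucket:
            # Cache miss, including a never-populated key: fetch and store.
            # This is why switching key names needs no migration.
            self.fetches.append(issuer_url)
            for jwk in self._fetch(issuer_url):
                bucket[jwk["kid"]] = json.dumps(jwk)
        raw = bucket.get(kid)
        return json.loads(raw) if raw else None

    def kids_for(self, publisher, issuer_url):
        return sorted(self._store.get(self._cache_key(publisher, issuer_url), {}))

# Constructed sample data: one publisher with a parent issuer and a custom issuer.
PUBLISHER = "example-publisher"
PARENT = "https://oidc.example.com"
CUSTOM = "https://oidc.customer.example"
JWKS = {
    PARENT: [{"kid": "parent-1", "kty": "RSA"}],
    CUSTOM: [{"kid": "custom-1", "kty": "RSA"}],
}

def demo(key_by_issuer):
    """Populate the cache for both issuers and report which kids each one sees."""
    cache = JWKSCache(lambda url: JWKS[url], key_by_issuer=key_by_issuer)
    cache.get_key(PUBLISHER, PARENT, "parent-1")
    cache.get_key(PUBLISHER, CUSTOM, "custom-1")
    return cache.kids_for(PUBLISHER, PARENT), cache.kids_for(PUBLISHER, CUSTOM), cache
```

With `key_by_issuer=False` both issuers' key IDs land in one bucket; with `key_by_issuer=True` each issuer URL gets its own bucket, and a key ID belonging to a different issuer is not found there.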

Currently, any custom issuer keys would be stored alongside the "parent"
keys for the service, intermingling and making it less clear which keys
belong to which service.

Store with the `issuer_url` instead, as redis is fine with keys using
special characters, and thus allow storage and lookups for a given
issuer.

No migration path necessary, as an empty cache will trigger a fresh
lookup and storage the first time.

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman miketheman requested a review from a team as a code owner October 14, 2025 15:03
@ewdurbin ewdurbin left a comment

no test code change reeks of relentless mocking and stubbing.

   assert service.store_jwt_identifier(pretend.stub(), pretend.stub()) is None

😂

@miketheman miketheman merged commit 310954b into pypi:main Oct 14, 2025
21 checks passed
@miketheman miketheman deleted the miketheman/18845-change-oidc-cache-key branch October 14, 2025 15:26
Successfully merging this pull request may close these issues.

Store JWKS keys based on Issuer URL instead of publisher name