Cache Remote JWKS Fetch

[danielduan]

In the Ruby SDK, WorkOS::UserManagement.load_sealed_session seems to fetch the remote JWKS on every load, adding about 100ms to each authenticated request.

We use Rails and for every authenticated request, we call authorize_request which does the following:

session = WorkOS::UserManagement.load_sealed_session
result = session.authenticate
@user = result[:user]

After implementing WorkOS, we realized all of our authenticated endpoints now take 100ms longer on the backend. It took some digging through our Sentry profiles to find that create_remote_jwk_set was called repeatedly:

workos-ruby/lib/workos/session.rb

Line 26 in 8c401c2

@jwks = create_remote_jwk_set(URI(@user_management.get_jwks_url(client_id)))

We host our services on Render.com on GCP's oregon-1 region.

Please advise if there is a better way to authenticate the token or if improvements can be made to the SDK. Thanks!

[PaulAsjes]

I see the problem, I think we should able to move that to when you initialize the SDK instead of on every session load. Will look into fixing this soon.

[danielduan]

I see the problem, I think we should able to move that to when you initialize the SDK instead of on every session load. Will look into fixing this soon.

thanks for looking into this! would appreciate if you can prioritize this for us.

[adam-h]

We ran into this when we noticed the JWKS call was taking up 30-45% of our request processing time.

For now we've worked around it by adding the following to our initializer (config/initializers/workos.rb):

  # We load and authenticate the sealed session each request.
  # Just loading the JWKS to verify the token was taking up 30% of our server request time!
  #
  # Cache this for 5 minutes to stop having to do that on every request.
  # Ideally we'd cache longer and just update it if we triggered a validation error
  module CacheJWKSet
    private

    def create_remote_jwk_set(uri)
      Rails.cache.fetch("workos-jwk-set", expires_in: 5.minutes) do
        super
      end
    end
  end

  WorkOS::Session.prepend(CacheJWKSet)

[danielduan]

@PaulAsjes is there a rough estimate of when we can expect a fix?

[PaulAsjes]

Hi @danielduan, planning on having a fix for this shipped by the end of next week.

[nicknisi]

@danielduan This is now shipped in v5.11.1. Thanks!