adutra commented on code in PR #4620:
URL: https://github.com/apache/polaris/pull/4620#discussion_r3374173899


##########
runtime/service/src/test/java/org/apache/polaris/service/auth/internal/broker/JWTSymmetricKeyGeneratorTest.java:
##########
@@ -70,4 +71,37 @@ public void testJWTSymmetricKeyGenerator() {
     
assertThat(decodedJWT.getClaim("scope").asString()).isEqualTo("PRINCIPAL_ROLE:TEST");
     
assertThat(decodedJWT.getClaim("client_id").asString()).isEqualTo(clientId);
   }
+
+  /** Verify that the same broker instance can verify a token multiple times. 
*/
+  @Test
+  public void testMultipleVerificationsWithSameBroker() {
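Review bot: The Javadoc and the name `testMultipleVerificationsWithSameBroker` only promise that repeated verification succeeds. That is a functional property and does not pin down any reuse of the verifier. If the intent is to cover the sharing described in the `JwtSigningKey` Javadoc ("shared across request-scoped JWTBroker instances so the verifier is not reconstructed on every request"), the test should say so and assert it directly. For example, obtain two brokers for the same realm from the factory and check that they hold the same verifier instance. A negative case would also help: a token signed with a different secret should still be rejected on the second and later verifications.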

Review Comment:
   I'm not convinced by this test. It would pass even without your changes, 
wouldn't it?



##########
runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/JwtSigningKey.java:
##########
@@ -19,25 +19,16 @@
 package org.apache.polaris.service.auth.internal.broker;
 
 import com.auth0.jwt.algorithms.Algorithm;
-import java.util.function.Supplier;
-import org.apache.polaris.core.PolarisCallContext;
-import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import com.auth0.jwt.interfaces.JWTVerifier;
 
-/** Generates a JWT using a Symmetric Key. */
-public class SymmetricKeyJWTBroker extends JWTBroker {
-  private final Supplier<String> secretSupplier;
-
-  public SymmetricKeyJWTBroker(
-      PolarisMetaStoreManager metaStoreManager,
-      PolarisCallContext polarisCallContext,
-      int maxTokenGenerationInSeconds,
-      Supplier<String> secretSupplier) {
-    super(metaStoreManager, polarisCallContext, maxTokenGenerationInSeconds);
-    this.secretSupplier = secretSupplier;
-  }
+/**
+ * Holds the JWT {@link Algorithm} and its derived {@link JWTVerifier} for a 
realm. Built once per
+ * realm by a {@link TokenBrokerFactory} and shared across request-scoped 
{@link JWTBroker}
+ * instances so the verifier is not reconstructed on every request.
+ */
+record JwtSigningKey(Algorithm algorithm, JWTVerifier verifier) {
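Review bot: The Javadoc calls the verifier "derived" from the algorithm, but the canonical constructor of `record JwtSigningKey(Algorithm algorithm, JWTVerifier verifier)` accepts any pair, so nothing enforces that relationship. A caller could pass a verifier built from a different algorithm or key, and tokens would then be signed with one key and checked against another. Consider a static factory that takes only the `Algorithm` and builds the verifier from it (e.g. `JWT.require(algorithm).build()`), plus a compact constructor that rejects null components. Since the Javadoc also says the instance is shared across request-scoped brokers, it should state that both components are expected to be safe for concurrent use.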

Review Comment:
   nit: this isn't really a JWT signing key, so the name is misleading. Let's 
find another name. I'd be OK with just `AlgorithmAndVerifier`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
