From 6d19025548d649c7ab89378522384f6ac2cbb164 Mon Sep 17 00:00:00 2001
From: Raphael Frank <04.raphael.frank@gmail.com>
Date: Mon, 22 Jun 2026 22:55:53 +0200
Subject: [PATCH] fixed python token validation loop bug
---
 services/py-genai-helper/auth.py | 20 +++----------------
 1 file changed, 3 insertions(+), 17 deletions(-)
diff --git a/services/py-genai-helper/auth.py b/services/py-genai-helper/auth.py
index 5de884b..136b89e 100644
--- a/services/py-genai-helper/auth.py
+++ b/services/py-genai-helper/auth.py
@@ -2,11 +2,8 @@
 from functools import wraps
 import jwt
-import requests
 from flask import request
-_jwks_cache: dict | None = None
-
 KEYCLOAK_ISSUER_URL = os.environ.get(
 "KEYCLOAK_ISSUER_URL",
 "http://keycloak:8080/auth/realms/devops",
@@ -18,23 +15,12 @@
 f"{KEYCLOAK_ISSUER_URL}/protocol/openid-connect/certs",
 )
-
-def _fetch_jwks() -> dict:
- response = requests.get(_JWKS_URL, timeout=5)
- response.raise_for_status()
- return response.json()
+# PyJWKClient handles caching internally (cache_jwk_set=True, lifespan=300s).
+_jwks_client = jwt.PyJWKClient(_JWKS_URL, cache_jwk_set=True, lifespan=300)
 def _get_signing_key(token: str) -> jwt.PyJWK:
- global _jwks_cache
- if _jwks_cache is None:
- _jwks_cache = _fetch_jwks()
- try:
- return jwt.PyJWKClient(_JWKS_URL, jwks_data=_jwks_cache).get_signing_key_from_jwt(token)
- except jwt.exceptions.PyJWKClientError:
- # Key not found in cache — Keycloak may have rotated keys; refresh once.
- _jwks_cache = _fetch_jwks()
- return jwt.PyJWKClient(_JWKS_URL, jwks_data=_jwks_cache).get_signing_key_from_jwt(token)
+ return _jwks_client.get_signing_key_from_jwt(token)
 def require_auth(f):
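Review bot: The new module-level `_jwks_client` drops the explicit 5 s fetch timeout that the removed `requests.get(_JWKS_URL, timeout=5)` enforced; `PyJWKClient` falls back to its own default (30 s in the PyJWT releases that expose `timeout=`), so a slow or unreachable Keycloak can hold a request thread for that long before validation fails. Suggest `_jwks_client = jwt.PyJWKClient(_JWKS_URL, cache_jwk_set=True, lifespan=300, timeout=5)`. Note also that `get_signing_key_from_jwt` forces a refresh that bypasses the cached set whenever a token's `kid` is not found, so `lifespan=300` bounds JWKS fetches only for tokens with known key ids; if the certs endpoint should be protected from that, rate-limit unknown-`kid` refreshes in `_get_signing_key` rather than relying on the cache. The module-level comment should also record that the client itself retries once on an unknown `kid`, since that is the behaviour the removed `except jwt.exceptions.PyJWKClientError` branch provided and the removal depends on it. `require_auth` begins on the hunk's last line and continues outside it.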