
V2: Expand IRI with AmSC Token, Keep Globus and Facility still in place (Beta, do not merge)#92

Open
juztas wants to merge 9 commits into doe-iri:main from juztas:glbtooidc

Contributor

@juztas commented May 14, 2026

No description provided.

Comment thread pyproject.toml Outdated
"opentelemetry-instrumentation-fastapi>=0.60b1,<0.61b0",
"opentelemetry-exporter-otlp>=1.39.1,<1.40.0",
"globus-sdk>=4.3.1",
"PyJWT>=2.10.1",
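Review bot: `"globus-sdk>=4.3.1"` and `"PyJWT>=2.10.1"` carry only a lower bound, while the two opentelemetry entries above them are capped (`<0.61b0`, `<1.40.0`). For the library that verifies token signatures, consider an upper bound in the same style, so that a new major release is adopted deliberately rather than at the next dependency resolve.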
Contributor

Have you considered a higher level library like authlib? It might take care of some of the validation code in _decode_oidc_jwt. Take a look here: https://docs.authlib.org/en/stable/oauth2/resource-server/flask.html

Contributor Author

I have not until now. I think that would be a bigger lift for the codebase. Current IRI needs are basically to validate a signed JWT, check the issuer/aud/exp. I think Authlib provides a full set of server/client tooling. Do we need that?

Contributor

I think minimizing boilerplate is usually a good idea. Here are two options:

  1. don't know much about this one: https://fastapi-oidc.readthedocs.io/en/latest/
  2. the "standard": joserfc with:
    1. import keyset (jwks): https://jose.authlib.org/en/recipes/cheatsheet/#key-sets-jwks
    2. decode/validate the jwt: https://jose.authlib.org/en/recipes/cheatsheet/#decode-verify-token (where the 'key' param is the jwks from the prev. step)

@juztas juztas changed the title Replace Globus with OIDC (Beta, do not merge) Expand IRI with AmSC Token, Keep Globus and Facility still in place (Beta, do not merge) May 21, 2026
@juztas juztas changed the title Expand IRI with AmSC Token, Keep Globus and Facility still in place (Beta, do not merge) V2: Expand IRI with AmSC Token, Keep Globus and Facility still in place (Beta, do not merge) May 21, 2026
Comment thread app/routers/iri_router.py Outdated

def _fetch_oidc_remote_state(discovery_uri: str) -> tuple[dict[str, Any], KeySet]:
"""Fetch the OIDC discovery."""
with httpx.Client(timeout=_DISCOVERY_TIMEOUT_SECONDS) as client:
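Review bot: the docstring on `_fetch_oidc_remote_state` says only "Fetch the OIDC discovery.", but the signature returns `tuple[dict[str, Any], KeySet]`. State in the docstring that the key set is retrieved as well, and what the function raises when a request fails or exceeds `_DISCOVERY_TIMEOUT_SECONDS`, so callers know which failures they have to handle.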
Contributor

@gabor-lbl May 21, 2026

Should this be async? I like the aiohttp library.

Update: httpx also supports async access

Comment thread app/routers/iri_router.py Outdated
return metadata, JsonWebKey.import_key_set(jwks_resp.json())


def _load_oidc_remote_state(discovery_uri: str) -> tuple[dict[str, Any], KeySet]:
Contributor

How about instead using caching on _fetch_oidc_remote_state, via:

```python
from cachetools import cached, TTLCache

@cached(cache=TTLCache(maxsize=128, ttl=60))
```

@gabor-lbl
Contributor

Looks good thanks! I left some minor comments.
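With the fixed-TTL caching suggested above for `_fetch_oidc_remote_state`, a token signed with a newly rotated key is rejected until the cached entry expires. The following is an added example, not code from this PR or from cachetools: a standard-library TTL cache that also refetches on an unknown `kid`, rate-limited so that arbitrary `kid` values cannot trigger a request to the issuer per token. `RemoteStateCache`, `find_key`, `FakeIssuer`, the `min_refresh` parameter and the issuer URL are assumptions, and the JWKS is a plain dict rather than the PR's `KeySet`.

```python
import time
from typing import Any, Callable, Optional

State = tuple[dict[str, Any], dict[str, Any]]  # (discovery metadata, JWKS document)

def find_key(jwks: dict[str, Any], kid: str) -> Optional[dict[str, Any]]:
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)

class RemoteStateCache:
    """Per-URI TTL cache that refetches early, at a bounded rate, on an unknown kid."""

    def __init__(self, fetch: Callable[[str], State], ttl: float = 60.0,
                 min_refresh: float = 10.0, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._min_refresh, self._clock = fetch, ttl, min_refresh, clock
        self._entries: dict[str, tuple[float, State]] = {}

    def _refresh(self, uri: str) -> State:
        state = self._fetch(uri)  # a failed fetch raises; nothing is cached for it
        self._entries[uri] = (self._clock(), state)
        return state

    def get(self, uri: str) -> State:
        entry = self._entries.get(uri)
        if entry is None or self._clock() - entry[0] >= self._ttl:
            return self._refresh(uri)
        return entry[1]

    def key_for(self, uri: str, kid: str) -> Optional[dict[str, Any]]:
        _, jwks = self.get(uri)
        key = find_key(jwks, kid)
        # Unknown kid: the issuer may have rotated keys. Refetch, but only if the
        # cached copy is older than min_refresh, so made-up kids cannot force a
        # request to the issuer per token.
        if key is None and self._clock() - self._entries[uri][0] >= self._min_refresh:
            _, jwks = self._refresh(uri)
            key = find_key(jwks, kid)
        return key  # None: the caller rejects the token

class FakeIssuer:
    """Constructed stand-in for the HTTP fetch; counts calls and can rotate keys."""

    def __init__(self) -> None:
        self.kids, self.calls = ["k1"], 0

    def fetch(self, uri: str) -> State:
        self.calls += 1
        return {"issuer": "https://issuer.example"}, {"keys": [{"kid": k} for k in self.kids]}
```

Passing the clock in as a parameter lets the expiry and rotation paths be tested without sleeping.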
