Sometimes VerifyGitkitToken response is very slow about identity-toolkit-python-client HOT 8 OPEN

Most of the time VerifyGitkitToken is a local method, and the latency should be far less than 1 seconds. Could you give more details?

• Is your server running in local development, or a cloud service (e.g. Google App Engine), or others?
• Do you observer any pattern when the method is very slow?
• Is possible to run your app under python profiler?

from identity-toolkit-python-client.

The code is on the dedicated server at soyoustart (ovh).
For only purpose testing, I write a simple python code with a simple call to this (rpc)method and the result is this:

server$ python test_gitkit.py eyJhbGci[...]3GIQ
start
VerifyGitkitToken time = 1.359633

server$ python test_gitkit.py eyJhbGci[...]3GIQ
start
VerifyGitkitToken time = 128.519584

from identity-toolkit-python-client.

this is the script

import os
import sys
import datetime

# Import the helper functions
from identitytoolkit import gitkitclient


# Import the configuration file you downloaded from Google Developer Console
server_config_json = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'gitkit-server-config.json')
gitkit_instance = gitkitclient.GitkitClient.FromConfigFile(
    server_config_json)

if __name__ == "__main__":
        idToken = sys.argv[1]
        start = datetime.datetime.now()
        print("start")
        gitkit_user = gitkit_instance.VerifyGitkitToken(idToken)
        end = datetime.datetime.now()
        print("VerifyGitkitToken time = %f"% ((end-start).total_seconds()))

from identity-toolkit-python-client.

Now, the same script with the same input give good result (50 successful execution under 2.5 seconds)!
What worries me is that this method does not have a timeout.
PS: honestly I have not tested the script outside dedicated server (there are no firewall rules inside this my debian dedicated server).

from identity-toolkit-python-client.

VerifyGitkitToken() requires the Gitkit public X509 certs to validate a token string. The GitkitClient object has a build-in cache of current X509 certs, so that most of the time the certs are read from memory and the token signature is verified without any RPC. Only when the cached certs expire (normally in several hours) will the method download a new one from Gitkit server.

Every time when you run $python test_gitkit.py, a new GitkitClient is created and the cache has to be initialized by downloading the certs first. If your test script makes multiple calls to VerifyGitkitToken() using the same GitkitClient, the delay should be greatly decreased. That is the similar scenario for long-running tasks such as web servers.

from identity-toolkit-python-client.

Ok, in my production code I already use this approach, The other day the problem (128seconds) is happened for the first time in production code (an average of 1 long waiting on 4 method calls)

from identity-toolkit-python-client.

Looking at the call to GetPublicCert in VerifyGitkitToken there are potentially two HTTP calls made but only one which is cached. If you don't specify a "Server API key" then, I'm assuming by design, uncached calls are made to fetch the public certs via the service account. This is maybe what you're experiencing in production @alexodus, You can get a key via the credentials page in Google Developer Console, "Add credentials" then "API key" (when writing this).

Wouldn't a better strategy be to cache the result of GetPublicCerts in GitkitClient? And if the signature check fails then refresh the cache and retry?

from identity-toolkit-python-client.

Good point Magnus. We are making a change to the GetPublicCert HTTP API that neither Server API Key nor service account is needed. Caching the public certs in GitkitClient is also a reasonable approach.

from identity-toolkit-python-client.