I started using jose4j to validate Azure AD originating JWT tokens against the OpenID Connect JWKS it publishes. All in a RESTful environment, which means no state.
To avoid recreating all the objects from scratch every time a request comes in and consequently jose4j retrieving the jwks again and again, I want to use caching.
The dilemma I have is what to cache:
I was thinking JwtConsumer is the best. Any ideas on this if this is a good choice?
As the cache is shared over all RESTful requests, which are handled in a multithreaded way (using CXF blueprint in Karaf), the JwtConsumer should be thread safe. Does anybody know whether it is?
I was thinking to cache using ehcache or ConcurrentHashMap using the tid as the key.
JwtConsumer is thread safe (as long as any custom Validators or Customizers used are also thread safe). However, caching and reusing the HttpsJwks object(s) is where you'll realize the vast majority of benefit because it internally caches the keys retrieved from the jwks endpoint. Holding on to HttpsJwks is what will prevent jose4j from retrieving the content of the jwks endpoint again and again.
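
The caching described in the question and answer above, as an added example that is not code from the original posts or from the jose4j project: one JwtConsumer, holding its own HttpsJwks, is cached per tenant in a ConcurrentHashMap keyed by tid. The class name, the tenant allow-list, and the Azure AD v2.0 URL and issuer patterns are assumptions; because the tid is read from the token before its signature is checked, it is compared against the allow-list before it is used as a cache key or to build the JWKS URL.

```java
import java.util.Set;
import java.util.concurrent.*;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.*;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/** Hypothetical helper: one cached JwtConsumer (and its HttpsJwks) per allowed tenant. */
public final class TenantJwtValidator {
    // Assumed Azure AD v2.0 patterns; take the real values from your tenant's OpenID Connect metadata.
    private static final String JWKS_URL = "https://login.microsoftonline.com/%s/discovery/v2.0/keys";
    private static final String ISSUER = "https://login.microsoftonline.com/%s/v2.0";

    private final Set<String> allowedTenants;
    private final String audience;
    private final ConcurrentMap<String, JwtConsumer> consumers = new ConcurrentHashMap<>();
    // First pass only parses the claims; nothing it returns is trusted yet.
    private final JwtConsumer peek = new JwtConsumerBuilder().setSkipAllValidators()
            .setDisableRequireSignature().setSkipSignatureVerification().build();

    public TenantJwtValidator(Set<String> allowedTenants, String audience) {
        this.allowedTenants = allowedTenants;
        this.audience = audience;
    }

    public JwtClaims validate(String jwt) throws InvalidJwtException, MalformedClaimException {
        String tid = peek.processToClaims(jwt).getStringClaimValue("tid");
        // The cache key comes from an unverified token, so check it against the
        // allow-list before it can select a JWKS URL or grow the map.
        if (tid == null || !allowedTenants.contains(tid)) {
            throw new SecurityException("token is not from an allowed tenant");
        }
        // Second pass: full signature and claim validation with the cached consumer.
        return consumers.computeIfAbsent(tid, this::buildConsumer).processToClaims(jwt);
    }

    private JwtConsumer buildConsumer(String tid) {
        // The HttpsJwks lives as long as the cached consumer, so its internal key cache is reused.
        HttpsJwks jwks = new HttpsJwks(String.format(JWKS_URL, tid));
        return new JwtConsumerBuilder()
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(jwks))
                .setExpectedIssuer(String.format(ISSUER, tid))
                .setExpectedAudience(audience)
                .setRequireExpirationTime()
                .build();
    }
}
```

A single instance of this class can be shared by all request threads, provided no non-thread-safe Validators or Customizers are added to the builders.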