
Don't attempt to read public keys more than once every 5 minutes #80

Open
DrDaveD opened this issue Feb 21, 2022 · 1 comment

Comments

DrDaveD (Contributor) commented Feb 21, 2022

I haven't tested it, but according to the code it appears that if reading of the public keys fails, this library will retry reading those keys with every validation attempt. Instead, there should be a "negative cache" recorded so that reading the keys is only attempted every 5 minutes. Otherwise it could end up with a much higher load on the server when it is already having problems, plus it could cause unnecessary delays on validation.

(As a side note, reading public keys every 10 minutes after a success seems excessive. 30 minutes sounds more reasonable to me. I would still leave retries every 5 minutes though. These numbers are based on my experience with cvmfs and frontier caching. The scitokens python library sets it to 60 minutes, which is also reasonable.)

jbasney (Member) commented Feb 21, 2022

Agreed. CILogon will block or rate limit excessive requests to our endpoints, including our public key endpoint.

https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#token-lifetime-guidance sets a minimum lifetime of 1 hour for the public key cache. I think that's why the python library sets it to 60 minutes.
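Added example, not code from the library under discussion nor from either commenter: a per-issuer public-key cache that implements the negative cache proposed above, with a positive TTL defaulting to the 1-hour minimum cited from the WLCG profile and a 5-minute retry window after a failed fetch. It goes slightly beyond the thread in one respect: when a refresh fails after the positive TTL has expired, it keeps validating with the last good key set instead of failing every token until the next retry. The class and function names, the constructed issuer endpoint, and that stale-serving choice are assumptions, not anything the issue states or the library provides. The fetcher and clock are injected so the two simulations run offline.

```python
import time
from typing import Callable, Dict, List

ISSUER = "https://issuer.example"   # constructed issuer name for the simulations


class KeyFetchError(Exception):
    """Keys unavailable and the negative-cache window has not elapsed."""


class PublicKeyCache:
    """Per-issuer key cache: positive TTL for good fetches, negative cache for
    failures. Hypothetical class (not the library's API); clock is injectable."""

    def __init__(self, fetch: Callable[[str], List[dict]],
                 positive_ttl: float = 3600.0, negative_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._clock = fetch, clock
        self._positive_ttl, self._negative_ttl = positive_ttl, negative_ttl
        self._keys: Dict[str, List[dict]] = {}     # issuer -> last good key set
        self._fresh_until: Dict[str, float] = {}   # issuer -> positive expiry
        self._retry_after: Dict[str, float] = {}   # issuer -> earliest next attempt

    def get_keys(self, issuer: str) -> List[dict]:
        now = self._clock()
        # Fast path: cached keys still inside the positive TTL.
        if issuer in self._keys and now < self._fresh_until[issuer]:
            return self._keys[issuer]
        # Negative cache: after a failure, do not touch the endpoint again
        # until the retry window has passed, however many validations arrive.
        if now < self._retry_after.get(issuer, 0.0):
            return self._stale_or_fail(issuer, "retry window not elapsed")
        try:
            keys = self._fetch(issuer)
        except Exception as exc:  # transport or parse failure of any kind
            self._retry_after[issuer] = now + self._negative_ttl
            return self._stale_or_fail(issuer, f"fetch failed: {exc}")
        self._keys[issuer] = keys
        self._fresh_until[issuer] = now + self._positive_ttl
        self._retry_after.pop(issuer, None)
        return keys

    def _stale_or_fail(self, issuer: str, reason: str) -> List[dict]:
        # Design choice (assumption, see lead-in): keep using the last good
        # key set during an outage instead of failing every token.
        if issuer in self._keys:
            return self._keys[issuer]
        raise KeyFetchError(f"no keys for {issuer}: {reason}")


class FakeClock:
    """Manually advanced clock so the simulations need no real waiting."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class FlakyEndpoint:
    """Constructed stand-in for an issuer's key endpoint; counts every hit."""
    keys = [{"kty": "RSA", "kid": "key-1"}]   # constructed key set, not a real key
    def __init__(self):
        self.down, self.hits = False, 0
    def __call__(self, issuer):
        self.hits += 1
        if self.down:
            raise ConnectionError(f"HTTP 503 from {issuer}")
        return self.keys


def simulate_outage(validations: int = 1000) -> Dict[float, tuple]:
    """Endpoint down from the start, one validation per second.
    Returns {negative_ttl: (endpoint hits, failed validations)}."""
    results = {}
    for negative_ttl in (0.0, 300.0):     # 0.0 = retry on every validation
        clock, ep = FakeClock(), FlakyEndpoint()
        ep.down = True
        cache = PublicKeyCache(ep, negative_ttl=negative_ttl, clock=clock)
        failures = 0
        for _ in range(validations):
            try:
                cache.get_keys(ISSUER)
            except KeyFetchError:
                failures += 1
            clock.advance(1.0)
        results[negative_ttl] = (ep.hits, failures)
    return results


def simulate_refresh_failure() -> tuple:
    """Keys fetched once, then the endpoint goes down as the positive TTL
    expires. Returns (endpoint hits, validations served from stale keys)."""
    clock, ep = FakeClock(), FlakyEndpoint()
    cache = PublicKeyCache(ep, clock=clock)   # 1 h positive, 5 min negative
    cache.get_keys(ISSUER)                    # t=0: fetched, cached for an hour
    clock.advance(3600.0)
    ep.down = True
    stale_served = 0
    for _ in range(300):                      # t=3600..3899, one validation/second
        if cache.get_keys(ISSUER) == FlakyEndpoint.keys:
            stale_served += 1
        clock.advance(1.0)
    return ep.hits, stale_served
```

`simulate_outage()` is the load comparison from the first comment: with no negative cache, 1000 validations during a 1000-second outage hit the key endpoint 1000 times; with a 5-minute negative cache they hit it 4 times (t=0, 300, 600, 900), and every validation still fails fast because there were never any keys to fall back on. `simulate_refresh_failure()` shows the stale-serving path: after the hour-long positive TTL expires, one failed refresh marks the issuer for retry in 5 minutes and the 300 validations in that window are served from the cached keys with no further requests.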
