auth0
diff --git a/‎auth0/v3/authentication/async_token_verifier.py‎
Lines changed: 94 additions & 0 deletions b/‎auth0/v3/authentication/async_token_verifier.py‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎auth0/v3/authentication/token_verifier.py‎
Lines changed: 58 additions & 20 deletions b/‎auth0/v3/authentication/token_verifier.py‎
Lines changed: 58 additions & 20 deletions
diff --git a/‎auth0/v3/rest_async.py‎
Lines changed: 1 addition & 4 deletions b/‎auth0/v3/rest_async.py‎
Lines changed: 1 addition & 4 deletions
@@ -0,0 +1,94 @@
+"""Token Verifier module"""
+from .. import TokenValidationError
+from ..rest_async import AsyncRestClient
+from .token_verifier import AsymmetricSignatureVerifier, JwksFetcher
+
+
+class AsyncAsymmetricSignatureVerifier(AsymmetricSignatureVerifier):
+    """Verifier for RSA signatures, which rely on public key certificates.
+
+    Args:
+        jwks_url (str): The url where the JWK set is located.
+        algorithm (str, optional): The expected signing algorithm. Defaults to "RS256".
+    """
+
+    def __init__(self, jwks_url, algorithm="RS256"):
+        super(AsyncAsymmetricSignatureVerifier, self).__init__(jwks_url, algorithm)
+        self._fetcher_async = AsyncJwksFetcher(jwks_url)
+
+    async def _fetch_key_async(self, key_id=None):
+        return await self._fetcher.get_key(key_id)
+
+    def verify_signature_async(self, token):
+        """Verifies the signature of the given JSON web token.
+
+        Args:
+            token (str): The JWT to get its signature verified.
+
+        Raises:
+            TokenValidationError: if the token cannot be decoded, the algorithm is invalid
+            or the token's signature doesn't match the calculated one.
+        """
+        kid = self._get_kid(token)
+        secret_or_certificate = self._fetch_key(key_id=kid)
+
+        return self._decode_jwt(token, secret_or_certificate)
+
+
+class AsyncJwksFetcher(JwksFetcher):
+    """Class that fetches and holds a JSON web key set.
+    This class makes use of an in-memory cache. For it to work properly, define this instance once and re-use it.
+
+    Args:
+        jwks_url (str): The url where the JWK set is located.
+        cache_ttl (str, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super(AsyncJwksFetcher, self).__init__(*args, **kwargs)
+        self._async_client = AsyncRestClient(None)
+
+    async def _fetch_jwks_async(self, force=False):
+        """Attempts to obtain the JWK set from the cache, as long as it's still valid.
+        When not, it will perform a network request to the jwks_url to obtain a fresh result
+        and update the cache value with it.
+
+        Args:
+            force (bool, optional): whether to ignore the cache and force a network request or not. Defaults to False.
+        """
+        if force or self._cache_expired():
+            self._cache_value = {}
+            try:
+                jwks = await self._async_client.get(self._jwks_url)
+                self._cache_jwks(jwks)
+            except:  # noqa: E722
+                return self._cache_value
+            return self._cache_value
+
+        self._cache_is_fresh = False
+        return self._cache_value
+
+    async def get_key_async(self, key_id):
+        """Obtains the JWK associated with the given key id.
+
+        Args:
+            key_id (str): The id of the key to fetch.
+
+        Returns:
+            the JWK associated with the given key id.
+
+        Raises:
+            TokenValidationError: when a key with that id cannot be found
+        """
+        keys = await self._fetch_jwks_async()
+
+        if keys and key_id in keys:
+            return keys[key_id]
+
+        if not self._cache_is_fresh:
+            keys = await self._fetch_jwks_async(force=True)
+            if keys and key_id in keys:
+                return keys[key_id]
+        raise TokenValidationError(
+            'RSA Public Key with ID "{}" was not found.'.format(key_id)
+        )
@@ -45,15 +45,18 @@ def _fetch_key(self, key_id=None):
         """
         raise NotImplementedError
 
-    def verify_signature(self, token):
-        """Verifies the signature of the given JSON web token.
+    def _get_kid(self, token):
+        """Gets the key id from the kid claim of the header of the token
 
         Args:
-            token (str): The JWT to get its signature verified.
+            token (str): The JWT to get the header from.
 
         Raises:
             TokenValidationError: if the token cannot be decoded, the algorithm is invalid
             or the token's signature doesn't match the calculated one.
+
+        Returns:
+            the key id or None
         """
         try:
             header = jwt.get_unverified_header(token)
@@ -67,9 +70,19 @@ def verify_signature(self, token):
                 'to be signed with "{}"'.format(alg, self._algorithm)
             )
 
-        kid = header.get("kid", None)
-        secret_or_certificate = self._fetch_key(key_id=kid)
+        return header.get("kid", None)
+
+    def _decode_jwt(self, token, secret_or_certificate):
+        """Verifies the signature of the given JSON web token.
+
+        Args:
+            token (str): The JWT to get its signature verified.
+            secret_or_certificate (str): The public key or shared secret.
 
+        Raises:
+            TokenValidationError: if the token cannot be decoded, the algorithm is invalid
+            or the token's signature doesn't match the calculated one.
+        """
         try:
             decoded = jwt.decode(
                 jwt=token,
@@ -81,6 +94,21 @@ def verify_signature(self, token):
             raise TokenValidationError("Invalid token signature.")
         return decoded
 
+    def verify_signature(self, token):
+        """Verifies the signature of the given JSON web token.
+
+        Args:
+            token (str): The JWT to get its signature verified.
+
+        Raises:
+            TokenValidationError: if the token cannot be decoded, the algorithm is invalid
+            or the token's signature doesn't match the calculated one.
+        """
+        kid = self._get_kid(token)
+        secret_or_certificate = self._fetch_key(key_id=kid)
+
+        return self._decode_jwt(token, secret_or_certificate)
+
 
 class SymmetricSignatureVerifier(SignatureVerifier):
     """Verifier for HMAC signatures, which rely on shared secrets.
@@ -136,6 +164,24 @@ def _init_cache(self, cache_ttl):
         self._cache_ttl = cache_ttl
         self._cache_is_fresh = False
 
+    def _cache_expired(self):
+        """Checks if the cache is expired
+
+        Returns:
+            True if it should use the cache.
+        """
+        return self._cache_date + self._cache_ttl < time.time()
+
+    def _cache_jwks(self, jwks):
+        """Cache the response of the JWKS request
+
+        Args:
+            jwks (dict): The JWKS
+        """
+        self._cache_value = self._parse_jwks(jwks)
+        self._cache_is_fresh = True
+        self._cache_date = time.time()
+
     def _fetch_jwks(self, force=False):
         """Attempts to obtain the JWK set from the cache, as long as it's still valid.
         When not, it will perform a network request to the jwks_url to obtain a fresh result
@@ -144,23 +190,15 @@ def _fetch_jwks(self, force=False):
         Args:
             force (bool, optional): whether to ignore the cache and force a network request or not. Defaults to False.
         """
-        has_expired = self._cache_date + self._cache_ttl < time.time()
-
-        if not force and not has_expired:
-            # Return from cache
-            self._cache_is_fresh = False
+        if force or self._cache_expired():
+            self._cache_value = {}
+            response = requests.get(self._jwks_url)
+            if response.ok:
+                jwks = response.json()
+                self._cache_jwks(jwks)
             return self._cache_value
 
-        # Invalidate cache and fetch fresh data
-        self._cache_value = {}
-        response = requests.get(self._jwks_url)
-
-        if response.ok:
-            # Update cache
-            jwks = response.json()
-            self._cache_value = self._parse_jwks(jwks)
-            self._cache_is_fresh = True
-            self._cache_date = time.time()
+        self._cache_is_fresh = False
         return self._cache_value
 
     @staticmethod
 
@@ -1,13 +1,10 @@
 import asyncio
-import json
 
 import aiohttp
 
 from auth0.v3.exceptions import RateLimitError
 
-from .rest import EmptyResponse, JsonResponse, PlainResponse
-from .rest import Response as _Response
-from .rest import RestClient
+from .rest import EmptyResponse, JsonResponse, PlainResponse, RestClient
 
 
 def _clean_params(params):