Support non-blocking keylocators

[mihe-inf]

Is your feature request related to a problem? Please describe.
We had an issue in one of our applications where a lot of concurrent requests lead to thread starvation every time the cached signature JWK was updated (we get the signature JWK from an OAuth2 JWKS endpoint and cache it in-memory for $$x$$ amount of time)

There's things we can do on our end to address this issue, as our code is also somewhat at fault here. But it leads me to think that the jjwt API is also somewhat preventing a clean solution due to its blocking implementation, especially when it comes to the KeyLocator, which by definition might need to do blocking I/O (like getting the JWK from a remote service)

Describe the solution you'd like
It should be possible to provide some form of KeyLocator that implements fetching the key in a non-blocking manner., something like this:

public interface AsyncLocator<T> {

    CompletionStage<T> locate(Header header);

}

Describe alternatives you've considered
We can currently live with the parser being blocking, we try to limit blocking code as much as possible in the KeyLocator by heavily relying on caching and revisiting our dispatcher configurations. But since most of our code in this project is leveraging non-blocking APIs, the blocking JWT parsing via jjwt is standing out a bit.

[lhazlewood]

Hi @mihe-inf , thanks for the issue.

With the new proposed interface, the JwtParser implementation would need to be updated to support CompletionStage semantics and any other related non-blocking related behavior, and would I assume take some judicious thought into how best to do this without going down a rabbit hole of challenges/code changes. I do think it's an interesting request, so I'll keep this in the backlog for sure, but in the spirit of transparency, I've no idea when we'd be able to work on this. But I like the concept!

If you've taken a look at the DefaultJwtParser implementation and have thoughts on how best to do this without making things crazy complicated, I'd definitely appreciate any ideas!

[mihe-inf]

Hi @lhazlewood, I understand that, when a project isn't really made to prevent blocking code from the get-go, adapting it after the fact requires quite some effort, I went through this struggle before 😄

No worries, as I've said, we'll be able to work around it. I expected this to get into the backlog as it would require using completion stages in many more places, which would likely be breaking, or require you to add a separate AsyncJwtParser.

I currently lack the time to further look into it, but feel free to ping me anytime if you need more information.

[mihe-inf]

Btw. we ran into this issue in a project running on jdk8 (using Play Framework 2.8). AFAICT, the issue can't really be reproduced on newer installations on jdk21 (Play Framework 3.0)... I am assuming the Java Virtual Threads feature of JDK21 alleviates the problem, which might mean the feature request is even less urgent for projects on newer JVMs.