From d9b7d168e2e39689ccbd0f0880f1378f82e7ecb4 Mon Sep 17 00:00:00 2001
From: Gus Brodman <gbrodman@google.com>
Date: Tue, 16 Jun 2026 15:35:12 -0400
Subject: [PATCH] Use a (small) map to cache token verifiers

we shouldn't have to rebuild it each time we get a request to a
different service or really ever at all -- we might get a tiny bit of
cache benefit here
---
 .../google/registry/request/auth/AuthModule.java  | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/google/registry/request/auth/AuthModule.java b/core/src/main/java/google/registry/request/auth/AuthModule.java
index a7443f9cf18..7554acc3b99 100644
--- a/core/src/main/java/google/registry/request/auth/AuthModule.java
+++ b/core/src/main/java/google/registry/request/auth/AuthModule.java
@@ -43,6 +43,7 @@
 import jakarta.inject.Singleton;
 import java.io.IOException;
 import java.time.Duration;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 
@@ -88,8 +89,8 @@ ImmutableList<AuthenticationMechanism> provideApiAuthenticationMechanisms(
   TokenVerifier provideIapTokenVerifier(
       @Config("projectIdNumber") long projectIdNumber,
       @Named("backendServiceIdMap") Supplier<ImmutableMap<String, Long>> backendServiceIdMap) {
-    com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder =
-        com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL);
+    ConcurrentHashMap<String, com.google.auth.oauth2.TokenVerifier> tokenVerifiers =
+        new ConcurrentHashMap<>();
     return (String service, String token) -> {
       Long backendServiceId = backendServiceIdMap.get().get(service);
       checkNotNull(
@@ -98,7 +99,15 @@ TokenVerifier provideIapTokenVerifier(
           service,
           backendServiceIdMap);
       String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, backendServiceId);
-      return tokenVerifierBuilder.setAudience(audience).build().verify(token);
+      com.google.auth.oauth2.TokenVerifier verifier =
+          tokenVerifiers.computeIfAbsent(
+              audience,
+              aud ->
+                  com.google.auth.oauth2.TokenVerifier.newBuilder()
+                      .setIssuer(IAP_ISSUER_URL)
+                      .setAudience(aud)
+                      .build());
+      return verifier.verify(token);
     };
   }