ace-wg / mqtt-tls-profile

Document for MQTT-TLS-profile

Section 8 - The storage of tokens #59

Closed ciseng closed 4 years ago

ciseng commented 4 years ago

Section 8 - The storage of tokens long term can be restricted to only current valid ones if an immediate validation of the token is done.  This means that the RS spends time doing the validation, but does not need to consume memory.

ciseng commented 4 years ago

Just want to confirm: when you say storage of tokens restricted to current valid ones, do you mean the RS stores the valid tokens and does not store the introspection/validation result, and hence validates each time?

jimsch commented 4 years ago

No, I mean that if the RS attempts to validate the token and that fails, then there is no need to store the token. This means that a flood of invalid tokens will not cause a memory problem, just a CPU problem.

ciseng commented 4 years ago

Got it. This was the behaviour I expected, I will specify in the text as well.

ciseng commented 4 years ago

Added to this section: "After the RS validates an access token and accepts a connection from a client, it caches the token to authorize a Client's publish and subscribe requests in an ongoing session. RS does not cache any invalid tokens. If a client's permissions get revoked but the access token has not expired the RS may still grant publish/subscribe to revoked topics."
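
The behaviour agreed in this thread, as an added example that is not part of the discussion or of the draft: the RS pays the validation cost for every token, retains only accepted ones, drops them at expiry, and cannot see a revocation that happens at the AS before expiry. `TokenCache`, the `validate` callable, and the sample token, client and topic names are hypothetical and constructed for illustration.

```python
import time

class TokenCache:
    """RS-side session cache: a token is stored only after it validates."""

    def __init__(self, validate, now=time.time):
        self._validate = validate  # assumed callable: token -> claims dict, or None
        self._now = now
        self._sessions = {}        # client_id -> (exp, frozenset of (action, topic))

    def on_connect(self, client_id, token):
        claims = self._validate(token)  # CPU is spent here for every token
        if claims is None or claims["exp"] <= self._now():
            return False                # rejected: nothing is retained
        self._sessions[client_id] = (claims["exp"], frozenset(claims["scope"]))
        return True

    def authorize(self, client_id, action, topic):
        entry = self._sessions.get(client_id)
        if entry is None:
            return False
        exp, scope = entry
        if exp <= self._now():
            del self._sessions[client_id]  # expired tokens leave the cache
            return False
        return (action, topic) in scope

    def __len__(self):
        return len(self._sessions)


def demo():
    clock = [1000.0]                                  # constructed clock
    as_state = {"tok-A": {"exp": 1060.0,              # constructed AS records
                          "scope": [("publish", "sensors/temp")]}}
    cache = TokenCache(as_state.get, now=lambda: clock[0])

    for i in range(10_000):                           # flood of invalid tokens
        cache.on_connect(f"c{i}", f"bogus-{i}")
    after_flood = len(cache)                          # cache did not grow

    accepted = cache.on_connect("alice", "tok-A")
    del as_state["tok-A"]                             # revoked at the AS
    stale = cache.authorize("alice", "publish", "sensors/temp")
    clock[0] = 1061.0                                 # token lifetime passes
    expired = cache.authorize("alice", "publish", "sensors/temp")
    return after_flood, accepted, stale, expired, len(cache)
```

`demo()` returns the cache size after the flood, whether the valid token was accepted, the authorization result after revocation at the AS, the result after expiry, and the final cache size.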