Closed athamark closed 2 years ago
After discussing with @johnbuluba, who is performing the review, I have performed a series of changes. All the respective changes can be found in the branch feature-athamark-cache-tokens-review. Here is the updated cover letter for my PR.
Introduce a caching mechanism for AuthService. When enabled, AuthService will store freshly authenticated Bearer Tokens in its cache for a configurable amount of time. Contrary to the existing implementation, when a client makes a request with a bearer token in its Authorization header, AuthService will examine whether this bearer token is cached:
Making a request to the Identity Provider to authenticate the same bearer token over and over again can be time-consuming. In many cases, AuthService has to make a request to the Identity Provider to verify that the examined token is valid.

With our mechanism AuthService only needs to authenticate this bearer token once via contacting the Identity Provider. Security-wise the admin should set the expiration time to values not greater than 5 minutes.
Description of your changes: To provide the aforementioned functionality we introduce the following envvars:

| Setting | Default Value | Description |
|---|---|---|
| CACHE_ENABLED | false | Set CACHE_ENABLED to true to enable caching. |
| CACHE_EXPIRATION_MINUTES | 5 (minutes) | Set the CACHE_EXPIRATION_MINUTES value to define how many minutes it takes for every cache entry to expire. |
We have tested our implementation for Dex as the integrated Identity Provider.
Add Caching Mechanism in AuthService
Introduce a caching mechanism for AuthService. When enabled, AuthService will store freshly authenticated Bearer Tokens in its cache for a configurable amount of time. Contrary to the existing implementation, when a client makes a request with a bearer token in its Authorization header, AuthService will examine whether this bearer token is cached:
Authenticating the same bearer token over and over again can be time-consuming. In many cases, AuthService has to make a request to the Identity Provider to verify that the examined token is valid.
With our mechanism AuthService only needs to authenticate this bearer token once via contacting the Identity Provider. Security-wise the admin should set both the expiration and cleanup interval times to values not greater than the life-expectancy of the token.
| Setting | Default Value | Description |
|---|---|---|
| CACHE_ENABLED | false | Set CACHE_ENABLED to true to enable caching. |
| CACHE_EXPIRATION | 5 (minutes) | Set the CACHE_EXPIRATION value to define how many minutes it takes for every cache entry to expire. |
| CACHE_CLEANUP_INTERVAL | 10 (minutes) | Set the CACHE_CLEANUP_INTERVAL value to define how many minutes it takes for every cache entry to be purged from the cache. |

We have tested our implementation for Dex as the integrated Identity Provider.
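The cache described in this PR (and in the comment above), as an added Go example that is not the PR's own code: the type and field names, the `verify` callback standing in for the Identity Provider round-trip, and the injectable clock are assumptions. It also turns the caveat from the description into a check, never keeping an entry beyond the token's own lifetime even when CACHE_EXPIRATION is longer.

```go
package main

import "time"

// UserInfo is what the Identity Provider (e.g. Dex) reports for a valid token;
// Expiry is the token's own lifetime, which caps how long it may be cached.
type UserInfo struct{ Subject string; Expiry time.Time }
// entry is a cached authentication result and the instant it stops being served.
type entry struct{ info UserInfo; until time.Time }
// TokenCache keeps freshly authenticated bearer tokens for at most ttl (CACHE_EXPIRATION);
// verify is the Identity Provider round-trip. Not goroutine-safe: a server would add a mutex.
type TokenCache struct {
	ttl      time.Duration
	now      func() time.Time // injectable clock, so expiry can be tested deterministically
	verify   func(token string) (UserInfo, error)
	entries  map[string]entry
	IdPCalls int // round-trips made to the Identity Provider
}

func NewTokenCache(ttl time.Duration, verify func(string) (UserInfo, error), now func() time.Time) *TokenCache {
	return &TokenCache{ttl: ttl, now: now, verify: verify, entries: map[string]entry{}}
}
// Authenticate serves a bearer token from cache when an unexpired entry exists,
// otherwise contacts the Identity Provider and caches the result.
func (c *TokenCache) Authenticate(token string) (info UserInfo, cached bool, err error) {
	if e, ok := c.entries[token]; ok && c.now().Before(e.until) {
		return e.info, true, nil
	}
	c.IdPCalls++
	if info, err = c.verify(token); err != nil {
		return UserInfo{}, false, err // rejected tokens are never cached
	}
	until := c.now().Add(c.ttl)
	if info.Expiry.Before(until) { // never cache beyond the token's own lifetime
		until = info.Expiry
	}
	c.entries[token] = entry{info, until}
	return info, false, nil
}

// Cleanup purges expired entries; run it every CACHE_CLEANUP_INTERVAL minutes.
func (c *TokenCache) Cleanup() (removed int) {
	for k, e := range c.entries {
		if !c.now().Before(e.until) {
			delete(c.entries, k)
			removed++
		}
	}
	return removed
}
```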