arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Add caching mechanism in AuthService #87

Closed athamark closed 2 years ago

athamark commented 2 years ago

Add Caching Mechanism in AuthService

Introduce a caching mechanism for AuthService. When enabled, AuthService will store freshly authenticated bearer tokens in its cache for a configurable amount of time. Contrary to the existing implementation, when a client makes a request with a bearer token in its Authorization header, AuthService will examine whether this bearer token is cached:

Authenticating the same bearer token over and over again can be time-consuming. In many cases, AuthService has to make a request to the Identity Provider to verify that the examined token is valid.

With our mechanism, AuthService only needs to authenticate this bearer token once by contacting the Identity Provider. Security-wise, the admin should set both the expiration and cleanup interval times to values not greater than the life expectancy of the token.

Description of your changes: To provide the aforementioned functionality we introduce the following envvars:

| Setting | Default Value | Description |
|---|---|---|
| CACHE_ENABLED | false | Set CACHE_ENABLED to true to enable caching. |
| CACHE_EXPIRATION | 5 (minutes) | Set the CACHE_EXPIRATION value to define how many minutes it takes for every cache entry to expire. |
| CACHE_CLEANUP_INTERVAL | 10 (minutes) | Set the CACHE_CLEANUP_INTERVAL value to define how many minutes it takes for every cache entry to be purged from the cache. |

We have tested our implementation for Dex as the integrated Identity Provider.

athamark commented 2 years ago

After discussing with @johnbuluba, who is performing the review, I have performed a series of changes. All the respective changes can be found in the branch feature-athamark-cache-tokens-review. Here is the updated cover letter for my PR.

Add Caching Mechanism in AuthService

Introduce a caching mechanism for AuthService. When enabled, AuthService will store freshly authenticated bearer tokens in its cache for a configurable amount of time. Contrary to the existing implementation, when a client makes a request with a bearer token in its Authorization header, AuthService will examine whether this bearer token is cached:

Making a request to the Identity Provider to authenticate the same bearer token over and over again can be time-consuming. In many cases, AuthService has to make a request to the Identity Provider to verify that the examined token is valid.

With our mechanism, AuthService only needs to authenticate this bearer token once by contacting the Identity Provider. Security-wise, the admin should set the expiration time to values not greater than 5 minutes.

Description of your changes: To provide the aforementioned functionality we introduce the following envvars:

| Setting | Default Value | Description |
|---|---|---|
| CACHE_ENABLED | false | Set CACHE_ENABLED to true to enable caching. |
| CACHE_EXPIRATION_MINUTES | 5 (minutes) | Set the CACHE_EXPIRATION_MINUTES value to define how many minutes it takes for every cache entry to expire. |

We have tested our implementation for Dex as the integrated Identity Provider.
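The cache described in the two cover letters above, as an added illustration that is not the PR's code: a hypothetical TokenCache that keys entries by a digest of the bearer token and bounds each entry's lifetime by both the configured expiration (the CACHE_EXPIRATION_MINUTES setting) and the token's own expiry, which is the "not greater than the token's lifetime" caveat the author raises. The type, function names and the explicit `now` parameter are assumptions made for testability.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sync"
	"time"
)

// TokenCache is a hypothetical cache of IdP-verified bearer tokens (not the PR's code).
type TokenCache struct {
	mu      sync.Mutex
	ttl     time.Duration        // the CACHE_EXPIRATION_MINUTES setting
	entries map[string]time.Time // token digest -> moment the entry expires
}

func NewTokenCache(ttl time.Duration) *TokenCache {
	return &TokenCache{ttl: ttl, entries: make(map[string]time.Time)}
}

// cacheKey stores a digest, not the raw token, so a cache dump yields no usable credentials.
func cacheKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Put records a freshly authenticated token. The entry lives for the configured
// TTL but never past tokenExpiry: a cache entry must not outlive the token.
func (c *TokenCache) Put(token string, tokenExpiry, now time.Time) {
	expires := now.Add(c.ttl)
	if tokenExpiry.Before(expires) {
		expires = tokenExpiry
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[cacheKey(token)] = expires
}

// Lookup reports whether token is cached and still valid at now; stale entries are dropped lazily.
func (c *TokenCache) Lookup(token string, now time.Time) bool {
	key := cacheKey(token)
	c.mu.Lock()
	defer c.mu.Unlock()
	expires, ok := c.entries[key]
	if !ok || !now.Before(expires) {
		delete(c.entries, key)
		return false
	}
	return true
}
```

Dropping stale entries on access means a token that is never looked up again is never purged; a real service would still want a periodic sweep like the CACHE_CLEANUP_INTERVAL of the first revision.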