cloudfoundry / uaa

CloudFoundry User Account and Authentication (UAA) Server
Apache License 2.0

Fix performance issue with external identity provider lookup [OIDC] #2821

Open strehle opened 3 months ago

strehle commented 3 months ago

What version of UAA are you running?

Develop, latest UAA

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

How are you deploying the UAA?

I am deploying the UAA

What did you do?

  1. Add many external SAML or OIDC to an identity zone (> 10.000)
  2. Perform a SAML / OIDC login
  3. Check login times / DB metrics

What did you expect to see? What goal are you trying to achieve with the UAA?

Login < 1s, without memory and/or DB issues

What did you see instead?

With SAML there are memory issues, with OIDC mainly DB issues. Why:

This readALL pattern should be prevented and identity_provider DB should have a field like external_key (type string) with an index on it. This should solve the lookup from external token to UAA IdP. External_key should contain entityID in case of SAML and issuer in case of OIDC/OAuth

cf-gitbot commented 3 months ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187412158

The labels on this github issue will be updated when the story is started.

strehle commented 1 month ago

@hsinn0 see https://github.com/cloudfoundry/uaa/issues/2825#issuecomment-2160296620 I will start on a fix soon, plan is a) add externalKey as new column into identity_provider b) add index for externalKey and zone_id to allow a lookup from a token to the IDP.

-> externalKey is issuer in case of OIDC and should be entityID in case of SAML
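The two comments above describe the same change: stop scanning every provider in a zone and decoding its config to find the one that matches a token's issuer (OIDC) or entityID (SAML), and instead store that value in a dedicated `external_key` column indexed together with `zone_id`. The following is an added example, not UAA's code, that sketches both sides of that change on a constructed SQLite table. The `identity_provider` layout, the JSON config keys `issuer` and `entityID`, the provider rows and the index name `idx_idp_zone_external_key` are all assumptions for the demo; only the column name `external_key` and the idea of a `(zone_id, external_key)` index come from the issue.

```python
"""Added example (not UAA code): readALL lookup vs. indexed external_key lookup.

Everything here is constructed for illustration: the simplified identity_provider
table, the JSON config keys and the sample providers. The external_key column and
the (zone, external_key) index follow the proposal in the issue.
"""
import json
import sqlite3

# Constructed sample identifiers used by the demo rows below.
OKTA_ISSUER = "https://okta.example/oauth2/default"
ADFS_ENTITY_ID = "https://adfs.example/adfs/services/trust"


def _external_key(ptype, config_json):
    """Derive the external key from the provider config (constructed keys):
    the issuer for OIDC providers, the entityID for SAML providers, None otherwise."""
    cfg = json.loads(config_json)
    if ptype == "oidc1.0":
        return cfg.get("issuer")
    if ptype == "saml":
        return cfg.get("entityID")
    return None


def build_db():
    """Create an in-memory table with a few constructed providers in two zones."""
    con = sqlite3.connect(":memory:")
    con.execute("""
        CREATE TABLE identity_provider (
            id               TEXT PRIMARY KEY,
            origin_key       TEXT NOT NULL,
            type             TEXT NOT NULL,
            identity_zone_id TEXT NOT NULL,
            config           TEXT NOT NULL   -- provider config as a JSON document
        )
    """)
    rows = [
        ("p0", "uaa", "uaa", "uaa", {}),                      # internal provider, no external key
        ("p1", "okta", "oidc1.0", "uaa", {"issuer": OKTA_ISSUER}),
        ("p2", "adfs", "saml", "uaa", {"entityID": ADFS_ENTITY_ID}),
        ("p3", "okta", "oidc1.0", "zone-b", {"issuer": OKTA_ISSUER}),  # same issuer, other zone
    ]
    con.executemany(
        "INSERT INTO identity_provider VALUES (?, ?, ?, ?, ?)",
        [(i, o, t, z, json.dumps(c)) for i, o, t, z, c in rows])
    con.commit()
    return con


def read_all_lookup(con, zone_id, external_id):
    """The readALL pattern the issue describes: load every provider of the zone and
    decode each config until one matches. Returns (provider id or None, rows scanned);
    the scan count grows with the number of providers in the zone."""
    cur = con.execute(
        "SELECT id, type, config FROM identity_provider WHERE identity_zone_id = ? ORDER BY id",
        (zone_id,))
    scanned = 0
    for pid, ptype, config in cur:
        scanned += 1
        if _external_key(ptype, config) == external_id:
            return pid, scanned
    return None, scanned


def migrate_external_key(con):
    """Proposed fix: add external_key, backfill it from the stored config, and index
    it together with the zone so a token can be mapped to its provider directly."""
    con.execute("ALTER TABLE identity_provider ADD COLUMN external_key TEXT")
    for pid, ptype, config in con.execute(
            "SELECT id, type, config FROM identity_provider").fetchall():
        con.execute("UPDATE identity_provider SET external_key = ? WHERE id = ?",
                    (_external_key(ptype, config), pid))
    # Zone must be part of the key: the same issuer may legitimately exist in
    # several zones and must never resolve across zone boundaries.
    con.execute("CREATE INDEX idx_idp_zone_external_key "
                "ON identity_provider (identity_zone_id, external_key)")
    con.commit()


def indexed_lookup(con, zone_id, external_id):
    """Point lookup after the migration. Returns all matching provider ids so a
    caller can treat more than one hit in a zone as a configuration error."""
    rows = con.execute(
        "SELECT id FROM identity_provider WHERE identity_zone_id = ? AND external_key = ? "
        "ORDER BY id", (zone_id, external_id)).fetchall()
    return [r[0] for r in rows]


def uses_index(con):
    """Practitioner check: confirm the planner uses the new index for the lookup
    rather than falling back to a table scan."""
    plan = con.execute(
        "EXPLAIN QUERY PLAN SELECT id FROM identity_provider "
        "WHERE identity_zone_id = ? AND external_key = ?", ("uaa", OKTA_ISSUER)).fetchall()
    return any("idx_idp_zone_external_key" in str(row[-1]) for row in plan)


if __name__ == "__main__":
    db = build_db()
    print("readALL:", read_all_lookup(db, "uaa", ADFS_ENTITY_ID))
    migrate_external_key(db)
    print("indexed:", indexed_lookup(db, "uaa", OKTA_ISSUER), "index used:", uses_index(db))
```

The example returns the scan count from the readALL path so the cost of decoding every provider's config is visible even on four rows; on a zone with more than 10.000 providers that is the DB load the issue reports. The indexed path returns a list rather than a single row on purpose: once lookup is by `(zone_id, external_key)`, two providers in one zone sharing an issuer would make token attribution ambiguous, and that case is better rejected than silently resolved to the first hit.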