[Performance] Authentication middleware

[sebastienros]

• [x] Add cert support to http client load client
• [x] Add baseline scenarios for cert/jwt
• [x] Add reporting/charts for cert/jwt
• [x] Add competitive scenarios for cert/jwt for comparison
• [ ] Figure out what the target improvements/goals are
• [ ] Investigate traces and improve performance
• [x] Add scenario using https://github.com/uruk-project/Jwt/ as comparison
• [ ] Add baseline for cookie auth
• [x] Improve JwtSecurityTokenHandler.ValidateToken perf (locking?)
• [ ] Consider adding some form of caching invalid/expired certs

Improve performance characteristics of authentication middleware.

Areas of interest:

• JWT
• Certificate based authentication

[Tratcher]

• Cookie authentication

[HaoK]

@sebastienros what's the best way for me to started on this issue, I'm assuming add some baseline scenario tests to get initial numbers and profiles?

[HaoK]

Adding table for tracking some initial numbers (using existing mvc product crud APIs):

Scenario	request/second	%
Jwt bombadier Baseline (Auth/JwtAuth = false)	97,840	0%
UseAuthN/AuthZ (no app usage)	93,830	-4%
UseAuthN/AuthZ (with allow anon)	88,658	-9.5%
UseAuthN/AuthZ (send jwt + default scheme + no valid audience/issuer)	41,133	-58%
UseAuthN/AuthZ (send jwt + default scheme + valid audience/issuer)	48,447	-50.5%
UseAuthN/AuthZ (custom jwtwebtoken handler send jwt + default scheme + valid audience/issuer)	66,035	-32.5%
UseAuthN/AuthZ (with 6.8.0 handler send jwt + default scheme + valid audience/issuer)	54,189	-44.6%
Cert http client Baseline(Auth/CertAuth = false)	71,668	0%
UseAuthN/AuthZ (with expired cert, https, ssl required, cert cache miss, cert forwarding)	13,085	-81.7%
UseAuthN/AuthZ (with expired cert, https, ssl required, cert cache miss, no cert forwarding)	13,337	-81.4%
UseAuthN/AuthZ (with expired cert, https, ssl required, cert cache hit with removed expiry check, no cert forwarding)	58,960	-17.8%

[HaoK]

Just sending an authorization bearer header with jwtbearer authentication as the default scheme results in a drop to 41,133 requests/second so a -58% hit

[sebastienros]

Status: @HaoK has started looking at traces

[HaoK]

Next steps following sync up:

Jwt

• Focus on micro benchmark of JwtSecurityToken.ValidateToken

Cert

• Look into why cert caching is not working
• Try ARR-Header to avoid ssl

Cookies

• Add baseline scenario for traces

Also remove MVC from the scenarios to reduce clutter

[HaoK]

@brentschmaltz @jmprieur just giving you guys a heads up that I'm going to be playing a bit around and looking at micro benchmarking JwtSecurityToken.ValidateToken since it seems to be a hot path in our current perf benchmarks. If you've done any work in this area already, or if there's any preferred way you'd like us to collaborate on perf improvements here, please let us know

[HaoK]

Starting profile using VS of ValidateToken of our current jwt token in a loop 100x

And starting BenchmarkDotNumber numbers for ValidateToken

Method	Mean	Error	StdDev	Gen 0	Gen 1	Gen 2	Allocated
Validate	25.54 us	34.87 us	1.912 us	4.5776	-	-	18.73 KB

[HaoK]

Updates:

• Jwt: Moving to the 6.8 packages should take Jwt perf from -51%(48k) to -45% by eliminating locking (54k rps)
• Jwt: Using a simple custom auth handler implementation of JsonWebToken 3rd party package for comp (66k rps)
• Cert: Removing the expired cert check in the cache code, shows that cert cache hits go from -81% to -17% compared to baseline (no auth)

[MessyFork]

Is there any chance of using AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1365 ? I remember seeing claims of massive speed improvements from moving to the new class.

[HaoK]

Updated perf view removing MVC with the new 6.8 packages:

JWT

[HaoK]

Cert perf with no mvc and a valid cert and validation cache hit, basically don't see cert auth at all in the profile now