hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

Enable setting for minimum request interval for JWK #9005

Open wonkim-dev opened 2 years ago

wonkim-dev commented 2 years ago

Is your proposal related to a problem?

I am using Keycloak as the auth provider and Hasura to expose GraphQL queries. I am using the jwk_url of the HASURA_GRAPHQL_JWT_SECRET variable to provide the Keycloak certs endpoint. Since the response from the Keycloak certs endpoint has no-cache in the Cache-Control header, Hasura fetches the JWK from the Keycloak endpoint every second (https://hasura.io/docs/latest/auth/authentication/jwt/#rotating-jwks), which results in too many unnecessary requests from Hasura to Keycloak in the service. Similar issues were already discussed in https://github.com/hasura/graphql-engine/issues/8299. Therefore the following log appears every second.

hasura_1        | {"detail":{"error":null,"message":"refreshing JWK from endpoint: http://.../protocol/openid-connect/certs"},"level":"info","timestamp":"2022-09-26T08:16:24.257+0000","type":"jwk-refresh-log"}

Describe the solution you'd like

Is it possible to make this configurable via environment variables like

With one of these options, Hasura can fetch the JWK from the auth provider at a desired interval.

SamirTalwar commented 2 years ago

This seems like a duplicate of #8730. Is it the same issue?

CameronNemo commented 2 years ago

@SamirTalwar that issue refers to the excessive logs, but this is referring to the excessive requests. Ideally each instance of Hasura would not hammer Keycloak with 1 req/s. That is a bit much considering the certs expire maybe every few hours, at most. A default of 30s and a configuration knob to customize would be ideal from my perspective.

Notalifeform commented 2 years ago

Our Auth0 setup has a cache header of 15 seconds.

< HTTP/1.1 200 OK
< Date: Wed, 23 Nov 2022 21:11:13 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< CF-Ray: 76ece5675c73b968-AMS
< Access-Control-Allow-Origin: *
< Cache-Control: public, max-age=15, stale-while-revalidate=15, stale-if-error=86400

(I did not find a way to change the cache timeout.)

That also feels like a waste of resources, so this feature might come in handy for that.

pleclech commented 1 year ago

Hi, why not give an option to specify the refresh time? Disabling jwk-refresh-log only works for Hasura's own logs, but for example I have a proxy between Hasura and the JWKS server and Hasura is hammering the proxy every second. I can't do anything on the side of the JWKS server.
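A sketch of the behaviour requested in this thread, added here as an illustration and not taken from Hasura's code base or from any commenter: derive the JWKS refresh delay from the response's Cache-Control header and clamp it to a configured floor. The `min_interval` parameter and all function names are hypothetical; the 1-second fallback for no-cache responses follows the issue description, and the Auth0 header is the one quoted above.

```python
# Hypothetical sketch: none of these names exist in Hasura.
FALLBACK_SECONDS = 1  # the issue reports a fetch every second when the response says no-cache


def parse_cache_control(header):
    """Split a Cache-Control value into {directive: value or None}."""
    directives = {}
    for part in (header or "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"') or None
    return directives


def next_refresh_delay(cache_control, min_interval=0):
    """Seconds to wait before the next JWKS fetch.

    min_interval stands in for the knob requested in this issue (assumed name).
    """
    d = parse_cache_control(cache_control)
    delay = FALLBACK_SECONDS
    if "no-cache" not in d and "no-store" not in d:
        max_age = d.get("max-age")
        if max_age is not None and max_age.isdecimal():
            delay = int(max_age)
    # Never poll faster than the floor, and never faster than once a second.
    return max(delay, min_interval, FALLBACK_SECONDS)


def fetches_per_day(delay_seconds):
    """Requests one instance sends to the JWKS endpoint in 24 hours."""
    return 86400 // delay_seconds


if __name__ == "__main__":
    samples = {
        "keycloak (constructed from the issue text)": "no-cache",
        "auth0 (header quoted in the thread)":
            "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
    }
    for label, header in samples.items():
        for floor in (0, 30):  # 30s is the default suggested in the thread
            delay = next_refresh_delay(header, min_interval=floor)
            print(f"{label}: floor={floor}s -> every {delay}s, "
                  f"{fetches_per_day(delay)} fetches/day")
```

A higher floor also delays how quickly a rotated or withdrawn signing key is picked up, so the value should stay well below the provider's key rotation period.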