jaredhanson / passport-google

Google (OpenID) authentication strategy for Passport and Node.js.
MIT License

Google SSO with passport-google very slow on production server #14

Closed louischatriot closed 11 years ago

louischatriot commented 11 years ago

Hello,

I'm using passport-google to manage single sign-on with Google. Upon clicking the SSO link, it takes about 1 second when I'm on my development machine but about 5 in production. I checked that it's not my database queries that are slow. The 5 seconds are spent before the callback in passport.use(new GoogleStrategy) is called.

Is this expected?

Cheers, Louis

jaredhanson commented 11 years ago

No. There are some OpenID HTTP requests being made during that time, I'd see if there's any infrastructure in your production environment that would be throttling those. It doesn't seem like this is an issue with Passport code (since Passport doesn't switch based on environments), so I'm closing this. If you get some metrics and can pinpoint otherwise, reopen this issue.

louischatriot commented 11 years ago

OK, thanks for answering. I'll start investigating whether this difference comes from infrastructure and let you know.

louischatriot commented 11 years ago

I just tested by disabling request throttling but it didn't have any impact. Specifically, the two steps that are slow are the two times passport.authenticate('google') is called, especially the first time when the assertion verification occurs. I didn't go deep into the code since it is a bit hard to follow with all the nested strategies; I only went as far as openid.authenticate, which makes the assertion check. I could go deeper if you have an idea where I should look.

Also, SSO is much faster on my local machine but still slow compared to SSO on other websites (900ms vs 400ms).

louischatriot commented 11 years ago

To be clearer, here are the two places that take a lot of time. Both are in the file passport-google/node_modules/passport-openid/lib/passport-openid/strategy.js, in the function defined by Strategy.prototype.authenticate (in my version it's line 123). Here is what happens:

1) This function is called immediately upon clicking the login button, and executes the else of the big if clause. It immediately arrives at this._relyingParty.authenticate (line 195 for me), which takes about 3s to call its callback.
2) The callback calls my return URL, which in turn calls this function again, immediately. This time the big if condition is satisfied.
3) this._relyingParty.verifyAssertion is immediately called (line 144 for me) but takes a further 1.2s to call its callback.
4) Once the callback is called, the rest of the process is instantaneous (~10ms).

So I am interested in understanding what this._relyingParty.authenticate and this._relyingParty.verifyAssertion do that can take so much time.

Thanks again, Louis
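One way to collect the per-call timings described in the comment above, as an added example that is not code from this thread or from passport-openid. It assumes both relying-party methods take a Node-style callback as their last argument; `instrument` and `makeFakeRelyingParty` are hypothetical names, and the fake object with its delays is constructed so the block runs offline.

```javascript
// Wrap callback-style methods on an object (for example the relying party
// held in this._relyingParty) and record how long each call takes to
// invoke its callback.
function instrument(target, methodNames, records) {
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== 'function') {
      throw new TypeError(name + ' is not a method on the target');
    }
    target[name] = function (...args) {
      const callback = args.pop(); // assumption: callback is the last argument
      if (typeof callback !== 'function') {
        throw new TypeError(name + ' was called without a callback');
      }
      const started = process.hrtime.bigint(); // monotonic clock, nanoseconds
      return original.call(this, ...args, function (err, ...results) {
        const ms = Number(process.hrtime.bigint() - started) / 1e6;
        records.push({ name, ms, failed: Boolean(err) });
        return callback.call(this, err, ...results);
      });
    };
  }
  return target;
}

// Constructed stand-in for the relying party: the timers replace the
// network round trips of the real object, and the delays are made up.
function makeFakeRelyingParty() {
  return {
    authenticate(identifier, immediate, cb) {
      setTimeout(() => cb(null, 'https://op.example/auth?constructed=1'), 30);
    },
    verifyAssertion(req, cb) {
      setTimeout(() => cb(null, { authenticated: true }), 12);
    },
  };
}

function demo(done) {
  const records = [];
  const rp = instrument(makeFakeRelyingParty(),
    ['authenticate', 'verifyAssertion'], records);
  rp.authenticate('https://op.example/id', false, () => {
    rp.verifyAssertion({ url: '/auth/google/return' }, () => done(records));
  });
}

demo((records) => {
  for (const r of records) console.log(r.name + ': ' + r.ms.toFixed(1) + ' ms');
});
```

Comparing these records between the development and production hosts shows whether the time is spent inside the relying-party calls on both, before looking at DNS, proxies or outbound firewall rules.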

frozonfreak commented 11 years ago

+1. Same issue here.