Authentication - scalable auth

[mdutoo]

To be scalable, Datacore should not call Kernel for HTTP each request (ex. introspection endpoint to validate Bearer / access token header and get groups). Expiry time for this behaviour should be ex. 1h like Atol access tokens.

20141110 update : the difference in latency between mock auth and OAuth2 Kernel token check has become very visible in the new playground UI auth. The simplest solution is to put a constrained FIFO map cache when checking token in RemoteTokenServices (and possibly when playground gets one in PlaygroundAuthenticationResource).

OBSOLETED on 20141110 :

• NO Do it using existing Spring Security mechanisms if possible.
  • session management. Can be used if it stores an authentified OAuth2 Authentication in session, and reuses it in another request if its own Bearer / access token header match, if not expired. However, using session for this is maybe too much, since there is no need for a session besides that (no business model to keep in memory between requests), which is itself a good thing for scalability.
  • NOT USEFUL auth kept across session through cookie, by Remember-Me Authentication using InMemoryTokenRepositoryImpl. That's not what we want, and we don't want (non test ex. browser) Datacore clients to use cookies. In addition, it makes browser-based testing harder, so it may as well be disabled if possible (check it by putting breakpoints in InMemoryTokenRepositoryImpl or the filter).
• So probably rather : develop a CachedIntrospectionEndpointClient using a HashMap (or even an EHCache ?!) of cached recently validated token and user information, on top of the regular JAXRS client that checks the access token expiry time.
  • note that expired tokens are not to be renewed with in Datacore but in client apps ex. https://github.com/pole-numerique/oasis-citizenkin/issues/33
  • however when shown a token, if it's getting old (expiration time has gone, or its age is more than a configured prop ex. 10 min), the cache should call the Introspection endpoint again (to validate it and get user information) and re-cache it
  • OPT make it expire on user logout, by listening to logout events (see Kernel EventBus API) if any (ex. emitted by Portal)

[mdutoo]

spring-conf'd EHCache of access_token

• see conf in commit log above
• still TODO evict on logout