panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

cache discovered issuers #163

Closed travisghansen closed 5 years ago

travisghansen commented 5 years ago

Is your feature request related to a problem? Please describe: No.

Describe the solution you'd like: I'm building a relatively unique tool where the issuer/client_id/client_secrets/etc. are dynamically consumed. I'd like to cut down on the number of requests going over the wire from executing Issuer.discover(url) over and over.

Describe alternatives you've considered: I've considered caching the metadata on first discover and then using it to build up the issuer manually on subsequent invocations using new Issuer({cached metadata}), but I'm unclear what the potential downsides of this may be.

Additional context: I'm developing a tool to easily make openid work with reverse proxies that support 'external' or 'forward' authentication. Primarily focused on Kubernetes, but the tool should work generally. As such I want the configuration extremely dynamic, so I'm basically embedding all of the client configuration as a GET parameter used in the forward auth URL. The request is made as a sub-request of the reverse proxy to the service I'm working on, which then decodes the client details and discovers the issuer all inside a single HTTP request handler (i.e., details are thrown away after the request is handled). I'd like to cut down on all the issuer discovery traffic :)

panva commented 5 years ago

If you don’t want discovery just instantiate. If you instantiate with the same metadata as would be discovered there’s no downside.

travisghansen commented 5 years ago

@panva thanks for the quick answer! What's the best approach? Pass the full metadata attribute in, or pass in explicitly only the attributes that are shown in the README.md example?

Couple other related questions:

panva commented 5 years ago

> Pass the full metadata attribute in, or pass in explicitly only some attributes

full metadata

> Does building the client (new issuer.Client()) go over the wire?

no

> How about retrieved public keys? Are those currently cached at all? Any tips for approaching that one?

They are cached after being fetched when they're needed for a new issuer instance, no tips.
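
An added example, not part of the thread and not openid-client's own code: one way to cache the full discovered metadata per issuer URL and rebuild the issuer from it, with a TTL, a size bound (the URL arrives in a request parameter) and coalescing of concurrent discoveries. The names `createIssuerCache`, `discover`, `construct`, `ttlMs`, `maxEntries` and the one-hour default are assumptions; the two callbacks are injected so the block runs offline.

```javascript
// Added example: TTL + size-bounded cache for discovered issuer metadata.
// `discover` and `construct` are hypothetical injected callbacks; with
// openid-client they would be (url) => Issuer.discover(url) and
// (metadata) => new Issuer(metadata), the two calls discussed in the thread.
function createIssuerCache({ discover, construct, ttlMs = 3600000, maxEntries = 100, now = Date.now }) {
  const entries = new Map();  // issuer URL -> { metadata, expires }
  const inFlight = new Map(); // issuer URL -> pending discovery promise

  function get(issuerUrl) {
    const hit = entries.get(issuerUrl);
    if (hit && hit.expires > now()) {
      // Fresh hit: rebuild the issuer from the full cached metadata, no network.
      return Promise.resolve(construct({ ...hit.metadata }));
    }
    entries.delete(issuerUrl); // expired or absent

    // Coalesce concurrent misses so a burst of requests triggers one discovery.
    if (inFlight.has(issuerUrl)) return inFlight.get(issuerUrl);

    const pending = Promise.resolve()
      .then(() => discover(issuerUrl))
      .then((issuer) => {
        // Bound memory: evict the oldest entry (Map keeps insertion order).
        if (entries.size >= maxEntries) entries.delete(entries.keys().next().value);
        // Store a copy of the whole metadata object, not selected fields.
        entries.set(issuerUrl, { metadata: { ...issuer.metadata }, expires: now() + ttlMs });
        return issuer;
      })
      .finally(() => inFlight.delete(issuerUrl)); // failed discoveries are never cached
    inFlight.set(issuerUrl, pending);
    return pending;
  }

  return { get, size: () => entries.size };
}
```

The TTL controls how long a change in the provider's published metadata can go unnoticed, so it should be chosen with that in mind.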