travelaudience / nexus-proxy

A proxy for Nexus Repository Manager that allows for optional authentication against external identity providers.
Apache License 2.0

Authentication tokens survive restarts #3

Closed. pires closed this 6 years ago

pires commented 6 years ago

This issue is a feature request.

Right now, the authentication tokens are stored in-memory only, meaning that every time the nexus-proxy is started, an empty cache is initialized and any previously assigned authentication tokens are revoked and users need to authenticate again, get new tokens and reconfigure their tools.

We should add a persistent backend to mitigate this issue.

One suggestion is to create a pluggable mechanism that will allow for anyone to implement their own storage backends. By default, it would be in-memory only.

pires commented 6 years ago

After looking once more into the code, I realized my assumption is wrong - this is what happens when you context-switch too much, you forget the little details. Anyway, the tokens do not need to be stored server-side because they are a self-contained proof that the user was authenticated once. Instead of validating this proof on every request, and thinking about preventing DoS on a busy Nexus setup, we optimize the procedure by verifying an in-memory cache. If the proof is not there, then nexus-proxy will try and prove it.

@arochaf this means nexus-proxy can be restarted without problems other than maybe each user's first request will need to be proved, and since this happens against Cloud IAM, there will be increased latency - but nothing we should be concerned about.