zamzterz / Flask-pyoidc

Flask extension for using pyoidc as authentication for Flask apps.
Apache License 2.0

Added caching for token introspection request #138

Closed infohash closed 1 year ago

infohash commented 2 years ago

It is recommended to use caching for token introspection request as there can be many requests fired by the same user. The cached requests must be short lived and time aware. The default size that I have set to expire cache is 5 minutes (300 seconds) and the max cache size is 1024. This can be changed by the user from ProviderConfiguration.

The trade-off with this is even if the token is revoked for some user, the user will still be able to access the resource for another 5 minutes. It is possible to turn off the caching entirely by setting time to live to zero.
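To make the behaviour described above concrete, here is an added example of a bounded, time-aware cache placed in front of an introspection call. It is not flask-pyoidc's code and not the PR's implementation; it only mirrors the stated defaults (300 second TTL, 1024 entries) and the rule that a TTL of 0 disables caching. The `introspect` callable, the `IntrospectionCache` class, the injectable `clock` and the fake provider in `demo()` are all assumptions constructed for the example. The demo reproduces the trade-off the comment mentions: after the provider revokes a token, the cache keeps answering "active" until the entry expires.

```python
import hashlib
import time
from collections import OrderedDict
from typing import Callable, Dict, Tuple

# Defaults mirroring the values quoted in the PR discussion (assumed names).
DEFAULT_CACHE_TTL = 300        # seconds; 0 disables caching entirely
DEFAULT_CACHE_MAXSIZE = 1024   # bounded so a flood of distinct tokens cannot grow memory


class IntrospectionCache:
    """Per-entry expiry plus oldest-first eviction, keyed by a hash of the token.

    Keying by sha256 rather than the raw bearer token means a memory dump or
    debug log of the cache does not reveal usable credentials.
    """

    def __init__(self, introspect: Callable[[str], Dict], ttl: int = DEFAULT_CACHE_TTL,
                 maxsize: int = DEFAULT_CACHE_MAXSIZE,
                 clock: Callable[[], float] = time.time) -> None:
        self._introspect = introspect   # the real network call: token -> introspection response
        self._ttl = ttl
        self._maxsize = maxsize
        self._clock = clock             # injectable so expiry can be tested deterministically
        self._entries: "OrderedDict[str, Tuple[float, Dict]]" = OrderedDict()
        self.misses = 0                 # number of real introspection calls made

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def __len__(self) -> int:
        return len(self._entries)

    def contains(self, token: str) -> bool:
        """True only if the token has an unexpired cache entry."""
        hit = self._entries.get(self._key(token))
        return hit is not None and hit[0] > self._clock()

    def lookup(self, token: str) -> Dict:
        if self._ttl <= 0:              # caching disabled: always ask the provider
            self.misses += 1
            return self._introspect(token)
        now = self._clock()
        key = self._key(token)
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]               # fresh entry: no network round trip
        self.misses += 1
        result = self._introspect(token)
        self._entries.pop(key, None)    # re-insert so the entry moves to the newest position
        self._entries[key] = (now + self._ttl, result)
        while len(self._entries) > self._maxsize:
            self._entries.popitem(last=False)   # evict the oldest entry
        return result


def demo() -> Dict[str, object]:
    """Walk through hit, revocation lag, expiry, eviction and the ttl=0 bypass."""
    now = [1000.0]                                  # constructed fake clock
    active = {"tok-A": True}                        # constructed fake provider state
    calls = []

    def introspect(token: str) -> Dict:             # stands in for the HTTP introspection call
        calls.append(token)
        return {"active": active.get(token, False)}

    cache = IntrospectionCache(introspect, ttl=300, maxsize=2, clock=lambda: now[0])
    first = cache.lookup("tok-A")["active"]         # network call
    second = cache.lookup("tok-A")["active"]        # served from cache
    active["tok-A"] = False                         # provider revokes the token
    stale = cache.lookup("tok-A")["active"]         # still True: the revocation lag
    now[0] += 301                                   # past the TTL
    fresh = cache.lookup("tok-A")["active"]         # re-checked: now False
    cache.lookup("tok-B")
    cache.lookup("tok-C")                           # third entry exceeds maxsize=2
    evicted_oldest = not cache.contains("tok-A")

    off = IntrospectionCache(introspect, ttl=0, clock=lambda: now[0])
    off.lookup("tok-A")
    off.lookup("tok-A")                             # every lookup hits the provider

    return {"first": first, "second": second, "stale": stale, "fresh": fresh,
            "evicted_oldest": evicted_oldest, "cache_size": len(cache),
            "network_calls_cached": cache.misses, "network_calls_uncached": off.misses}


if __name__ == "__main__":
    print(demo())
```

The `stale` value in the demo is exactly the window the comment warns about: choosing a shorter TTL narrows it, and `ttl=0` removes it at the cost of one introspection round trip per request.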

infohash commented 2 years ago

@zamzterz What do you think? This idea is taken from google documentation on verifying the token. They recommend short lived caching of introspection response.

zamzterz commented 2 years ago

Thanks for the PR! 🙇

I think it falls slightly outside the scope of flask-pyoidc - as you say it impacts the authorisation (the user may have access even after their access token has expired), which I think is best left to the users of this SDK. It should be easy to apply the caching decorator if needed by the users of this SDK. But a note in the documentation could possibly be added, recommending to do this.

infohash commented 2 years ago

Caching can be turned off entirely by setting ProviderConfiguration.DEFAULT_CACHE_TTL to 0. By default, we can set it to 0 and let the user decide if he wants to enable it.

> It should be easy to apply the caching decorator if needed by the users

Like how?

zamzterz commented 2 years ago

> Like how?

I misread the API, it's not easily doable right now, so let's go with your implementation instead. I've added some review comments to address security concerns.

infohash commented 1 year ago

Closing this as caching can be provided by the framework and is out of scope of OIDC. Also, Cachetools only provides in-memory caching which is not suitable for large-scale services.