Closed infohash closed 1 year ago
@zamzterz What do you think? This idea is taken from Google's documentation on verifying the token. They recommend short-lived caching of the introspection response.
Thanks for the PR! 🙇
I think it falls slightly outside the scope of flask-pyoidc - as you say it impacts the authorisation (the user may have access even after their access token has expired), which I think is best left to the users of this SDK. It should be easy to apply the caching decorator if needed by the users of this SDK. But a note could possibly be added to the documentation, recommending to do this.
Caching can be turned off entirely by setting ProviderConfiguration.DEFAULT_CACHE_TTL to 0. By default, we can set it to 0 and let the user decide if they want to enable it.
It should be easy to apply the caching decorator if needed by the users
Like how?
I misread the API, it's not easily doable right now, so let's go with your implementation instead. I've added some review comments to address security concerns.
Closing this as caching can be provided by the framework and is out of scope of OIDC. Also, cachetools only provides in-memory caching, which is not suitable for large-scale services.
It is recommended to use caching for token introspection requests as there can be many requests fired by the same user. The cached requests must be short-lived and time-aware. The default time I have set for cache expiry is 5 minutes (300 seconds) and the max cache size is 1024. This can be changed by the user from ProviderConfiguration. The trade-off with this is that even if the token is revoked for some user, the user will still be able to access the resource for another 5 minutes. It is possible to turn off the caching entirely by setting the time to live to zero.
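The caching scheme discussed in this thread (a time-aware, size-bounded cache in front of the introspection endpoint, TTL 300 seconds, 1024 entries, TTL 0 to disable) and its revocation trade-off, as an added example that is not part of flask-pyoidc or of this PR. The cache below is a stdlib stand-in for cachetools.TTLCache with the same two knobs; `IntrospectionCache`, `cached_introspect`, `FakeProvider` and the `DEFAULT_CACHE_*` names are this example's own, not the project's API, and `FakeProvider` is a constructed substitute for a real provider. Two practitioner additions beyond the thread: cache keys are hashes of the token rather than the raw bearer token, and a cached entry is capped at the token's own `exp` claim so it can never outlive the token.

```python
import hashlib
import time
from collections import OrderedDict
from typing import Any, Callable, Dict, Optional

# Defaults matching the values discussed in the thread: 5 minutes, 1024 entries.
DEFAULT_CACHE_TTL = 300
DEFAULT_CACHE_MAXSIZE = 1024


class IntrospectionCache:
    """Time-aware LRU cache for introspection responses (stdlib stand-in for
    cachetools.TTLCache). `clock` returns wall-clock seconds and is injectable
    so the revocation window can be shown without sleeping."""

    def __init__(self, ttl: int = DEFAULT_CACHE_TTL,
                 maxsize: int = DEFAULT_CACHE_MAXSIZE,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl
        self.maxsize = maxsize
        self._clock = clock
        self._entries: "OrderedDict[str, tuple]" = OrderedDict()

    def __len__(self) -> int:
        return len(self._entries)

    @staticmethod
    def _key(token: str) -> str:
        # Key on a hash, not the raw bearer token, so a heap dump or a debug
        # print of the cache does not hand out usable credentials.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def get(self, token: str) -> Optional[Dict[str, Any]]:
        if self.ttl <= 0:               # ttl 0 means caching is off: always a miss
            return None
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, response = entry
        if self._clock() >= expires_at:
            del self._entries[key]      # stale entry behaves like a miss
            return None
        self._entries.move_to_end(key)  # LRU touch
        return response

    def put(self, token: str, response: Dict[str, Any]) -> None:
        if self.ttl <= 0:
            return
        expires_at = self._clock() + self.ttl
        # Never let a cached "active" answer outlive the token itself: cap the
        # entry at the token's own exp claim when the provider returned one.
        exp = response.get("exp")
        if isinstance(exp, (int, float)) and not isinstance(exp, bool):
            expires_at = min(expires_at, float(exp))
        key = self._key(token)
        self._entries[key] = (expires_at, response)
        self._entries.move_to_end(key)
        while len(self._entries) > self.maxsize:
            self._entries.popitem(last=False)  # evict least recently used


def cached_introspect(cache: IntrospectionCache,
                      introspect: Callable[[str], Dict[str, Any]],
                      token: str) -> Dict[str, Any]:
    """Consult the cache first, otherwise call the provider and remember the answer."""
    hit = cache.get(token)
    if hit is not None:
        return hit
    response = introspect(token)
    cache.put(token, response)
    return response


class FakeProvider:
    """Constructed stand-in for an OIDC provider's introspection endpoint."""

    def __init__(self, exp: float) -> None:
        self.calls = 0
        self.revoked: set = set()
        self._exp = exp

    def introspect(self, token: str) -> Dict[str, Any]:
        self.calls += 1
        if token == "tok-alice" and token not in self.revoked:
            return {"active": True, "sub": "alice", "exp": self._exp}
        return {"active": False}


def revocation_window(ttl: int) -> Dict[str, Any]:
    """Show what the cache does when a token is revoked mid-TTL: the 'active'
    flag seen at each step and how often the provider was actually called."""
    now = [1_000_000.0]                       # constructed wall clock, in seconds
    provider = FakeProvider(exp=now[0] + 3600)
    cache = IntrospectionCache(ttl=ttl, clock=lambda: now[0])
    seen: Dict[str, Any] = {}
    seen["first"] = cached_introspect(cache, provider.introspect, "tok-alice")["active"]
    now[0] += 1
    seen["second"] = cached_introspect(cache, provider.introspect, "tok-alice")["active"]
    provider.revoked.add("tok-alice")         # token revoked at the provider
    now[0] += 1
    seen["after_revoke"] = cached_introspect(cache, provider.introspect, "tok-alice")["active"]
    now[0] += max(ttl, 1)                     # move past the TTL window
    seen["after_ttl"] = cached_introspect(cache, provider.introspect, "tok-alice")["active"]
    seen["provider_calls"] = provider.calls
    return seen


if __name__ == "__main__":
    print("ttl=300:", revocation_window(300))
    print("ttl=0:  ", revocation_window(0))
```

With `ttl=300` the revoked token is still reported active on the request one second after revocation and only flips to inactive once the entry has aged out, which is exactly the window the thread describes; with `ttl=0` every request reaches the provider and revocation is seen immediately. The cache is per process, so, as noted in the closing comment, an in-memory cache like this (or cachetools) does not give consistent behaviour across a fleet of workers; a shared store with the same TTL and `exp` capping would be needed there.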