OPENAM-14838: Trusted JWT issuer cache is refreshed inefficiently affecting other lookups

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: oauth2

      Description

      Bug description

      The identity cache in IdentityUtils utilizes:

                      .refreshAfterWrite(Duration.ofMinutes(10))
      

      which in JavaDoc quite clearly states:

      As the default implementation of {@link CacheLoader#reload} is synchronous, it is
      recommended that users of this method override {@link CacheLoader#reload} with an asynchronous
      implementation; otherwise refreshes will be performed during unrelated cache read and write
      operations.

      The #reload method is not implemented in AMIdentitySearchCacheLoader, which means that unrelated read and write operations can take significantly longer (especially because of OPENAM-14834).

      How to reproduce the issue

      No exact steps for this one, probably just run a performance test with JWT bearer grant using many trusted JWT issuers in a single realm.

      Expected behaviour

      Either #reload is implemented, or we don't use refreshAfterWrite.

      Current behaviour

      refreshAfterWrite is used (unclear why it was needed), without an asynchronous reload implementation.

      We should investigate whether this cache is really helpful, and if we could implement performant lookups differently.
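
The first option under "Expected behaviour", sketched as an added example (not OpenAM code and not taken from this issue): a loader whose reload hands the refresh to an executor, so a read that hits an entry due for refresh gets the old value back instead of waiting. It assumes the cache is a Guava LoadingCache, which the quoted JavaDoc matches; IssuerLoader, slowLookup and the pool size are hypothetical stand-ins, since AMIdentitySearchCacheLoader's source is not shown here.

```java
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.ListenableFuture;
import com.google.common.util.concurrent.ListenableFutureTask;
import java.time.Duration;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class AsyncReloadExample {
    // Hypothetical stand-in for the slow identity search; not OpenAM code.
    static String slowLookup(String issuer) throws InterruptedException {
        Thread.sleep(500);
        return "identity-for-" + issuer + "@" + System.nanoTime();
    }

    static class IssuerLoader extends CacheLoader<String, String> {
        private final ExecutorService refreshPool;

        IssuerLoader(ExecutorService refreshPool) { this.refreshPool = refreshPool; }

        @Override
        public String load(String issuer) throws Exception {
            // A cache miss still blocks the caller that asked for the key.
            return slowLookup(issuer);
        }

        @Override
        public ListenableFuture<String> reload(String issuer, String oldValue) {
            // Run the refresh on the pool and return immediately; the cache
            // keeps serving oldValue until the returned future completes.
            ListenableFutureTask<String> task =
                    ListenableFutureTask.create(() -> slowLookup(issuer));
            refreshPool.execute(task);
            return task;
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2); // assumed size
        LoadingCache<String, String> cache = CacheBuilder.newBuilder()
                .refreshAfterWrite(Duration.ofMillis(200)) // short, for the demo
                .build(new IssuerLoader(pool));
        cache.get("issuer-a");           // initial load, blocks on slowLookup
        Thread.sleep(300);               // entry is now eligible for refresh
        long start = System.nanoTime();
        String value = cache.get("issuer-a"); // triggers reload on the pool
        System.out.printf("read of %s took %d ms%n",
                value, (System.nanoTime() - start) / 1_000_000);
        pool.shutdown();                 // lets the in-flight refresh finish
    }
}
```

Guava also provides CacheLoader.asyncReloading(loader, executor), which wraps an existing loader the same way without a subclass.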

            People

            • Assignee: Unassigned
            • Reporter: peter.major Peter Major [X] (Inactive)