  1. OpenAM
  2. OPENAM-16840

High volume of client credential grants causes issues for CTS grant sets


    Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 6.5.0, 6.5.1, 6.5.2
    • None
    • CTS, oauth2
    • 65

      Description

      Enabling the grant-set storage scheme in AM (Configure > Global Services > OAuth2 Provider > CTS Storage Scheme) can cause CTS performance issues when there are high volumes of tokens issued via client credential grant.

      With client credential grant, all tokens for a single OAuth2 client will be added to a single grant set entry in CTS, because the subject and client are the same entity. See, for example, the multiple coreTokenMultiString03 entries in the following grant set:

       

      dn: coreTokenId=61wPG4n2acz9erZQjHFPHGvgPTQ,ou=famrecords,ou=openam-session,ou=tokens
      objectClass: frCoreToken
      objectClass: top
      coreTokenExpirationDate: 20200924100041.454Z
      coreTokenId: 61wPG4n2acz9erZQjHFPHGvgPTQ
      coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.5LNonEibOWuXHAH3lOi2vrQLBfo","gx":1600941558525,"_s":["accounts"],"gt":[]}
      coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.wa3Hn3Lz_wKZGhD8XzpfejyG_1I","gx":1600941578533,"_s":["accounts"],"gt":[]}
      coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.LMn-T_w5c6dFJR9NETRudg4gvzs","gx":1600941579590,"_s":["accounts"],"gt":[]}
      coreTokenString03: testclient
      coreTokenString08: /test
      coreTokenString09: testclient
      coreTokenType: OAUTH2_GRANT_SET

       

      The coreTokenExpirationDate is updated for each token added: when there is a steady flow of tokens, this means that the grant set will keep growing without being reaped. This in turn causes performance issues and replication delays in CTS.
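
      An operator-side check for the growth described above, added here as an example and not taken from the issue or from AM's code: it reads an LDIF export of CTS, counts the coreTokenMultiString03 values held by each OAUTH2_GRANT_SET entry, and reports how many of those grants are already past their own "gx" time while the entry itself is still unexpired. Assumptions: "gx" is a per-grant expiry in epoch milliseconds, the LDIF is unfolded and not base64-encoded, and parse_entries, grant_set_report, scan and max_grants are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Entry copied from the issue, one attribute per line (objectClass lines omitted).
SAMPLE_LDIF = """\
dn: coreTokenId=61wPG4n2acz9erZQjHFPHGvgPTQ,ou=famrecords,ou=openam-session,ou=tokens
coreTokenExpirationDate: 20200924100041.454Z
coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.5LNonEibOWuXHAH3lOi2vrQLBfo","gx":1600941558525,"_s":["accounts"],"gt":[]}
coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.wa3Hn3Lz_wKZGhD8XzpfejyG_1I","gx":1600941578533,"_s":["accounts"],"gt":[]}
coreTokenMultiString03: {"g":"61wPG4n2acz9erZQjHFPHGvgPTQ.LMn-T_w5c6dFJR9NETRudg4gvzs","gx":1600941579590,"_s":["accounts"],"gt":[]}
coreTokenType: OAUTH2_GRANT_SET
"""

def parse_entries(ldif):
    """Split unfolded LDIF into entries: {attribute: [values, ...]}."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def grant_set_report(entry, now, max_grants=1000):
    """Summarise one grant set; max_grants is a hypothetical alert threshold."""
    grants = [json.loads(v) for v in entry.get("coreTokenMultiString03", [])]
    expires = datetime.strptime(entry["coreTokenExpirationDate"][0],
                                "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    now_ms = now.timestamp() * 1000
    # Assumption: "gx" is the grant's own expiry in epoch milliseconds.
    stale = [g["g"] for g in grants if g["gx"] < now_ms]
    return {
        "dn": entry["dn"][0],
        "grants": len(grants),
        "stale_grants": len(stale),      # past "gx" but still stored in the entry
        "entry_expired": expires <= now,  # False means the reaper will not remove it yet
        "oversized": len(grants) > max_grants,
    }

def scan(ldif, now, max_grants=1000):
    """Report every OAUTH2_GRANT_SET entry in an LDIF export."""
    return [grant_set_report(e, now, max_grants) for e in parse_entries(ldif)
            if e.get("coreTokenType") == ["OAUTH2_GRANT_SET"]]

if __name__ == "__main__":
    when = datetime(2020, 9, 24, 9, 59, 30, tzinfo=timezone.utc)
    for row in scan(SAMPLE_LDIF, when, max_grants=2):
        print(row)
```
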

       

       


            People

            Unassigned Unassigned
            christian.brindley@forgerock.com Christian Brindley
            Votes: 3
            Watchers: 18
