[OPENAM-14838] Trusted JWT issuer cache is refreshed inefficiently affecting other lookups
Created: 29/Apr/19
Updated: 25/Jun/20

Status: Open
Project: OpenAM
Component/s: oauth2
Affects Version/s: 7.0.0
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Peter Major [X] (Inactive)
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: AME
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:

 Description   

Bug description

The identity cache in IdentityUtils utilizes:

                .refreshAfterWrite(Duration.ofMinutes(10))

which in JavaDoc quite clearly states:

As the default implementation of {@link CacheLoader#reload} is synchronous, it is recommended that users of this method override {@link CacheLoader#reload} with an asynchronous implementation; otherwise refreshes will be performed during unrelated cache read and write operations.

The #reload method is not implemented in AMIdentitySearchCacheLoader, which means that unrelated read and write operations can take significantly longer (especially because of OPENAM-14834).

How to reproduce the issue

No exact steps for this one, probably just run a performance test with JWT bearer grant using many trusted JWT issuers in a single realm.

Expected behaviour

Either #reload is implemented, or we don't use refreshAfterWrite.

Current behaviour

refreshAfterWrite is used (unclear why it was needed), without asynchronous reload implementation.

We should investigate whether this cache is really helpful, and if we could implement performant lookups differently.
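
The effect described above, as an added example that is not OpenAM code: it times the read that triggers a refresh, first with a loader that leaves reload() at its synchronous default and then with the same loader wrapped in CacheLoader.asyncReloading. It assumes the cache is built with Guava's CacheBuilder (the source of the quoted JavaDoc); SlowIssuerLoader, the 300 ms delay, the 100 ms refresh interval and the issuer URL are constructed for illustration.

```java
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.time.Duration;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added example; the class names here are hypothetical, not OpenAM classes.
public class RefreshAfterWriteDemo {

    // Stand-in for a slow identity search (constructed: 300 ms per lookup).
    static class SlowIssuerLoader extends CacheLoader<String, String> {
        @Override
        public String load(String issuer) throws Exception {
            Thread.sleep(300);
            return "identity-for-" + issuer;
        }
        // reload() is not overridden: the default calls load() on the reading thread.
    }

    // Returns how long (ms) the read that triggers a refresh is blocked.
    static long timeStaleRead(CacheLoader<String, String> loader) throws Exception {
        LoadingCache<String, String> cache = CacheBuilder.newBuilder()
                .refreshAfterWrite(Duration.ofMillis(100)) // 10 minutes in the report; shortened here
                .build(loader);
        cache.get("https://issuer.example"); // initial load, always blocking
        Thread.sleep(150);                   // entry is now eligible for refresh
        long start = System.nanoTime();
        cache.get("https://issuer.example"); // this read triggers the refresh
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            long sync = timeStaleRead(new SlowIssuerLoader());
            // asyncReloading runs reload() on the executor, so the reader
            // gets the previous value back without waiting for the search.
            long async = timeStaleRead(
                    CacheLoader.asyncReloading(new SlowIssuerLoader(), pool));
            System.out.println("stale read, default reload: " + sync + " ms");
            System.out.println("stale read, async reload:   " + async + " ms");
        } finally {
            pool.shutdown(); // lets the in-flight background reload finish
        }
    }
}
```

With the default reload the stale read waits for the full lookup; with the async wrapper it returns the cached value while the lookup runs on the executor.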


Generated at Mon Nov 30 14:16:24 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.