-
Notifications
You must be signed in to change notification settings - Fork 480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Oauth2 Middleware scalability limit and resilience issues with code grant flow and token storage #2635
Comments
This should be a blocker to make the components stable (#2621 and #2622) However, I don't think we should persist the tokens anywhere, as that requires a data store and to query the data store on every request. Instead, we should issue our own JWT, which is a bearer token so can be verified by Dapr without querying a database. The JWT will contain the token issued by the OAuth2 server and will be encrypted (JWE) in case the token issued by the server contains confidential information. |
I started to comment here and then saw your link. I will comment on the PR. |
Final one is #2967 as for splitting, we can’t do that because the 4KB limit is per-domain. regarding safety, the tokens are stored in cookies as encrypted JWTs |
Got it. I saw my question/comment were all addressed in the PR. |
Expected Behavior
Oauth2 Middleware should scale to multiple instances without the use of request affinity. It should also be resilient to restarts.
Actual Behavior
Oauth2 Middleware uses in-memory session state to store information during auth code grant flow and to store the client token at the end of authorization. This requires requests to always return to the same instance of the dapr sidecar and offers no resilience in the case of a restart of the daprd instance.
Steps to Reproduce the Problem
For scale:
For resilience:
Proposals
Use cookies instead of session state to store data during auth code grant flow and the client token.
Enable session state to be stored in a cache (Redis, etc).
Release Note
RELEASE NOTE: FIX Oauth2 Middleware resilient storage of client token
The text was updated successfully, but these errors were encountered: