Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removal of Token Persistence #1664

Closed
chamilaadhi opened this issue Mar 28, 2023 · 26 comments
Closed

Removal of Token Persistence #1664

chamilaadhi opened this issue Mar 28, 2023 · 26 comments
Assignees
@dushaniw
Labels
4.3.0-alpha 4.3.0 Affected/APIM-4.2.0 Component/APIM Docs/Has Impact Type/NewFeature
Milestone
4.3.0-Alpha

Comments

@chamilaadhi
Copy link

chamilaadhi commented Mar 28, 2023
edited
Loading

Problem

Current API-M deployments utilize JWT access tokens since the required number of queries for the validation is much lesser than the opaque tokens. But due to the following use cases, a reference called the JTI is persisted at the token table for each generated access token.

  • To revocate an access token before the actual expiry time.
  • To use refresh token in refresh-grant flow

In large-scale deployments of WSO2 API Manager, this can cause a bottleneck in the persistence layer and result in reduced TPS for token generation. This can negatively impact the overall performance of the deployment. A solution is needed to improve TPS for token generation in these high-load scenarios.

Solution

The proposed solution aims to improve token management by removing the persistence of tokens in the database.
@chamilaadhi chamilaadhi self-assigned this Mar 28, 2023
@chamilaadhi
Copy link
Author

chamilaadhi commented Mar 28, 2023
edited by dushaniw
Loading

Initial POC was done by Dushani and it is documented in https://docs.google.com/document/d/1Owp_Ams5Y_xLX0xFk2t50rFCeNxL0T6CxIs4ITHTMc4/edit#

Following areas need to be handled

  • Access Token Generation
  • Refresh Token Generation
  • Refresh Token Grant Type related changes
  • Handling Revocation Token Endpoint
  • Token Validation
  • Revocations due to internal events

This was referenced Mar 30, 2023
Closed
Closed
Closed
Closed
@chamilaadhi
Copy link
Author

Following are the PRs for Identitiy repo containing newly introduced interfaces

Access Token Generation wso2-extensions/identity-inbound-auth-oauth#2041
Refresh Token Generation wso2-extensions/identity-inbound-auth-oauth#2042
Refresh Token Grant Type related changes wso2-extensions/identity-inbound-auth-oauth#2043

@chamilaadhi chamilaadhi mentioned this issue Apr 3, 2023
Closed
19 tasks
@chamilaadhi
Copy link
Author

Interface and code refactor for revoke flow wso2-extensions/identity-inbound-auth-oauth#2044

@chamilaadhi
Copy link
Author

Add new component for keymanager extension to add new code repo wso2-extensions/apim-km-wso2is#96

@chamilaadhi
Copy link
Author

New DB is introduced to store persistence related data

  CREATE TABLE IF NOT EXISTS AM_INVALID_TOKENS (
     UUID VARCHAR(255) NOT NULL,
     SIGNATURE VARCHAR(2048) NOT NULL,
     CONSUMER_KEY VARCHAR(255) NOT NULL,
     TOKEN_TYPE VARCHAR(15) NOT NULL,
     TIME_CREATED TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
     EXPIRY_TIMESTAMP BIGINT NOT NULL,
     PRIMARY KEY (UUID)
  ) ENGINE=InnoDB;

Need to add the following datasource in deployment.toml to point to this

  [[datasource]]
  id = "WSO2_PERSISTENCE_DB"
  url = "jdbc:mysql://localhost:3306/invalid_token_db?useSSL=false"
  username = "root"
  password = "Admin123"
  driver = "com.mysql.jdbc.Driver"
  validationQuery = "SELECT 1"
  pool_options.validationInterval = "30000"
  pool_options.defaultAutoCommit = "true"
  pool_options.maxActive = "50"
  pool_options.maxWait = "60000"
  pool_options.testOnBorrow = "true"

Add db util to access new db wso2-extensions/apim-km-wso2is#97

This was referenced Apr 11, 2023
Closed
Closed
Closed
@chamilaadhi
Copy link
Author

identity-inbound-auth-oauth repo prs for master branch with new interfaces
wso2-extensions/identity-inbound-auth-oauth#2054
wso2-extensions/identity-inbound-auth-oauth#2055
wso2-extensions/identity-inbound-auth-oauth#2056

@chamilaadhi
Copy link
Author

initial implementation for apim keymanager connectors wso2-extensions/apim-km-wso2is#100

@chamilaadhi
Copy link
Author

Add mechanism to handle existing opaque refresh tokens during refresh token grant flow. New refresh token will be generated as JWT token. PR related wso2-extensions/apim-km-wso2is#101

@chamilaadhi
Copy link
Author

In APIM, portals work with opaque tokens. This needs to be changed to JWT tokens. Currently, JWT tokens are not supported when invoking product APIs. JWT based implementation is introduced to Choreo but is not working with APIM. Currently working on getting this to work with APIM

@chamilaadhi
Copy link
Author

chamilaadhi commented Apr 20, 2023
edited
Loading

Set the product apis to work with JWT tokens wso2/carbon-apimgt#11976

With the above change, we need to increase the maxHttpHeaderSize in the catalina-server.xml. We need to increase this because the refresh token is sent as a JWT and without this, following error is thrown when login in to the publisher

    [2023-04-20 13:11:50,731] ERROR - Http11Processor Error processing request
    org.apache.coyote.http11.HeadersTooLargeException: An attempt was made to write more data to the response headers than there was room available in the buffer. Increase maxHttpHeaderSize on the connector or write less data into the response headers.
        at org.apache.coyote.http11.Http11OutputBuffer.checkLengthBeforeWrite(Http11OutputBuffer.java:473) ~[tomcat_9.0.70.wso2v1.jar:?]
        at org.apache.coyote.http11.Http11OutputBuffer.write(Http11OutputBuffer.java:426) ~[tomcat_9.0.70.wso2v1.jar:?]

Increase the maxHttpHeaderSize using following

    [transport.https.properties]
    maxHttpHeaderSize = "12288"

@chamilaadhi
Copy link
Author

Add cleanup mechanism to remove expired tokens wso2-extensions/apim-km-wso2is@386ee33

Created a doc with instruction on setting up https://docs.google.com/document/d/16uISJGhspJfQ31iYaAflwdoNNSRbJABbEdsBpt7EaII/edit

@dushaniw dushaniw mentioned this issue May 4, 2023
Closed
17 tasks
@dushaniw dushaniw mentioned this issue Jun 8, 2023
Merged
@dushaniw dushaniw assigned dushaniw and unassigned chamilaadhi Jun 8, 2023
@dushaniw
Copy link
Contributor

dushaniw commented Sep 6, 2023

2023.11.06
Fixed the PR review comments in wso2-extensions/identity-inbound-auth-oauth#2091

@Lakith-Rambukkanage Lakith-Rambukkanage mentioned this issue Sep 11, 2023
Closed
@dushaniw
Copy link
Contributor

dushaniw commented Sep 18, 2023
edited
Loading

Following are the remaining tasks of the feature.

  • Fix PR comments
  • Create design outline doc
  • Handle token introspection
  • Handle userinfo endpoint
  • Handle indirect revocations in refresh grant and token revocation
  • Refactor connector code
  • Analyze impact of oauth2 tokens | Competitor analysis
  • Handle oauth tokens parallely with a config
  • Refactor gateway validation code
  • Move connector code to IS connector
  • Smoke test
  • Performance tests

@Lakith-Rambukkanage Lakith-Rambukkanage mentioned this issue Oct 3, 2023
Merged
@dushaniw
Copy link
Contributor

dushaniw commented Nov 4, 2023
edited
Loading

Task List Updated as of 2023.11.04

✅ Check whether app updates, delete are revoking tokens in default IS case and non persistence case
🕐 Test scenarios in the Testing CheckList

  • Add java doc comments
  • Refactor lakith’s APIM code
  • Connect with APIM code
  • Test IS-KM scenario + backend JWT
  • Refactor APIM code changes
  • Define unit test cases
  • Define integration test cases
  • Prepare doc for IS discussion
  • Prepare doc for code review
  • Write unit test cases
  • Write integration test cases
  • Prepare and test db scripts for all databases

To be discussed

  • Handle tenant delete events for token revocation

Testing Checklist

Tested scenarios
✅ Internal user event for revocation + introspection
✅ Internal consumer app event for revocation + introspection
✅ Access token generation - password + client cred grants
✅ Refresh token generation - password grant
✅ Refresh grant handler basic scenarios
✅ Consented claim in refresh and access token generation + userinfo endpoint
✅ Refresh grant handler - error path for access token
✅ Refresh token (valid, invalid) + introspection endpoint
✅ Refresh grant handler - revoked refresh token
✅ Authorization code grant handler basic scenarios
✅ Token revocation direct access token + introspection + userinfo endpoint
✅ Token revocation direct refresh token + introspection + userinfo endpoint
✅ Internal userevent for revocation + client cred grant token + introspection endpoint
✅ Internal consumer app event for revocation + client cred grant token + introspection endpoint

TODO

  • Refresh grant handler - renew existing token = false
  • Refresh grant handler - opaque refresh token
  • Authorization code grant consented claim + userinfo endpoint
  • Authorization code grant cache behavior
  • Authorization code grant with id token
  • Implicit grant basic scenarios with consented claim + userinfo endpoint
  • Implicit grant basic scenarios with id token
  • Token introspection for opaque refresh tokens
  • Token revocation for opaque refresh tokens
  • Federated user + auth code grant + introspection + userinfo
  • JWT Bearer grant
  • SAML Bearer grant

This was referenced Nov 14, 2023
Merged
Merged
Merged
Merged
Open
@nandika nandika added this to the 4.3.0-M1 milestone Nov 16, 2023
@dushaniw
Copy link
Contributor

dushaniw commented Dec 18, 2023
edited
Loading

The pending and in-progress items of the task are as follows for the current scope :

Once kernel and identity versions are bumped in latest carbon-apimgt following needs to be done :

  • Merge carbon-apimgt related PR from Lakith
  • Test API-M portals with token persistence removal
  • Fix API-M portal client side to maintain the indirect revoked token event map

@npamudika npamudika modified the milestones: 4.3.0-M1, 4.3.0-Alpha Jan 17, 2024
@npamudika npamudika added 4.3.0-alpha and removed 4.3.0-M1 4.3.0 M1 Milestone labels Jan 17, 2024
@dushaniw
Copy link
Contributor

dushaniw commented Jan 26, 2024
edited
Loading

Backporting feature for IS 6.1 related identity branches.

This was referenced Jan 26, 2024
Closed
Merged
Merged
Merged
@dushaniw
Copy link
Contributor

dushaniw commented Feb 26, 2024
edited
Loading

The PRs for the feature has been merged. The bugs found while further testing needs to be fixed. There tracked in TokenPersistenceRemoval bugs for token persistence removal

Will close the issue once the doc PR is merged

@dushaniw dushaniw added Resolution/Done Label to assign when specific task is done when there is no particular fix, but an action to be done Docs/Has Impact and removed Resolution/Done Label to assign when specific task is done when there is no particular fix, but an action to be done labels Feb 26, 2024
@dushaniw dushaniw mentioned this issue Mar 5, 2024
Merged
@tharikaGitHub tharikaGitHub modified the milestone: 4.3.0-Alpha Mar 6, 2024
@tharikaGitHub
Copy link
Member

Closing as the task is completed.

@dushaniw dushaniw mentioned this issue Mar 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dushaniw dushaniw

Labels
4.3.0-alpha 4.3.0 Affected/APIM-4.2.0 Component/APIM Docs/Has Impact Type/NewFeature
Projects
None yet
Milestone
4.3.0-Alpha
Development

No branches or pull requests
6 participants
@nandika @chamilaadhi @npamudika @tharikaGitHub @dushaniw @Lakith-Rambukkanage