Unnecessary retrieval of SessionContextData due to improper cache handling #23149

Open
mifrazmurthaja opened this issue Feb 19, 2025 · 0 comments · May be fixed by wso2-extensions/identity-inbound-auth-oauth#2734
@mifrazmurthaja
Description

Currently, the cacheEntry is not added to the cache after retrieval from the DB in multiple places, such as [1][2][3] (there are several other places). Due to this, specifically [1] and [2], the following issues are observed.

  1. Subsequent calls to this method trigger another DB retrieval, before adding it to the cache, at [4].

  2. The entry is added to the cache regardless of whether a cache entry already exists at [4]. This results in updating the cache even when a valid entry is present, triggering a Hazelcast cluster invalidation message. Consequently, the cache is removed from other nodes, leading to a high number of DB retrievals in a clustered environment. You can observe this by performing OIDC flows on a 2-node cluster as follows.

    • Complete OIDC flow on Node 1 (cache created).
    • Complete OIDC flow on Node 2 (cache created).
    • Complete OIDC flow on Node 1 (cache updated → triggers cache invalidation message to Node 2).
    • Complete OIDC flow on Node 2 (cache is invalidated → DB retrieval occurs again).

Alternatively, you can perform the full OIDC flow on a single node but switch only the Token call between nodes to observe the same behaviour for authorization grant cache against the token.

This causes a high number of executions for the following query, which also retrieves a BLOB object. Hence, we need to minimize the execution of this query as much as possible.
SELECT * FROM (SELECT OPERATION, SESSION_OBJECT, TIME_CREATED FROM IDN_AUTH_SESSION_STORE WHERE SESSION_ID =:1 AND SESSION_TYPE=:2 ORDER BY TIME_CREATED DESC) WHERE ROWNUM < 2

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/AuthorizationGrantCache.java#L124
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/AuthorizationGrantCache.java#L180
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v7.0.26/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/device/cache/DeviceAuthorizationGrantCache.java#L89
[4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v7.0.26/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L563

Steps to Reproduce

Explained above

Version

6.1.0

Environment Details (with versions)

No response
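
The 2-node sequence described in the issue can be reproduced with a small model. This is an added example, not code from the issue or from the WSO2 code base: the `Cluster` class, the flow functions, the `session-1` key and the two lookups per flow are constructed, and it assumes, following the issue's step list, that only overwriting an existing entry broadcasts an invalidation.

```python
LOOKUPS_PER_FLOW = 2  # constructed: lookups of the same entry within one flow

class Cluster:
    """Two-node model: per-node local caches over one shared session store."""

    def __init__(self, nodes=2):
        self.store = {"session-1": "SessionContextData"}  # constructed sample row
        self.caches = [{} for _ in range(nodes)]
        self.db_reads = 0
        self.invalidations = 0

    def db_get(self, key):
        self.db_reads += 1  # stands in for the IDN_AUTH_SESSION_STORE query
        return self.store[key]

    def cache_put(self, node, key, value):
        updating = key in self.caches[node]
        self.caches[node][key] = value
        if updating:  # assumption: only an update broadcasts an invalidation
            self.invalidations += 1
            for i, cache in enumerate(self.caches):
                if i != node:
                    cache.pop(key, None)

def flow_current(cluster, node, key):
    """Behaviour described in the issue."""
    for _ in range(LOOKUPS_PER_FLOW):
        value = cluster.caches[node].get(key)
        if value is None:
            value = cluster.db_get(key)  # result is not written back to the cache
    cluster.cache_put(node, key, value)  # unconditional put at the end of the flow

def flow_fixed(cluster, node, key):
    """Populate the cache on a miss; put only when no entry is cached."""
    for _ in range(LOOKUPS_PER_FLOW):
        value = cluster.caches[node].get(key)
        if value is None:
            value = cluster.db_get(key)
            cluster.cache_put(node, key, value)  # create, so no broadcast
    if key not in cluster.caches[node]:
        cluster.cache_put(node, key, value)

def simulate(flow, node_sequence=(0, 1, 0, 1)):
    """Run one flow per listed node; return (db_reads, invalidations)."""
    cluster = Cluster()
    for node in node_sequence:
        flow(cluster, node, "session-1")
    return cluster.db_reads, cluster.invalidations
```

For the four-flow sequence above, `simulate(flow_current)` counts 6 store reads and 1 invalidation, while `simulate(flow_fixed)` counts 2 reads and none.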
