Fix performance issue with external identity provider lookup [OIDC]
strehle opened this issue · 2 comments
What version of UAA are you running?
Develop, latest UAA
What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?
How are you deploying the UAA?
I am deploying the UAA
- locally only using gradlew
- using a bosh release I downloaded from bosh.io
- using cf-release
- using cf-deployment
What did you do?
- Add many external SAML or OIDC providers to an identity zone (> 10,000)
- Perform a SAML / OIDC login
- Check login times / DB metrics
What did you expect to see? What goal are you trying to achieve with the UAA?
Login < 1s , without memory and/or DB issues
What did you see instead?
With SAML there are memory issues, with OIDC mainly DB issues.
Why:
- SAML delegates the lookup from entityID (external key of the SAML assertion) to spring-security-saml, and in UAA there is a cache, but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all SAML providers from the DB and then resolves the needed one from the SAML message (entityID).
- OIDC is similar: readAll and filter in code, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthProviderConfigurator.java#L153-L158
This readAll pattern should be prevented and the identity_provider DB table should have a field like external_key (type string) with an index on it. This should solve the lookup from external token to UAA IdP.
external_key should contain entityID in case of SAML and issuer in case of OIDC/OAUTH.
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/187412158
The labels on this github issue will be updated when the story is started.
@hsinn0 see #2825 (comment)
I will start on a fix soon, plan is:
a) add externalKey as new column into identity_provider
b) add index for externalKey and zone_id to allow a lookup from a token to the IDP.
-> externalKey is the issuer in case of OIDC and should be entityID in case of SAML
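The following SQL is an added illustration of the change proposed in the issue body and in the fix plan above: replace the "read all providers for the zone, filter in code" pattern with a zone-scoped point lookup on an indexed external key. It is not UAA's own migration or query code. The table name identity_provider comes from the issue; the column names identity_zone_id, active, origin_key, type and config, the column length, the index name and the type values are assumptions for this example and may differ from UAA's actual schema.

```sql
-- Added example, not UAA project code. Assumed column names and types.

-- 1. New column holding the SAML entityID or the OIDC/OAuth issuer,
--    as proposed in the issue (one value per provider).
ALTER TABLE identity_provider
    ADD COLUMN external_key VARCHAR(1024);

-- 2. Composite index, zone first, so the login-time lookup is an index
--    probe instead of a full scan of every provider in the zone.
--    Assumed index name; uniqueness is left non-unique here because the
--    issue does not decide whether two providers may share an issuer.
CREATE INDEX idx_identity_provider_zone_external_key
    ON identity_provider (identity_zone_id, external_key);

-- 3. The pattern the issue wants to retire (shown for contrast):
--    fetch every provider of the zone, then match issuer/entityID in Java.
--    Cost grows linearly with the number of providers (> 10,000 in the report).
-- SELECT * FROM identity_provider WHERE identity_zone_id = :zone_id;

-- 4. Replacement for OIDC / OAuth: resolve the IdP for an incoming id_token
--    directly from its iss claim. Bind parameters are labelled :zone_id and
--    :issuer (assumed parameter style). Type values are assumed.
SELECT id, origin_key, type, config
  FROM identity_provider
 WHERE identity_zone_id = :zone_id
   AND external_key     = :issuer
   AND type IN ('oidc1.0', 'oauth2.0')
   AND active = TRUE;

-- 5. Same shape for SAML, keyed by the assertion's issuer / metadata entityID.
SELECT id, origin_key, type, config
  FROM identity_provider
 WHERE identity_zone_id = :zone_id
   AND external_key     = :entity_id
   AND type = 'saml'
   AND active = TRUE;
```

Two points a reviewer would check when this lands: the column must be backfilled from the existing provider config (entityID for SAML, issuer for OIDC/OAuth) before the code path switches to it, otherwise every existing provider silently stops matching; and the lookup must always carry the zone id in the predicate, since an issuer string is only meaningful within a zone and an unscoped match could resolve a token against a provider from a different zone.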