cloudfoundry/uaa

Fix performance issue with external identity provider lookup [OIDC]

strehle opened this issue · 2 comments

What version of UAA are you running?

Develop, latest UAA

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

How are you deploying the UAA?

I am deploying the UAA

  • locally only using gradlew
  • using a bosh release I downloaded from bosh.io
  • using cf-release
  • using cf-deployment

What did you do?

  1. Add many external SAML or OIDC to an identity zone ( > 10.000)
  2. Perform a SAML / OIDC login
  3. Check login times / DB metrics

What did you expect to see? What goal are you trying to achieve with the UAA?

Login < 1s, without memory and/or DB issues

What did you see instead?

With SAML there are memory issues, with OIDC mainly DB issues.
Why:

This read-all pattern should be prevented, and the identity_provider DB should have a field like external_key (type string) with an index on it. This should solve the lookup from external token to UAA IdP.
External_key should contain the entityID in case of SAML and the issuer in case of OIDC/OAUTH.

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187412158

The labels on this github issue will be updated when the story is started.

@hsinn0 see #2825 (comment)
I will start on a fix soon; the plan is:
a) add externalKey as new column into identity_provider
b) add index for externalKey and zone_id to allow a lookup from a token to the IDP.

-> externalKey is the issuer in case of OIDC and should be the entityID in case of SAML
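To make the difference between the two lookup strategies concrete, here is an added example (not code from the UAA project or from the issue author) that models the problem in SQLite: a simplified identity_provider table whose OIDC issuer / SAML entityID sits inside a JSON config blob, the read-all lookup that has to fetch and parse every provider in the zone, and the proposed fix of a backfilled external_key column with an index on (identity_zone_id, external_key). The table layout, column names, index name and the JSON keys are assumptions for this illustration; the sample providers are constructed.

```python
import json
import sqlite3

# Hypothetical, simplified model of UAA's identity_provider table.
# Column names and the JSON layout of `config` are assumptions for this example.
SCHEMA = """
CREATE TABLE identity_provider (
    id               TEXT PRIMARY KEY,
    identity_zone_id TEXT NOT NULL,
    origin_key       TEXT NOT NULL,
    type             TEXT NOT NULL,   -- 'oidc1.0' or 'saml'
    config           TEXT NOT NULL,   -- JSON blob; issuer / entityID live inside it
    external_key     TEXT             -- proposed column: issuer (OIDC) or entityID (SAML)
);
"""

INDEX_NAME = "idx_identity_provider_zone_external_key"  # assumed name


def build_db(n_oidc, zone_id="uaa"):
    """In-memory DB with n_oidc constructed OIDC providers plus one SAML provider in one zone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    for i in range(n_oidc):
        cfg = {"issuer": f"https://issuer-{i}.example.test", "relyingPartyId": f"client-{i}"}
        rows.append((f"id-{i}", zone_id, f"oidc-{i}", "oidc1.0", json.dumps(cfg)))
    saml_cfg = {"entityID": "https://idp.example.test/saml"}  # constructed SAML IdP
    rows.append(("id-saml", zone_id, "saml-demo", "saml", json.dumps(saml_cfg)))
    conn.executemany(
        "INSERT INTO identity_provider (id, identity_zone_id, origin_key, type, config) "
        "VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def external_key_of(type_, config):
    """Derive the proposed external_key: issuer for OIDC, entityID for SAML."""
    if type_ == "oidc1.0":
        return config.get("issuer")
    if type_ == "saml":
        return config.get("entityID")
    return None


def lookup_read_all(conn, zone_id, external_key):
    """The read-all pattern: fetch every provider in the zone and parse each config in memory.
    Returns (rows_scanned, matching origin_key or None)."""
    cur = conn.execute(
        "SELECT origin_key, type, config FROM identity_provider WHERE identity_zone_id = ?",
        (zone_id,),
    )
    scanned, match = 0, None
    for origin_key, type_, config in cur:
        scanned += 1
        if external_key_of(type_, json.loads(config)) == external_key:
            match = origin_key  # keep going: nothing guarantees the key is unique
    return scanned, match


def migrate_external_key(conn):
    """One-off backfill of external_key from the JSON config, then index (zone, external_key)."""
    rows = conn.execute("SELECT id, type, config FROM identity_provider").fetchall()
    conn.executemany(
        "UPDATE identity_provider SET external_key = ? WHERE id = ?",
        [(external_key_of(t, json.loads(c)), i) for i, t, c in rows],
    )
    conn.execute(f"CREATE INDEX {INDEX_NAME} ON identity_provider (identity_zone_id, external_key)")
    conn.commit()


def lookup_indexed(conn, zone_id, external_key):
    """Indexed lookup: the DB returns only matching rows. Returns a list of origin keys."""
    cur = conn.execute(
        "SELECT origin_key FROM identity_provider WHERE identity_zone_id = ? AND external_key = ?",
        (zone_id, external_key),
    )
    return [r[0] for r in cur]


def lookup_uses_index(conn):
    """Verify the planner actually uses the index for the token-to-IdP query (EXPLAIN QUERY PLAN)."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT origin_key FROM identity_provider "
        "WHERE identity_zone_id = ? AND external_key = ?",
        ("uaa", "x"),
    ).fetchall()
    return any(INDEX_NAME in row[-1] for row in plan)


if __name__ == "__main__":
    db = build_db(2000)
    print("read-all:", lookup_read_all(db, "uaa", "https://issuer-1500.example.test"))
    migrate_external_key(db)
    print("indexed: ", lookup_indexed(db, "uaa", "https://issuer-1500.example.test"))
    print("uses index:", lookup_uses_index(db))
```

The read-all variant scans every provider in the zone (and parses every config) no matter which issuer the incoming token names, which is the DB and memory cost the issue describes; after the migration the same lookup is a single index probe on (identity_zone_id, external_key). Two details worth keeping in mind when doing this for real: the backfill must be idempotent and run once per provider, and the lookup should return a list rather than assume uniqueness, since nothing in the schema prevents two providers in one zone from sharing an issuer or entityID.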