Envoy: Add JWT cache

Created on 14 Aug 2020  路  7Comments  路  Source: envoyproxy/envoy

Title:
Add token cache for the jwt authentication.

Description
JWT verification adds a significant latency. So it's better to have token cache: to cache the tokens with their verification results. Currently, jwt_authn filter only has jwks cache [1].

[1] https://github.com/envoyproxy/envoy/blob/a42a67773c74dc288c960563f21b6d89eb19fa6e/source/extensions/filters/http/jwt_authn/filter_config.h#L23

arejwt_authn help wanted
Source
picture AmaliMatharaarachchi

Most helpful comment

Hi @AmaliMatharaarachchi, Are you working on this issue? If not then I would like to take up this.

picture mk46 on 6 Oct 2020
👍2

All 7 comments

It is a reasonable request. Thanks

qiwzhang picture qiwzhang on 14 Aug 2020
👍1

Hi @AmaliMatharaarachchi, Are you working on this issue? If not then I would like to take up this.

mk46 picture mk46 on 6 Oct 2020
👍2

@mk46 No, I'm not working on it. Thanks, please take it.

AmaliMatharaarachchi picture AmaliMatharaarachchi on 7 Oct 2020

@qiwzhang Could you please suggest where to start? Similar to jwks_cache.h/cc

mk46 picture mk46 on 3 Dec 2020

The easier way is to add token cache feature into JwksCache class.
The the class name may be confusing, we could rename it to "Cache".

Add two functions:

 void addTokenResult(const string& token, const TokenResult& token_result);
 bool findTokenResult(const string& token,  TokenResult& result);

class TokenResult, may need to store
token payload, payStruct, etc. for successful token, or failure status

qiwzhang picture qiwzhang on 3 Dec 2020

@qiwzhang Thanks!. I've some quick questions.

The easier way is to add token cache feature into JwksCache class.
The the class name may be confusing, we could rename it to "Cache".

Add two functions:

 void addTokenResult(const string& token, const TokenResult& token_result);
 bool findTokenResult(const string& token,  TokenResult& result);

Needs to add in JwksData or in JwksCache class?

class TokenResult, may need to store
token payload, payStruct, etc. for successful token, or failure status

Could we use ::google::jwt_verify::Jwt instead of TokenResult?

mk46 picture mk46 on 7 Dec 2020

1) in JwksData, so it is a per-provider cache. it is fine to separate token cache by provider
2) We could save Jwt struct ( the parsed jwt ) into cache for a good token. For a bad token, we also need to store Status

Thanks

qiwzhang picture qiwzhang on 7 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dstrelau picture dstrelau  路  3Comments
karthequian picture karthequian  路  3Comments
ghost picture ghost  路  3Comments
anatolebeuzon picture anatolebeuzon  路  3Comments
jmillikin-stripe picture jmillikin-stripe  路  3Comments