Improve introspection cache #567

Merged
merged 8 commits into from
Aug 27, 2024


sprudel
Contributor

@sprudel sprudel commented Aug 25, 2024

Main goals of this PR:

  • allow using the introspection cache in axum
  • improve caching behavior by using moka, which is optimized for such scenarios
  • introduce a default TTL in minutes as the access token expiry is not desired from a security perspective

To achieve this I had to remove the Role generic type parameter introduced in #550, as this was incompatible with the type erasure for the IntrospectionCache trait types.
But there are simple ways to achieve the same convenience on library user side.
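
The TTL goal in the description above, sketched as an added example (not code from this PR or the crate, and using a std-only map rather than moka): a cached introspection result is served only while it is younger than both a cache TTL and the token's remaining lifetime, so a token revoked at the identity provider stops being accepted after at most the TTL. The type names, the 15 minute TTL and the 12 hour token lifetime are constructed for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Constructed stand-in for an introspection result (not the crate's type).
#[derive(Clone, Debug, PartialEq)]
pub struct CachedIntrospection {
    pub subject: String,
    /// Remaining lifetime of the access token when it was introspected.
    pub token_expires_in: Duration,
}

/// Hypothetical TTL-bounded cache keyed by the access token.
pub struct TtlIntrospectionCache {
    ttl: Duration,
    entries: HashMap<String, (Instant, CachedIntrospection)>,
}

impl TtlIntrospectionCache {
    pub fn new(ttl: Duration) -> Self {
        Self { ttl, entries: HashMap::new() }
    }

    /// Store a result together with the instant it was obtained.
    pub fn insert(&mut self, token: &str, value: CachedIntrospection, now: Instant) {
        self.entries.insert(token.to_owned(), (now, value));
    }

    /// Hit only while the entry is younger than both the cache TTL and the
    /// token lifetime; otherwise evict so the caller introspects again.
    pub fn get(&mut self, token: &str, now: Instant) -> Option<CachedIntrospection> {
        let (inserted, value) = self.entries.get(token)?;
        let max_age = self.ttl.min(value.token_expires_in);
        if now.duration_since(*inserted) < max_age {
            return Some(value.clone());
        }
        self.entries.remove(token);
        None
    }
}

fn main() {
    let t0 = Instant::now();
    // Constructed values: 15 minute TTL, 12 hour access token.
    let mut cache = TtlIntrospectionCache::new(Duration::from_secs(15 * 60));
    let user = CachedIntrospection { subject: "user-1".into(), token_expires_in: Duration::from_secs(12 * 3600) };
    cache.insert("sample-token", user, t0);
    println!("after 1 min: {:?}", cache.get("sample-token", t0 + Duration::from_secs(60)));
    println!("after 16 min: {:?}", cache.get("sample-token", t0 + Duration::from_secs(16 * 60)));
}
```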

@buehler
Collaborator

buehler commented Aug 26, 2024

Very nice, however: since this will result in a breaking change, I need some kind of description, how users of #550 can work around the removed role feature.

@sprudel
Contributor Author

sprudel commented Aug 26, 2024

@buehler where would you prefer to have such documentation?

it is basically a standard extension trait


```rust
enum Role {
    Admin,
    Client,
}

trait MyExtIntrospectedUser {
    fn role(&self, role: Role) -> Option<..>;
}

impl MyExtIntrospectedUser for IntrospectedUser {
    fn role(&self, role: Role) -> Option<..> {
        // convenience impl here
    }
}
```

@buehler
Collaborator

buehler commented Aug 26, 2024

It would be nice to have this in the docs of the ZitadelExtraTokenFields struct, there where you removed the role generic. As such, I can also include them as the migration path for the breaking change.

…ble with caches

Using a role generic was incompatible with the type erasure
of the introspection cache.
Judging from the discussion in smartive#550
the original intention was to introduce a convenience feature, for library users.
However, the same behaviour can be easily achieved by a simple extension trait,
and does not need to be supported by this crate itself to achieve the same convenience.
As a result, the generic role type parameter is removed.
* don't lock on every request
* use a ttl expiry for better token security
@sprudel sprudel force-pushed the improve-introspection-cache branch from b9a7879 to 664fc32 Compare August 26, 2024 20:35
@sprudel
Contributor Author

sprudel commented Aug 26, 2024

@buehler I added the example both for the IntrospectedUser and ZitadelExtraTokenFields struct

@buehler buehler merged commit 52fb65a into smartive:main Aug 27, 2024
1 check passed