Feature #18347

Cache negative token lookups in federation/OIDC

Added by Peter Amstutz 7 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
-

Description

For client-provided federated tokens, or token that are validated using OIDC:

If the token is ultimately explicitly rejected by the remote, or the remote responds with an unacceptable response (eg claiming the token belongs to a user the cluster doesn't own) or it rejected by OIDC and every other check, it should cache the result for a certain amount of time as a known-bad token. This enables future requests using that token to be rejected quickly avoiding more expensive federated or OIDC lookups. This is a mitigation strategy for badly behaved clients that retry a failed request using the same bad token.

It is important that it does not record negative results when the lookup failed due to communications failures such as 500 errors or timeouts.

History

#1 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)
  • Subject changed from Cache negative token lookups to Cache negative token lookups in federation/OIDC

#2 Updated by Peter Amstutz 7 months ago

  • Target version changed from 2021-11-24 sprint to 2021-12-08 sprint

#3 Updated by Peter Amstutz 6 months ago

  • Target version deleted (2021-12-08 sprint)

Also available in: Atom PDF