Project

General

Profile

Actions

Feature #18347

open

Cache negative token lookups in federation/OIDC

Added by Peter Amstutz about 3 years ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
API
Target version:
Story points:
-
Release:
Release relationship:
Auto

Description

For client-provided federated tokens, or token that are validated using OIDC:

If the token is ultimately explicitly rejected by the remote, or the remote responds with an unacceptable response (eg claiming the token belongs to a user the cluster doesn't own) or it rejected by OIDC and every other check, it should cache the result for a certain amount of time as a known-bad token. This enables future requests using that token to be rejected quickly avoiding more expensive federated or OIDC lookups. This is a mitigation strategy for badly behaved clients that retry a failed request using the same bad token.

It is important that it does not record negative results when the lookup failed due to communications failures such as 500 errors or timeouts.

Actions #1

Updated by Peter Amstutz about 3 years ago

  • Description updated (diff)
  • Subject changed from Cache negative token lookups to Cache negative token lookups in federation/OIDC
Actions #2

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-11-24 sprint to 2021-12-08 sprint
Actions #3

Updated by Peter Amstutz almost 3 years ago

  • Target version deleted (2021-12-08 sprint)
Actions #4

Updated by Peter Amstutz almost 2 years ago

  • Release set to 60
Actions #5

Updated by Peter Amstutz 9 months ago

  • Target version set to Future
Actions

Also available in: Atom PDF