Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable caching of negative introspection responses #523

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -384,6 +384,19 @@ from the cache. In order to avoid cache confusion it is recommended to
set `opts.cache_segment` to unique strings for each set of related
locations.

## Caching of negative Introspection responses

By default `introspection` cache will not store negative responses.
This means that bad actor can potentialy try to exhaust introspection
endpoint by flooding service with a lot of calls with inproper token.
To prevent this situation `opts.introspection_enable_negative_cache`
can be set to `true`. This will enable `introspection` cache to store
negative responses for time defined in `exp` field.
Caching negative introspection responses will offload traffic from
introspection endpoint but also will expose NGINX for resource exhaustion
attacks as storing negative introspection responses will use extra
cache storage.

## Revoke tokens

The `revoke_tokens(opts, session)` function revokes the current refresh and access token. In contrast to a full logout, the session cookie will not be destroyed and the endsession endpoint will not be called. The function returns `true` if both tokens were revoked successfully. This function might be helpful in scenarios where you want to destroy/remove a session from the server side.
Expand Down
15 changes: 13 additions & 2 deletions lib/resty/openidc.lua
Original file line number Diff line number Diff line change
Expand Up @@ -1780,6 +1780,11 @@ function openidc.introspect(opts)

if v then
json = cjson.decode(v)

if not json or not json.active then
err = "invalid cached token"
end

return json, err
end

Expand Down Expand Up @@ -1810,12 +1815,13 @@ function openidc.introspect(opts)
end
json, err = openidc.call_token_endpoint(opts, introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")


if not json then
return json, err
end

if not json.active then
-- check if negative cache should be in use
local introspection_enable_negative_cache = opts.introspection_enable_negative_cache or false
if not json.active and not introspection_enable_negative_cache then
err = "invalid token"
return json, err
end
Expand All @@ -1824,6 +1830,7 @@ function openidc.introspect(opts)
local introspection_cache_ignore = opts.introspection_cache_ignore or false
local expiry_claim = opts.introspection_expiry_claim or "exp"


if not introspection_cache_ignore and json[expiry_claim] then
local introspection_interval = opts.introspection_interval or 0
local ttl = json[expiry_claim]
Expand All @@ -1839,6 +1846,10 @@ function openidc.introspect(opts)
set_cached_introspection(opts, access_token, cjson.encode(json), ttl)
end

if not json.active then
err = "invalid token"
end

return json, err

end
Expand Down