From df75510717b8f27d66e1dcefc501ead64affb030 Mon Sep 17 00:00:00 2001
From: Steve Hu
Date: Wed, 7 Dec 2022 16:03:10 -0500
Subject: [PATCH] fixes #262 update openapi-security.yml to add jwtCacheFullSize

---
 .../src/main/resources/config/openapi-security.yml | 13 ++++++++++++-
 .../src/test/resources/config/openapi-security.yml | 13 ++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/openapi-security/src/main/resources/config/openapi-security.yml b/openapi-security/src/main/resources/config/openapi-security.yml
index e7323d37..1df84361 100644
--- a/openapi-security/src/main/resources/config/openapi-security.yml
+++ b/openapi-security/src/main/resources/config/openapi-security.yml
@@ -46,9 +46,20 @@ logJwtToken: ${openapi-security.logJwtToken:true} logClientUserScope: ${openapi-security.logClientUserScope:false} # Enable JWT token cache to speed up verification. This will only verify expired time -# and skip the signature verification as it takes more CPU power and long time. +# and skip the signature verification as it takes more CPU power and a long time. If +# each request has a different jwt token, like authorization code flow, this indicator +# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes +# and the cache can grow bigger if the number of requests is very high. This will cause +# memory kill in a Kubernetes pod if the memory setting is limited. enableJwtCache: ${openapi-security.enableJwtCache:true} +# If enableJwtCache is true, then an error message will be shown up in the log if the +# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect +# cache problem if many distinct tokens flood the cache in a short period of time. If +# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache +# or increase the cache full size to a bigger number from the default 100. +jwtCacheFullSize: ${openapi-security.jwtCacheFullSize:100} + # If you are using light-oauth2, then you don't need to have oauth subfolder for public # key certificate to verify JWT token, the key will be retrieved from key endpoint once # the first token is arrived. Default to false for dev environment without oauth2 server diff --git a/openapi-security/src/test/resources/config/openapi-security.yml b/openapi-security/src/test/resources/config/openapi-security.yml index 0424eb23..d01d1c8a 100644 --- a/openapi-security/src/test/resources/config/openapi-security.yml +++ b/openapi-security/src/test/resources/config/openapi-security.yml 
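Review bot: The new comment block above jwtCacheFullSize describes a log-only threshold, so a reader who has just been warned about unbounded cache growth and pod memory kills may assume this setting caps the cache when, as written, it only causes an error message to be logged. The comment should say so explicitly, e.g. `# jwtCacheFullSize is a warning threshold, not a size limit: exceeding it logs an error but does not evict or reject entries` — or, if the implementation does bound the cache at this size, state that instead. The wording also needs a pass: `memory kill in a Kubernetes pod` → `an OOM kill of the Kubernetes pod`, `an error message will be shown up in the log` → `an error will be logged`, `detect cache problem` → `detect cache problems`. Because a cached token is accepted without signature verification until it is removed, operators sizing this value should be told whether the "15 minutes" removal mentioned in the enableJwtCache comment is fixed or configurable; the comment should say which. The test-resource copy in the second hunk (src/test/resources/config/openapi-security.yml) carries the identical text and needs the same changes.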
@@ -40,9 +40,20 @@ logJwtToken: ${openapi-security.logJwtToken:true} logClientUserScope: ${openapi-security.logClientUserScope:false} # Enable JWT token cache to speed up verification. This will only verify expired time -# and skip the signature verification as it takes more CPU power and long time. +# and skip the signature verification as it takes more CPU power and a long time. If +# each request has a different jwt token, like authorization code flow, this indicator +# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes +# and the cache can grow bigger if the number of requests is very high. This will cause +# memory kill in a Kubernetes pod if the memory setting is limited. enableJwtCache: ${openapi-security.enableJwtCache:true} +# If enableJwtCache is true, then an error message will be shown up in the log if the +# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect +# cache problem if many distinct tokens flood the cache in a short period of time. If +# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache +# or increase the cache full size to a bigger number from the default 100. +jwtCacheFullSize: ${openapi-security.jwtCacheFullSize:100} + # If you are using light-oauth2, then you don't need to have oauth subfolder for public # key certificate to verify JWT token, the key will be retrieved from key endpoint once # the first token is arrived. Default to false for dev environment without oauth2 server