Add issuer/scheme mapping middleware to improve authentication perf #287
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hvis en bare optimaliserer rekkefølgen på definering av schemes (f.eks. ha Altinn først i options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
if (context.HttpContext.Items.TryGetValue("IsAuthenticated", out var isAuthenticated) && (bool)isAuthenticated!)
{
context.NoResult();
}
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
context.HttpContext.Items["IsAuthenticated"] = true;
return Task.CompletedTask;
},
}; |
MagnusSandgren
approved these changes
Dec 15, 2023
There was a problem hiding this comment.
Dette var en interessant optimaliseringsøvelse. ConfigurationManager<OpenIdConnectConfiguration> 👈 her lærte jeg noe nytt.
Jeg har gitt deg noen tilbakemeldinger, men ikke av en så graverende sort at det ikke blir approved, så du får velge selv hva du gjør med dem 😃
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/ApplicationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/JwtSchemeSelectorMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/ApplicationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/TokenIssuerCache.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/TokenIssuerCache.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/TokenIssuerCache.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/TokenIssuerCache.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/TokenIssuerCache.cs
Outdated
Show resolved
Hide resolved
src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #212
Blir en exceptions i knyttet til autentisering, fordi en løper sekvensielt gjennom de konfigurerte issuerne en etter en.
Denne PR-en introduserer en mellomvare som lagrer i request context hvilken issuer som er brukt. For hver scheme benyttes OnMessageReceived for å sjekke om oppgitt token-issuer matcher, hvis ikke bailes det før man forsøker å dekode token/sjekke signatur/kaste. Det benyttes en singleton for å cache map mellom schema-navn og issuer (alternativt kan dette hardkodes i konfig).
Uklart om dette er verdt det. Antageligvis vil ID-porten-tokens være i kraftig flertall i prod, etterfulgt av Maskinporten, så Altinn. Så med å definere ID-porten først av de schemaene som registreres vil en muligens optimalisere nok (og slippe all koden i denne PR-en)