-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: rework Tokenserver load tests for local OAuth verification #1357
bug: rework Tokenserver load tests for local OAuth verification #1357
Conversation
@@ -1,20 +0,0 @@ | |||
import functions_framework |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need this file anymore now that we don't use a mock OAuth service for load testing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
As I'm revisiting JWK caching I had a question -- when you ported over the "hardcoded JWK" feature from the python version, did we confirm that tokenserver stage/prod are using it?
Reason I ask is I noticed PyFxA also does at least some caching of verification requests (bbangert mentioned similar clients typically do some caching). Might this caching be sufficient vs the "hardcoding"?
@pjenvey Yeah, the values are set for both stage and prod. If desktop and mobile clients cache their own tokens, I'm guessing most (or at least many) of the requests Tokenserver receives are for never-before-seen OAuth tokens from FxA, which IMO would make caching the JWK worth it. If you want, I can look into the expiry time for tokens granted by FxA and then query the Tokenserver logs to see how many repeated requests we get from a given UID within the expiry timeframe. That should tell us (very roughly) the number of hits we get in the PyFxA cache (although each container will have its own cache, and there's no guarantee that a given user will be sent to the same container twice) |
Description
Now that we're caching FxA's public OAuth JWK on the Rust Tokenserver, OAuth token verification is happening local to Tokenserver: when a JWK is passed in, the PyFxA library verifies tokens locally using PyJWT instead of making requests to FxA's OAuth server. The load tests were previously written under the assumption that tokens were always verified remotely, so this PR adapts them to "forge" valid tokens.
The idea is that we can generate a set of RSA keys, use the public key to be the primary JWK used by Tokenserver for verification, and use the private key to generate OAuth tokens with valid signatures in the load tests.
Testing
I tested this by following the steps in the load testing README and ensuring that each of the test cases passed successfully.