March 15, 2016 at 5:01 pm #8573 Miguel F (Participant)
I’m using OpenAM and implementing OAuth2 “authorization code” grant type to protect Resource Servers.
As far as I’ve seen, OpenAM provides a “token validation” endpoint (/oauth2/tokeninfo) the Resource Servers can call passing the OAuth2 Access Token to check whether this is a valid token or not.
In summary, we expect a high volume of token validation requests, so I’m wondering about the performance / throughput of the aforementioned endpoint. (We expect a high volume of requests per second as our Resource Servers are basically a massive REST API providing access to services.)
1. Is the “token validation” endpoint the only way that OpenAM offers for Resource Servers to validate tokens?
(I have used some implementations that avoid Resource Servers having to access the Authorization Provider token validation endpoint, for instance using OAuth2 Bearer access tokens encrypted using JWT. Be aware I’m not talking about OpenID Connect; I mean encrypting the OAuth2 access token itself so a Resource Server (having the proper keys) can obtain the token information and validate it without the round trip to the Authorization Provider. At the end of the day the OAuth2 spec does not specify how to build the OAuth2 access token. From my point of view, this is a brilliant implementation that some frameworks such as Spring OAuth2 Security provide, because it allows you to use the plain OAuth2 specification (without using OpenID Connect) while avoiding the round trips to the Authorization Provider to validate tokens.)
2. What is the throughput for the OpenAM token validation endpoint?
I know that OpenAM provides high-availability features and clustering so I guess the answer depends on how you scale your OpenAM, but let’s say one node. Just to have an idea.
I would appreciate any help or any experiences you might explain related to this subject.
Thanks so much