feat: flush inactive/expired login and consent requests #2381
Conversation
|
Can you add the charts you had? Just the discussion here, not in git |
Can do, I do have one |
There was a problem hiding this comment.
Thank you, I think this is going in the right direction! I actually have another proposal - we currently have the oauth2 flush endpoint, but I think that's actually a bad pattern. We should probably have a subcommand hydra janitor (or hydra clean) which does what the flush endpoint does today. It would be similar to hydra migrate sql and connect directly to the database. We could then have flags (e.g. --keep-if-younger 30d) which would configure this stuff.
Its a bit of refactoring but since we tackle this anyways in this PR I think it makes sense. If you need some guidance I am happy to help with pointers!
# Conflicts: # oauth2/handler.go
|
@Benehiko good for another 👀 ? |
@aeneasr And when handler removes login/consent requests Other than that most of the small fixes have been done and 2/3 dockertests have been implemented alongside the 3/3 sqlite tests for the cli. |
|
@aeneasr I have refactored the janitor cli. |
Related issue
This is related to the
hydra_oauth2_authentication_requesttable growth #1574 caused by expired/inactive login and consent flows never being purged from the database.Proposed changes
Delete records from
hydra_oauth2_authentication_requestandhydra_oauth2_consent_requesttable which are of no use anymore causing the database growth to occur. This would then still follow thenotAftersafe-guard approach to ensure we don't delete records the user does not want deleted.Add this feature to theoauth2/flushendpoint https://github.com/Benehiko/hydra/blob/7f64e1a503646a3947af5aef9428dbc1b2792a3a/oauth2/handler.go#L520This could also possibly be added to its own endpoint under the login/consent flowsoauth2/auth/flushsince this has to do specifically with login and consent flows rather than oauth2 tokens.https://github.com/Benehiko/hydra/blob/7f64e1a503646a3947af5aef9428dbc1b2792a3a/consent/handler.go#L797
Add this to a
janitorcommand in the CLI which will be a replacement for the currentoauth2/flushendpoint.Checklist
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further comments
Related test run to verify the growth of tables on Hydra:
Before change
This graph shows the growth over time after 200 000 clients have been created and each have tried the login / consent flows.
The failure-rate (number of clients that fail to log in) were set to be 97% which did not make a significant change in the growth over time against a test of successful client logins. The growth in clients created can be ignored as the tests were creating a singular client per login (
hydra_clienttable - yellow). Thehydra_oauth2_authentication_requesttable (purple) has been identified as being a problem table that would grow over time as clients perform the login and consent flows.After change
This graph shows the growth over time after 20 000 clients have been created and each have tried the login / consent flows.
The failure-rate (number of clients that fail to log in) were set to be 97% which did not make a significant change in the growth over time against a test of successful client logins. The growth in clients created can be ignored as the tests were creating a singular client per login (
hydra_clienttable - red). Thehydra_oauth2_authentication_requesttable (light-blue) has been identified as being a problem table that would grow over time as clients perform the login and consent flows.