Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: encode flow in cookie + URL params #3515

Merged
merged 106 commits into from
Jun 12, 2023
Merged

feat: encode flow in cookie + URL params #3515

merged 106 commits into from
Jun 12, 2023

Conversation

hperl
Copy link
Contributor

@hperl hperl commented May 12, 2023
edited
Loading

This PR optimizes the performance of authorization code grant flows by minimizing the number of database queries. We acheive this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.

Breaking changes

  • The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were stared.
  • Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata).

hperl and others added 19 commits May 3, 2023 12:55
@hperl
add benchmarking for auth code flows
e46ad49
@hperl
add benchmark for the auth code flow
f1f0800
@hperl
benchmark just the flow
8a53697
@hperl
add benchmarks
fbbf68c
@alnr
feat: write CPU profile from auth code benchmark
0476224
@alnr
feat: auth code benchmark improvements
739ee7e
@alnr
feat: configurable concurrency in auth code benchmark
e886d0c
@alnr
feat: use ES256 in auth code benchmark
479931e
@hperl
* Caching of JWKs
6f1466a 
* JOIN flows with client
@hperl
fix tests
39196e4
@hperl
* Caching of JWKs
4b1caa7 
* JOIN flows with client
@hperl
add flow cache
fd44c19
@alnr
feat: jaeger tracing in BechmarkAuthCode
9f00fc9
@alnr
Merge remote-tracking branch 'origin/hperl/bench-hydra-auth-code-flow…
bab8e78 
…' into hperl/bench-hydra-auth-code-flow

# Conflicts:
#	internal/testhelpers/oauth2.go
#	oauth2/oauth2_auth_code_bench_test.go
@hperl
update baseline
101e7d9
@hperl
Merge branch 'hperl/bench-hydra-auth-code-flow' of github.com:ory/hyd…
0ae740b 
…ra into hperl/bench-hydra-auth-code-flow
@alnr
fix: calculation of ms/op in BenchmarkAuthCode
d6f1392
@hperl
Merge branch 'hperl/bench-hydra-auth-code-flow' of github.com:ory/hyd…
0c067d5 
…ra into hperl/bench-hydra-auth-code-flow
@hperl
WIP: flow cookie
483f705
@hperl hperl self-assigned this May 12, 2023
@hperl hperl requested a review from aeneasr as a code owner May 12, 2023 14:44
@hperl hperl marked this pull request as draft May 12, 2023 14:46
aeneasr
aeneasr reviewed Jun 7, 2023
View reviewed changes
oauth2/flowctx/flowctx.go Outdated Show resolved Hide resolved
oauth2/flowctx/encoding.go Outdated Show resolved Hide resolved
aead/xchacha20.go Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
persistence/sql/migratest/fixtures/hydra_oauth2_flow/challenge-0005.json Outdated Show resolved Hide resolved
persistence/sql/migrations/20230606112801000001_remove_flow_indices.up.sql Outdated Show resolved Hide resolved
persistence/sql/migrations/20230606112801000001_remove_flow_indices.up.sql Outdated Show resolved Hide resolved
persistence/sql/persister_consent.go Outdated Show resolved Hide resolved
aeneasr
aeneasr reviewed Jun 9, 2023
View reviewed changes
consent/sdk_test.go Outdated Show resolved Hide resolved
consent/sdk_test.go Outdated Show resolved Hide resolved
persistence/sql/migrations/20230606112801000001_remove_flow_indices.mysql.up.sql Outdated Show resolved Hide resolved
persistence/sql/persister_consent.go Outdated Show resolved Hide resolved
persistence/sql/persister_consent.go Show resolved Hide resolved
persistence/sql/persister_consent.go Show resolved Hide resolved
persistence/sql/persister_consent.go Show resolved Hide resolved
persistence/sql/persister_consent.go Show resolved Hide resolved
oauth2/flowctx/encoding.go Show resolved Hide resolved
persistence/sql/persister_oauth2.go Show resolved Hide resolved
@aeneasr
Copy link
Member

aeneasr commented Jun 9, 2023

@hperl two failing tests atm

@aeneasr
Copy link
Member

aeneasr commented Jun 9, 2023

Since we'll squash merge this anyways, I'll merge master into this branch.

@aeneasr aeneasr merged commit f29fe3a into master Jun 12, 2023
@aeneasr aeneasr deleted the hperl/exp-flow-cookie branch June 12, 2023 18:27
hperl added a commit to ory/kratos that referenced this pull request Jun 14, 2023
@hperl
fix: don't assume the login challenge to be a UUID
d89583d 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 14, 2023
@hperl
fix: don't assume the login challenge to be a UUID
97cb7f2 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 14, 2023
@hperl
fix: don't assume the login challenge to be a UUID
84d14ed 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 14, 2023
@hperl
fix: don't assume the login challenge to be a UUID
388f91a 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 15, 2023
@hperl
fix: don't assume the login challenge to be a UUID
a412d48 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 15, 2023
@hperl
fix: don't assume the login challenge to be a UUID
d716e20 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 15, 2023
@hperl
fix: don't assume the login challenge to be a UUID
028f64e 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 16, 2023
@hperl
fix: don't assume the login challenge to be a UUID
d9efc0a 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 16, 2023
@hperl
fix: don't assume the login challenge to be a UUID
635f50c 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 16, 2023
@hperl
fix: don't assume the login challenge to be a UUID
a7eb0f9 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 16, 2023
@hperl
fix: don't assume the login challenge to be a UUID
ac1bbde 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
hperl added a commit to ory/kratos that referenced this pull request Jun 16, 2023
@hperl
fix: don't assume the login challenge to be a UUID
794ac6a 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
aeneasr pushed a commit to ory/kratos that referenced this pull request Jun 19, 2023
@hperl
fix: don't assume the login challenge to be a UUID (#3317)
3172862 
For compatibility with ory/hydra#3515, which
now encodes the whole flow in the login challenge, we cannot further
assume that the challenge is a UUID.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees

@hperl hperl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hperl @aeneasr @alnr