Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: cpu contention when reading JWKs and suppress generating duplicate JWKs #3883

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

terev
Copy link
Contributor

@terev terev commented Nov 10, 2024

Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set. The read path now doesn't require locking a mutex at all and instead returns valid query results directly. The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.

Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.

Related issue(s)

Fixes #3863

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

This fixes a bug #3876 with the previous attempt to fix this issue .

@terev terev force-pushed the suppress-duplicate-jwk-gen branch 2 times, most recently from 7aa20e9 to 9f23fee Compare November 11, 2024 00:04
@terev terev marked this pull request as ready for review November 11, 2024 00:36
@terev terev requested review from aeneasr, hperl and alnr as code owners November 11, 2024 00:36
…te JWKs

Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set.
The read path now doesn't require locking a mutex at all and instead returns valid query results directly.
The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.
Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.
@terev terev force-pushed the suppress-duplicate-jwk-gen branch from 9f23fee to 4b29aaf Compare November 19, 2024 07:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

GetOrGenerateKeys locking leads to significant service degredation with high request saturation
2 participants