Caching of Introspection Data

Overview

When the Access Token is opaque, the token is not used directly to authorize access to the resource and cannot readily be parsed by the client, unlike a JWT (JSON Web Token), where all the data is self-contained.

To authorize the resource when an opaque Access Token is used, NSX Advanced Load Balancer exchanges the Access Token with the authorization server/IdP (using the introspection endpoint) to receive the introspection data.

Prior to NSX Advanced Load Balancer version 22.1.3, the resource server sent an introspection message for every resource operation to retrieve the Access Token payload (introspection data) and check it against the resource for authorization. This impacts performance because of the extra round trip on every resource access.

To address this performance issue, NSX Advanced Load Balancer version 22.1.3 introduced caching of introspection data for a configured interval. During this interval no introspection message is sent to the introspection endpoint; the cached introspection data is used to authorize the resource instead.

Introspection data is not cached by default. When the interval (introspection_data_timeout) is configured, NSX Advanced Load Balancer caches the data for the smaller of the configured interval and the expiry value present in the introspection data, so cached data never outlives the token's own expiry.

For more information, see Introspection Endpoint (Sections 2.1 and 2.2).
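The caching rule above, modelled as an added example (not NSX Advanced Load Balancer code): the cache lifetime is the smaller of introspection_data_timeout and the time left until the token's "exp" value from the introspection response, and a timeout of 0 disables caching entirely. IntrospectionCache, cache_ttl and fake_endpoint are hypothetical names, and the endpoint responses are constructed.

```python
import hashlib
import time


def cache_ttl(introspection, timeout, now):
    """Seconds to keep an introspection response: 0 (the default) means
    no caching; otherwise the smaller of the configured timeout and the
    seconds left until the token's own "exp" value, when one is present."""
    if timeout <= 0:
        return 0
    exp = introspection.get("exp")
    if exp is None:
        return timeout
    return max(0, min(timeout, exp - now))


class IntrospectionCache:
    """Hypothetical resource-server cache in front of an introspection endpoint."""

    def __init__(self, introspect, timeout, clock=time.time):
        self._introspect = introspect  # callable(token) -> introspection dict
        self._timeout = timeout        # introspection_data_timeout
        self._clock = clock
        self._entries = {}             # sha256(token) -> (expires_at, data)
        self.endpoint_calls = 0        # round trips actually made

    def lookup(self, token):
        # Key on a digest so raw tokens are not retained as dictionary keys.
        key = hashlib.sha256(token.encode()).hexdigest()
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now < entry[0]:
            return entry[1]            # served from cache, no round trip
        self._entries.pop(key, None)
        data = self._introspect(token)
        self.endpoint_calls += 1
        ttl = cache_ttl(data, self._timeout, now)
        if ttl > 0:
            # Caveat: until expires_at, a token revoked at the IdP still
            # authorizes here, so the timeout bounds revocation latency.
            self._entries[key] = (now + ttl, data)
        return data


def fake_endpoint(token):
    """Constructed stand-in for the IdP introspection endpoint."""
    if token == "opaque-token-1":
        return {"active": True, "sub": "alice", "scope": "read", "exp": 1005}
    return {"active": False}
```

With the constructed token above and a timeout of 10, the entry is cached for only 5 seconds because the token expires at 1005.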

Note: In NSX Advanced Load Balancer version 22.1.3, caching of introspection data can be configured only through the CLI.

Configuring Introspection Data Timeout

Configure introspection_data_timeout. The introspection_data_timeout field under OAuthResourceServer defines how long introspection data is cached. The default value is zero, which means no caching.
[admin: controller] configure virtualservice okta-test
[admin: controller]:virtualservice> oauth_vs_config
[admin: controller]:virtualservice:oauth_vs_config> oauth_settings index 1
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings> resource_server
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings:resource_server> introspection_data_timeout 10
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings:resource_server> save
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings> save
[admin: controller]:virtualservice:oauth_vs_config> save
[admin: controller]:virtualservice> save
[admin: controller]:>

Related Article

Client and Resource Server for OAuth/OIDC