Details about token purging process

Not applicable

The OAuthV2 Policy documentation describes a configuration setting which can be used to configure when to purge old expired access tokens.

  • How often does this purge run? Daily? Hourly?
  • Does this purge apply to old expired tokens that existed prior to changing the setting?
  • Are there any logs for it?
  • Does it have any sort of throttling mechanism so that the DB isn't overloaded with deletes?
    • For example, if I have a lot of old tokens to delete, can I safely enable this or will it kill Cassandra because it's trying to delete millions of records at once?
  • Does it purge expired client_credentials tokens (which have no refresh token)? (The purge.sh script does not do this)

I've been testing this on a fresh install of OPDK 4.16.09.02. I've generated ~1M tokens which now have expired access/refresh tokens. I've set

oauth.access.token.purge.after.seconds=5

then restarted the MP according to the directions... and nothing seems to be happening. The record count is unchanged, there's no log activity that I've seen.


Not applicable

I think I've managed to reverse engineer this. I'm fairly confident in the answers, but if anyone has more experience or if anyone from Apigee wants to jump in, please do so.

It's using Cassandra's "USING TTL" clause on inserts which has some implications:

How often does this purge run? Daily? Hourly?

It's always going on in the background as part of the standard Cassandra TTL process.

Does this purge apply to old expired tokens that existed prior to changing the setting?

No - those tokens will still have large TTL values. The purge.sh script may be able to help here.

Are there any logs for it?

No.

Does it have any sort of throttling mechanism so that the DB isn't overloaded with deletes?

For example, if I have a lot of old tokens to delete, can I safely enable this or will it kill Cassandra because it's trying to delete millions of records at once?

No, it's an automatic process. If there's more data being expired than the tombstone limit, things may break.

Does it purge expired client_credentials tokens (which have no refresh token)? (The purge.sh script does not do this)

Yes, the records are being cleaned up. It lacks the logic bug that the manual purge script has.
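To make the TTL explanation above concrete, here is an added CQL illustration; it is not from this thread or from Apigee, and it assumes a placeholder keyspace and table (token_ks.access_tokens) with placeholder column names, since the real OPDK schema is not shown on this page.

```sql
-- Added illustration of Cassandra's per-insert TTL; placeholder schema, not Apigee's.
CREATE KEYSPACE IF NOT EXISTS token_ks
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

CREATE TABLE IF NOT EXISTS token_ks.access_tokens (
  token       text PRIMARY KEY,
  client_id   text,
  issued_at   timestamp,
  expires_in  int
);

-- A token written BEFORE oauth.access.token.purge.after.seconds was lowered:
-- the TTL is fixed at write time (here one year), so changing the setting
-- later never touches this row.
INSERT INTO token_ks.access_tokens (token, client_id, issued_at, expires_in)
  VALUES ('old-token-1', 'app-a', '2016-01-01T00:00:00Z', 3600)
  USING TTL 31536000;

-- A token written AFTER the setting is applied carries the short TTL instead.
INSERT INTO token_ks.access_tokens (token, client_id, issued_at, expires_in)
  VALUES ('new-token-1', 'app-a', '2016-10-01T00:00:00Z', 3600)
  USING TTL 5;

-- Check: TTL() returns the remaining seconds for a regular (non-key) column,
-- or null if the row was written without a TTL. The old row keeps its
-- year-scale TTL and stays; the new row stops being returned a few seconds later.
SELECT token, TTL(client_id) FROM token_ks.access_tokens WHERE token = 'old-token-1';
SELECT token, TTL(client_id) FROM token_ks.access_tokens WHERE token = 'new-token-1';

-- Nothing logs these expirations: expired cells become tombstones and are
-- physically removed later during compaction, which is why there is no
-- purge job to throttle and no activity to look for in the MP logs.
```

The "tombstone limit" the reply refers to corresponds to Cassandra's tombstone_warn_threshold and tombstone_failure_threshold settings in cassandra.yaml: a read that has to scan more expired cells than the failure threshold is aborted, so a large mass of expiring rows is a read-path risk rather than a write-path one.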

With regard to the purge settings for https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#purge

"Only tokens generated after these settings are applied are affected; the settings do not apply to tokens that were generated earlier."

Is there a sanctioned cql script to purge tokens that have expired beyond your updated settings? We've got a lot of expired tokens that we'd like to purge, but we're unsure if just deleting them will have adverse side effects.

Where can I find the purge.sh script?