Edge Microgateway OAuth plugin

My understanding of the OAuth micro gateway plugin is that it will call out to edge gateway to validate on first hit but then cache so that subsequent calls will be validated on micro gateway and not have the overhead of going to edge gateway each time. I'm noticing, however, that if I trace the edgemicro-auth proxy on the edge-gateway it gets hit on every call to my local micro gateway. Can you help me understand the OAuth behavior with edge micro gateway?

Thanks

1 ACCEPTED SOLUTION

Former Community Member

Hey Steve, I'm assuming you're talking about API Key verification in the OAuth plugin (OAuth + API keys).

It is true that the API Key is cached in MG after the first call to Edge. But, there are a few factors to be aware of:

When does it cache?

In versions prior to and including v2.5.7, this is controlled by the cache-control header. If it is present with a value not set to 'no-cache', caching will be done.

What about later versions?

We've published v2.5.8-beta today. With this version, you can set caching on the server side (MG) instead of expecting the consumer to send the header. The header method is still preserved for backward compatibility.

How long does it cache?

When an API Key is sent to MG for the first time, it sends a request to Edge. The response from Edge is a JWT token (with an expiry) and the claims within the token are the entitlements the API key has (i.e., which products and proxies it has access to). MG will cache the token for 1 second less than the expiry of the JWT. You can configure the expiry of the JWT in the edgemicro-auth proxy.

But keys are not cached after the first API call

Yes, this is expected behavior. MG spawns as many worker processes as there are CPUs/cores. Each worker process maintains a separate cache. On a 4 core/CPU machine, you will need at least 5 requests before MG uses the API Key cache.


5 REPLIES 5

Thanks very much for this detail. I noticed in our lab environment 8 calls before caching.


Hi Srinandan!

Is the jwt cache enabled by default or is there a property we need to set? I looked in the release notes and the documentation for Edge Microgateway but couldn't find anything about jwt caching.


Best regards

Johan Hammar

Former Community Member

Hey Johan

They should be enabled in 2.5.8. Yes, we’ve not yet updated the docs. In the OAuth stanza, set “cacheKey: true”

FYI: if the property (cacheKey: true) is set and the header (Cache-control: no-cache) is present, the header takes precedence.
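
A small model of the behaviour described in this thread, added as an illustration and not taken from Edge Microgateway's source: one cache per worker, entries kept until one second before the JWT expiry, and a Cache-Control: no-cache header overriding cacheKey: true. The class and function names, the round-robin distribution of requests across workers and the token object are assumptions made for the example.

```javascript
// Added illustration, not Edge Microgateway source. Times are in seconds.
class WorkerCache {
  constructor() { this.entries = new Map(); }   // apiKey -> { token, cacheUntil }
  get(apiKey, now) {
    const e = this.entries.get(apiKey);
    if (e && now < e.cacheUntil) return e.token;
    this.entries.delete(apiKey);                // expired or absent
    return null;
  }
  put(apiKey, token) {
    // Cached for 1 second less than the JWT expiry, as the answer states.
    this.entries.set(apiKey, { token, cacheUntil: token.exp - 1 });
  }
}

// cacheKey: true enables caching server-side; a Cache-Control header, when
// sent, decides instead: 'no-cache' disables, any other value enables.
function cachingEnabled(cacheKey, cacheControl) {
  if (cacheControl !== undefined) return cacheControl !== 'no-cache';
  return cacheKey === true;
}

function simulate({ workers, requests, cacheKey, cacheControl, jwtTtl, step = 1 }) {
  const caches = Array.from({ length: workers }, () => new WorkerCache());
  const useCache = cachingEnabled(cacheKey, cacheControl);
  const trace = [];
  let edgeCalls = 0;
  for (let i = 0; i < requests; i++) {
    const now = i * step;
    const cache = caches[i % workers];          // ASSUMPTION: round-robin dispatch
    if (useCache && cache.get('constructed-key', now)) { trace.push('cache'); continue; }
    edgeCalls++;                                // stands in for the edgemicro-auth call
    const token = { exp: now + jwtTtl };        // constructed JWT stand-in
    if (useCache) cache.put('constructed-key', token);
    trace.push('edge');
  }
  return { edgeCalls, trace };
}

// 4 workers, cacheKey: true, no header: requests 1-4 reach Edge, 5-8 are served from cache.
console.log(simulate({ workers: 4, requests: 8, cacheKey: true, jwtTtl: 300 }).trace.join(' '));
```

With a less even distribution than the assumed round-robin, more requests pass before every worker has cached the key.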