fixes #262 update openapi-security.yml to add jwtCacheFullSize (#263)

stevehu · web-flow · commit ef22d819e3c0 · 2022-12-08T11:20:47.000-05:00
diff --git a/openapi-security/src/main/resources/config/openapi-security.yml b/openapi-security/src/main/resources/config/openapi-security.yml
@@ -46,9 +46,20 @@ logJwtToken: ${openapi-security.logJwtToken:true}
 logClientUserScope: ${openapi-security.logClientUserScope:false}
 
 # Enable JWT token cache to speed up verification. This will only verify expired time
-# and skip the signature verification as it takes more CPU power and long time.
+# and skip the signature verification as it takes more CPU power and a long time. If
+# each request has a different jwt token, like authorization code flow, this indicator
+# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
+# and the cache can grow bigger if the number of requests is very high. This will cause
+# memory kill in a Kubernetes pod if the memory setting is limited.
 enableJwtCache: ${openapi-security.enableJwtCache:true}
 
+# If enableJwtCache is true, then an error message will be shown up in the log if the
+# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
+# cache problem if many distinct tokens flood the cache in a short period of time. If
+# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
+# or increase the cache full size to a bigger number from the default 100.
+jwtCacheFullSize: ${openapi-security.jwtCacheFullSize:100}
+
 # If you are using light-oauth2, then you don't need to have oauth subfolder for public
 # key certificate to verify JWT token, the key will be retrieved from key endpoint once
 # the first token is arrived. Default to false for dev environment without oauth2 server
diff --git a/openapi-security/src/test/resources/config/openapi-security.yml b/openapi-security/src/test/resources/config/openapi-security.yml
@@ -40,9 +40,20 @@ logJwtToken: ${openapi-security.logJwtToken:true}
 logClientUserScope: ${openapi-security.logClientUserScope:false}
 
 # Enable JWT token cache to speed up verification. This will only verify expired time
-# and skip the signature verification as it takes more CPU power and long time.
+# and skip the signature verification as it takes more CPU power and a long time. If
+# each request has a different jwt token, like authorization code flow, this indicator
+# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
+# and the cache can grow bigger if the number of requests is very high. This will cause
+# memory kill in a Kubernetes pod if the memory setting is limited.
 enableJwtCache: ${openapi-security.enableJwtCache:true}
 
+# If enableJwtCache is true, then an error message will be shown up in the log if the
+# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
+# cache problem if many distinct tokens flood the cache in a short period of time. If
+# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
+# or increase the cache full size to a bigger number from the default 100.
+jwtCacheFullSize: ${openapi-security.jwtCacheFullSize:100}
+
 # If you are using light-oauth2, then you don't need to have oauth subfolder for public
 # key certificate to verify JWT token, the key will be retrieved from key endpoint once
 # the first token is arrived. Default to false for dev environment without oauth2 server
