mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 03:07:31 +00:00
perf(oidc): disable push of user token meta-event (#8691)
# Which Problems Are Solved

When executing many concurrent authentication requests on a single machine user, there were performance issues. As the same aggregate is being searched and written to concurrently, we traced it down to a locking issue on the used index. We already optimized the token endpoint by creating a separate OIDC aggregate. At the time we decided to push a single event to the user aggregate, for the user audit log. See [technical advisory 10010](https://zitadel.com/docs/support/advisory/a10010) for more details. However, a recent security fix introduced an additional search query on the user aggregate, causing the locking issue we found.

# How the Problems Are Solved

Add a feature flag which disables pushing of the `user.token.v2.added`. The event has no importance and was only added for informational purposes on the user objects. The `oidc_session.access_token.added` is the actual payload event and is pushed on the OIDC session aggregate and can still be used for audit trail.

# Additional Changes

- Fix an event mapper type for `SystemOIDCSingleV1SessionTerminationEventType`

# Additional Context

- Reported by support request
- https://github.com/zitadel/zitadel/pull/7822 changed the token aggregate
- https://github.com/zitadel/zitadel/pull/8631 introduced user state check

Load test trace graph with `user.token.v2.added` **enabled**. Query times are steadily increasing:

Load test trace graph with `user.token.v2.added` **disabled**. Query times constant:

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
@@ -79,6 +79,13 @@ message SetInstanceFeaturesRequest{
|
||||
description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
|
||||
}
|
||||
];
|
||||
|
||||
optional bool disable_user_token_event = 11 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
example: "true";
|
||||
description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
||||
message SetInstanceFeaturesResponse {
|
||||
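Review bot: The `description` on the new `disable_user_token_event = 11` field only mentions performance and should also state the audit consequence. With the flag set, `user.token.v2.added` is no longer pushed to the user aggregate, so anyone who reads the user audit log for token issuance needs to be pointed at `oidc_session.access_token.added` on the OIDC session aggregate, as the commit message does. Suggest appending a sentence to that effect, and putting the event name in backticks the way the `sid` claim is in the description just above.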
@@ -171,4 +178,11 @@ message GetInstanceFeaturesResponse {
|
||||
description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
|
||||
}
|
||||
];
|
||||
|
||||
FeatureFlag disable_user_token_event = 12 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
example: "true";
|
||||
description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
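Review bot: On `FeatureFlag disable_user_token_event = 12`, the option block is copied from the request field, but this field is a `FeatureFlag` rather than an `optional bool`, so `example: "true"` and the imperative description ("Do not push ...") describe the setter, not the value that is returned. Suggest wording the description as state, for example "If enabled, the `user.token.v2.added` meta-event is not pushed", and checking that the example matches how the other `FeatureFlag` fields in this message document theirs.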
@@ -68,6 +68,13 @@ message SetSystemFeaturesRequest{
|
||||
description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
|
||||
}
|
||||
];
|
||||
|
||||
optional bool disable_user_token_event = 9 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
example: "true";
|
||||
description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
||||
message SetSystemFeaturesResponse {
|
||||
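Review bot: The description on `optional bool disable_user_token_event = 9` does not say what happens when the field is left unset, nor that this is the system-level setting. Because the flag switches off an event that feeds the user audit log, the documentation should state the default and how the system value relates to the instance-level flag of the same name, so an operator can tell which scope they are changing.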
@@ -139,4 +146,11 @@ message GetSystemFeaturesResponse {
|
||||
description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
|
||||
}
|
||||
];
|
||||
|
||||
FeatureFlag disable_user_token_event = 10 [
|
||||
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
||||
example: "true";
|
||||
description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
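Review bot: In the description of `FeatureFlag disable_user_token_event = 10`, the phrase "many concurrent single (machine-)user logins" is hard to parse. Something like "many concurrent logins of the same (machine) user" reads more clearly. The same string is repeated verbatim in all four messages touched by this patch, so the wording fix applies to each copy.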