perf(oidc): optimize the introspection endpoint (#6909)
* get key by id and cache them
* userinfo from events for v2 tokens
* improve keyset caching
* concurrent token and client checks
* client and project in single query
* logging and otel
* drop owner_removed column on apps and authN tables
* userinfo and project roles in go routines
* get oidc user info from projections and add actions
* add avatar URL
* some cleanup
* pull oidc work branch
* remove storage from server
* add config flag for experimental introspection
* legacy introspection flag
* drop owner_removed column on user projections
* drop owner_removed column on user_metadata
* query userinfo unit test
* query introspection client test
* add user_grants to the userinfo query
* handle PAT scopes
* bring triggers back
* test instance keys query
* add userinfo unit tests
* unit test keys
* go mod tidy
* solve some bugs
* fix missing preferred login name
* do not run triggers in go routines, they seem to deadlock
* initialize the trigger handlers late with a sync.OnceValue
* Revert "do not run triggers in go routines, they seem to deadlock"
This reverts commit 2a03da2127
.
* add missing translations
* chore: update go version for linting
* pin oidc version
* parse a global time location for query test
* fix linter complains
* upgrade go lint
* fix more linting issues
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
@@ -15,98 +15,98 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
expectedAppQuery = regexp.QuoteMeta(`SELECT projections.apps5.id,` +
|
||||
` projections.apps5.name,` +
|
||||
` projections.apps5.project_id,` +
|
||||
` projections.apps5.creation_date,` +
|
||||
` projections.apps5.change_date,` +
|
||||
` projections.apps5.resource_owner,` +
|
||||
` projections.apps5.state,` +
|
||||
` projections.apps5.sequence,` +
|
||||
expectedAppQuery = regexp.QuoteMeta(`SELECT projections.apps6.id,` +
|
||||
` projections.apps6.name,` +
|
||||
` projections.apps6.project_id,` +
|
||||
` projections.apps6.creation_date,` +
|
||||
` projections.apps6.change_date,` +
|
||||
` projections.apps6.resource_owner,` +
|
||||
` projections.apps6.state,` +
|
||||
` projections.apps6.sequence,` +
|
||||
// api config
|
||||
` projections.apps5_api_configs.app_id,` +
|
||||
` projections.apps5_api_configs.client_id,` +
|
||||
` projections.apps5_api_configs.auth_method,` +
|
||||
` projections.apps6_api_configs.app_id,` +
|
||||
` projections.apps6_api_configs.client_id,` +
|
||||
` projections.apps6_api_configs.auth_method,` +
|
||||
// oidc config
|
||||
` projections.apps5_oidc_configs.app_id,` +
|
||||
` projections.apps5_oidc_configs.version,` +
|
||||
` projections.apps5_oidc_configs.client_id,` +
|
||||
` projections.apps5_oidc_configs.redirect_uris,` +
|
||||
` projections.apps5_oidc_configs.response_types,` +
|
||||
` projections.apps5_oidc_configs.grant_types,` +
|
||||
` projections.apps5_oidc_configs.application_type,` +
|
||||
` projections.apps5_oidc_configs.auth_method_type,` +
|
||||
` projections.apps5_oidc_configs.post_logout_redirect_uris,` +
|
||||
` projections.apps5_oidc_configs.is_dev_mode,` +
|
||||
` projections.apps5_oidc_configs.access_token_type,` +
|
||||
` projections.apps5_oidc_configs.access_token_role_assertion,` +
|
||||
` projections.apps5_oidc_configs.id_token_role_assertion,` +
|
||||
` projections.apps5_oidc_configs.id_token_userinfo_assertion,` +
|
||||
` projections.apps5_oidc_configs.clock_skew,` +
|
||||
` projections.apps5_oidc_configs.additional_origins,` +
|
||||
` projections.apps5_oidc_configs.skip_native_app_success_page,` +
|
||||
` projections.apps6_oidc_configs.app_id,` +
|
||||
` projections.apps6_oidc_configs.version,` +
|
||||
` projections.apps6_oidc_configs.client_id,` +
|
||||
` projections.apps6_oidc_configs.redirect_uris,` +
|
||||
` projections.apps6_oidc_configs.response_types,` +
|
||||
` projections.apps6_oidc_configs.grant_types,` +
|
||||
` projections.apps6_oidc_configs.application_type,` +
|
||||
` projections.apps6_oidc_configs.auth_method_type,` +
|
||||
` projections.apps6_oidc_configs.post_logout_redirect_uris,` +
|
||||
` projections.apps6_oidc_configs.is_dev_mode,` +
|
||||
` projections.apps6_oidc_configs.access_token_type,` +
|
||||
` projections.apps6_oidc_configs.access_token_role_assertion,` +
|
||||
` projections.apps6_oidc_configs.id_token_role_assertion,` +
|
||||
` projections.apps6_oidc_configs.id_token_userinfo_assertion,` +
|
||||
` projections.apps6_oidc_configs.clock_skew,` +
|
||||
` projections.apps6_oidc_configs.additional_origins,` +
|
||||
` projections.apps6_oidc_configs.skip_native_app_success_page,` +
|
||||
//saml config
|
||||
` projections.apps5_saml_configs.app_id,` +
|
||||
` projections.apps5_saml_configs.entity_id,` +
|
||||
` projections.apps5_saml_configs.metadata,` +
|
||||
` projections.apps5_saml_configs.metadata_url` +
|
||||
` FROM projections.apps5` +
|
||||
` LEFT JOIN projections.apps5_api_configs ON projections.apps5.id = projections.apps5_api_configs.app_id AND projections.apps5.instance_id = projections.apps5_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_oidc_configs ON projections.apps5.id = projections.apps5_oidc_configs.app_id AND projections.apps5.instance_id = projections.apps5_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_saml_configs ON projections.apps5.id = projections.apps5_saml_configs.app_id AND projections.apps5.instance_id = projections.apps5_saml_configs.instance_id` +
|
||||
` projections.apps6_saml_configs.app_id,` +
|
||||
` projections.apps6_saml_configs.entity_id,` +
|
||||
` projections.apps6_saml_configs.metadata,` +
|
||||
` projections.apps6_saml_configs.metadata_url` +
|
||||
` FROM projections.apps6` +
|
||||
` LEFT JOIN projections.apps6_api_configs ON projections.apps6.id = projections.apps6_api_configs.app_id AND projections.apps6.instance_id = projections.apps6_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_oidc_configs ON projections.apps6.id = projections.apps6_oidc_configs.app_id AND projections.apps6.instance_id = projections.apps6_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_saml_configs ON projections.apps6.id = projections.apps6_saml_configs.app_id AND projections.apps6.instance_id = projections.apps6_saml_configs.instance_id` +
|
||||
` AS OF SYSTEM TIME '-1 ms'`)
|
||||
expectedAppsQuery = regexp.QuoteMeta(`SELECT projections.apps5.id,` +
|
||||
` projections.apps5.name,` +
|
||||
` projections.apps5.project_id,` +
|
||||
` projections.apps5.creation_date,` +
|
||||
` projections.apps5.change_date,` +
|
||||
` projections.apps5.resource_owner,` +
|
||||
` projections.apps5.state,` +
|
||||
` projections.apps5.sequence,` +
|
||||
expectedAppsQuery = regexp.QuoteMeta(`SELECT projections.apps6.id,` +
|
||||
` projections.apps6.name,` +
|
||||
` projections.apps6.project_id,` +
|
||||
` projections.apps6.creation_date,` +
|
||||
` projections.apps6.change_date,` +
|
||||
` projections.apps6.resource_owner,` +
|
||||
` projections.apps6.state,` +
|
||||
` projections.apps6.sequence,` +
|
||||
// api config
|
||||
` projections.apps5_api_configs.app_id,` +
|
||||
` projections.apps5_api_configs.client_id,` +
|
||||
` projections.apps5_api_configs.auth_method,` +
|
||||
` projections.apps6_api_configs.app_id,` +
|
||||
` projections.apps6_api_configs.client_id,` +
|
||||
` projections.apps6_api_configs.auth_method,` +
|
||||
// oidc config
|
||||
` projections.apps5_oidc_configs.app_id,` +
|
||||
` projections.apps5_oidc_configs.version,` +
|
||||
` projections.apps5_oidc_configs.client_id,` +
|
||||
` projections.apps5_oidc_configs.redirect_uris,` +
|
||||
` projections.apps5_oidc_configs.response_types,` +
|
||||
` projections.apps5_oidc_configs.grant_types,` +
|
||||
` projections.apps5_oidc_configs.application_type,` +
|
||||
` projections.apps5_oidc_configs.auth_method_type,` +
|
||||
` projections.apps5_oidc_configs.post_logout_redirect_uris,` +
|
||||
` projections.apps5_oidc_configs.is_dev_mode,` +
|
||||
` projections.apps5_oidc_configs.access_token_type,` +
|
||||
` projections.apps5_oidc_configs.access_token_role_assertion,` +
|
||||
` projections.apps5_oidc_configs.id_token_role_assertion,` +
|
||||
` projections.apps5_oidc_configs.id_token_userinfo_assertion,` +
|
||||
` projections.apps5_oidc_configs.clock_skew,` +
|
||||
` projections.apps5_oidc_configs.additional_origins,` +
|
||||
` projections.apps5_oidc_configs.skip_native_app_success_page,` +
|
||||
` projections.apps6_oidc_configs.app_id,` +
|
||||
` projections.apps6_oidc_configs.version,` +
|
||||
` projections.apps6_oidc_configs.client_id,` +
|
||||
` projections.apps6_oidc_configs.redirect_uris,` +
|
||||
` projections.apps6_oidc_configs.response_types,` +
|
||||
` projections.apps6_oidc_configs.grant_types,` +
|
||||
` projections.apps6_oidc_configs.application_type,` +
|
||||
` projections.apps6_oidc_configs.auth_method_type,` +
|
||||
` projections.apps6_oidc_configs.post_logout_redirect_uris,` +
|
||||
` projections.apps6_oidc_configs.is_dev_mode,` +
|
||||
` projections.apps6_oidc_configs.access_token_type,` +
|
||||
` projections.apps6_oidc_configs.access_token_role_assertion,` +
|
||||
` projections.apps6_oidc_configs.id_token_role_assertion,` +
|
||||
` projections.apps6_oidc_configs.id_token_userinfo_assertion,` +
|
||||
` projections.apps6_oidc_configs.clock_skew,` +
|
||||
` projections.apps6_oidc_configs.additional_origins,` +
|
||||
` projections.apps6_oidc_configs.skip_native_app_success_page,` +
|
||||
//saml config
|
||||
` projections.apps5_saml_configs.app_id,` +
|
||||
` projections.apps5_saml_configs.entity_id,` +
|
||||
` projections.apps5_saml_configs.metadata,` +
|
||||
` projections.apps5_saml_configs.metadata_url,` +
|
||||
` projections.apps6_saml_configs.app_id,` +
|
||||
` projections.apps6_saml_configs.entity_id,` +
|
||||
` projections.apps6_saml_configs.metadata,` +
|
||||
` projections.apps6_saml_configs.metadata_url,` +
|
||||
` COUNT(*) OVER ()` +
|
||||
` FROM projections.apps5` +
|
||||
` LEFT JOIN projections.apps5_api_configs ON projections.apps5.id = projections.apps5_api_configs.app_id AND projections.apps5.instance_id = projections.apps5_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_oidc_configs ON projections.apps5.id = projections.apps5_oidc_configs.app_id AND projections.apps5.instance_id = projections.apps5_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_saml_configs ON projections.apps5.id = projections.apps5_saml_configs.app_id AND projections.apps5.instance_id = projections.apps5_saml_configs.instance_id` +
|
||||
` FROM projections.apps6` +
|
||||
` LEFT JOIN projections.apps6_api_configs ON projections.apps6.id = projections.apps6_api_configs.app_id AND projections.apps6.instance_id = projections.apps6_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_oidc_configs ON projections.apps6.id = projections.apps6_oidc_configs.app_id AND projections.apps6.instance_id = projections.apps6_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_saml_configs ON projections.apps6.id = projections.apps6_saml_configs.app_id AND projections.apps6.instance_id = projections.apps6_saml_configs.instance_id` +
|
||||
` AS OF SYSTEM TIME '-1 ms'`)
|
||||
expectedAppIDsQuery = regexp.QuoteMeta(`SELECT projections.apps5_api_configs.client_id,` +
|
||||
` projections.apps5_oidc_configs.client_id` +
|
||||
` FROM projections.apps5` +
|
||||
` LEFT JOIN projections.apps5_api_configs ON projections.apps5.id = projections.apps5_api_configs.app_id AND projections.apps5.instance_id = projections.apps5_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_oidc_configs ON projections.apps5.id = projections.apps5_oidc_configs.app_id AND projections.apps5.instance_id = projections.apps5_oidc_configs.instance_id` +
|
||||
expectedAppIDsQuery = regexp.QuoteMeta(`SELECT projections.apps6_api_configs.client_id,` +
|
||||
` projections.apps6_oidc_configs.client_id` +
|
||||
` FROM projections.apps6` +
|
||||
` LEFT JOIN projections.apps6_api_configs ON projections.apps6.id = projections.apps6_api_configs.app_id AND projections.apps6.instance_id = projections.apps6_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_oidc_configs ON projections.apps6.id = projections.apps6_oidc_configs.app_id AND projections.apps6.instance_id = projections.apps6_oidc_configs.instance_id` +
|
||||
` AS OF SYSTEM TIME '-1 ms'`)
|
||||
expectedProjectIDByAppQuery = regexp.QuoteMeta(`SELECT projections.apps5.project_id` +
|
||||
` FROM projections.apps5` +
|
||||
` LEFT JOIN projections.apps5_api_configs ON projections.apps5.id = projections.apps5_api_configs.app_id AND projections.apps5.instance_id = projections.apps5_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_oidc_configs ON projections.apps5.id = projections.apps5_oidc_configs.app_id AND projections.apps5.instance_id = projections.apps5_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_saml_configs ON projections.apps5.id = projections.apps5_saml_configs.app_id AND projections.apps5.instance_id = projections.apps5_saml_configs.instance_id` +
|
||||
expectedProjectIDByAppQuery = regexp.QuoteMeta(`SELECT projections.apps6.project_id` +
|
||||
` FROM projections.apps6` +
|
||||
` LEFT JOIN projections.apps6_api_configs ON projections.apps6.id = projections.apps6_api_configs.app_id AND projections.apps6.instance_id = projections.apps6_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_oidc_configs ON projections.apps6.id = projections.apps6_oidc_configs.app_id AND projections.apps6.instance_id = projections.apps6_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_saml_configs ON projections.apps6.id = projections.apps6_saml_configs.app_id AND projections.apps6.instance_id = projections.apps6_saml_configs.instance_id` +
|
||||
` AS OF SYSTEM TIME '-1 ms'`)
|
||||
expectedProjectByAppQuery = regexp.QuoteMeta(`SELECT projections.projects4.id,` +
|
||||
` projections.projects4.creation_date,` +
|
||||
@@ -120,10 +120,10 @@ var (
|
||||
` projections.projects4.has_project_check,` +
|
||||
` projections.projects4.private_labeling_setting` +
|
||||
` FROM projections.projects4` +
|
||||
` JOIN projections.apps5 ON projections.projects4.id = projections.apps5.project_id AND projections.projects4.instance_id = projections.apps5.instance_id` +
|
||||
` LEFT JOIN projections.apps5_api_configs ON projections.apps5.id = projections.apps5_api_configs.app_id AND projections.apps5.instance_id = projections.apps5_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_oidc_configs ON projections.apps5.id = projections.apps5_oidc_configs.app_id AND projections.apps5.instance_id = projections.apps5_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps5_saml_configs ON projections.apps5.id = projections.apps5_saml_configs.app_id AND projections.apps5.instance_id = projections.apps5_saml_configs.instance_id` +
|
||||
` JOIN projections.apps6 ON projections.projects4.id = projections.apps6.project_id AND projections.projects4.instance_id = projections.apps6.instance_id` +
|
||||
` LEFT JOIN projections.apps6_api_configs ON projections.apps6.id = projections.apps6_api_configs.app_id AND projections.apps6.instance_id = projections.apps6_api_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_oidc_configs ON projections.apps6.id = projections.apps6_oidc_configs.app_id AND projections.apps6.instance_id = projections.apps6_oidc_configs.instance_id` +
|
||||
` LEFT JOIN projections.apps6_saml_configs ON projections.apps6.id = projections.apps6_saml_configs.app_id AND projections.apps6.instance_id = projections.apps6_saml_configs.instance_id` +
|
||||
` AS OF SYSTEM TIME '-1 ms'`)
|
||||
|
||||
appCols = database.TextArray[string]{
|
||||
|