zitadel/internal/api/grpc
Tim Möhlmann 63d733b3a2
perf(oidc): disable push of user token meta-event (#8691)
# Which Problems Are Solved

When executing many concurrent authentication requests on a single
machine user, there were performance issues. As the same aggregate is
being searched and written to concurrently, we traced it down to a
locking issue on the used index.
We already optimized the token endpoint by creating a separate OIDC
aggregate.

At the time we decided to push a single event to the user aggregate, for
the user audit log. See [technical advisory
10010](https://zitadel.com/docs/support/advisory/a10010) for more
details.

However, a recent security fix introduced an additional search query on
the user aggregate, causing the locking issue we found.

# How the Problems Are Solved

Add a feature flag which disables pushing of the `user.token.v2.added`.
The event has no importance and was only added for informational
purposes on the user objects. The `oidc_session.access_token.added` is
the actual payload event and is pushed on the OIDC session aggregate and
can still be used for audit trail.

# Additional Changes

- Fix an event mapper type for
`SystemOIDCSingleV1SessionTerminationEventType`

# Additional Context

- Reported by support request
- https://github.com/zitadel/zitadel/pull/7822 changed the token
aggregate
- https://github.com/zitadel/zitadel/pull/8631 introduced user state
check

Load test trace graph with `user.token.v2.added` **enabled**. Query
times are steadily increasing:


![image](https://github.com/user-attachments/assets/4aa25055-8721-4e93-b695-625560979909)

Load test trace graph with `user.token.v2.added` **disabled**. Query
times constant:


![image](https://github.com/user-attachments/assets/a7657f6c-0c55-401b-8291-453da5d5caf9)

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-26 13:55:41 +00:00
| Name | Last commit | Date |
| --- | --- | --- |
| action | feat(v3alpha): write actions (#8225) | 2024-07-31 14:42:12 +02:00 |
| admin | feat: Add Twilio Verification Service (#8678) | 2024-09-26 09:14:33 +02:00 |
| auth | fix: user grants deactivation (#8634) | 2024-09-17 12:18:29 +00:00 |
| authn | chore(v2): move to new org (#3499) | 2022-04-26 23:01:45 +00:00 |
| change | refactor(fmt): run gci on complete project (#7557) | 2024-04-03 10:43:43 +00:00 |
| client/middleware | refactor(fmt): run gci on complete project (#7557) | 2024-04-03 10:43:43 +00:00 |
| event | refactor: rename package errors to zerrors (#7039) | 2023-12-08 15:30:55 +01:00 |
| feature | perf(oidc): disable push of user token meta-event (#8691) | 2024-09-26 13:55:41 +00:00 |
| gerrors | fix: exclude db connection error details (#7785) | 2024-04-23 08:35:25 +00:00 |
| idp | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| instance | feat: trusted (instance) domains (#8369) | 2024-07-31 18:00:38 +03:00 |
| management | feat: invite user link (#8578) | 2024-09-11 10:53:55 +00:00 |
| member | refactor: cleanup unused code (#7130) | 2024-01-02 14:26:31 +00:00 |
| metadata | fix(api): correct mapping of metadata queries (#7609) | 2024-03-21 14:56:58 +00:00 |
| object | feat: api v2beta to api v2 (#8283) | 2024-07-26 22:39:55 +02:00 |
| oidc | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| org | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| policy | feat(cnsl): docs link can be customized and custom button is available (#7840) | 2024-05-13 16:01:50 +02:00 |
| project | feat(oidc): token exchange impersonation (#7516) | 2024-03-20 10:18:46 +00:00 |
| resources | feat: user v3 contact email and phone (#8644) | 2024-09-25 13:31:31 +00:00 |
| server | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| session | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| settings | fix: add apple as identity provider type to settings v2 api (#8472) | 2024-09-11 14:26:28 +00:00 |
| system | feat(storage): generic cache interface (#8628) | 2024-09-25 21:40:21 +02:00 |
| text | fix: automatically link user without prompt (#8487) | 2024-08-28 05:33:20 +00:00 |
| user | fix: user grants deactivation (#8634) | 2024-09-17 12:18:29 +00:00 |
| config.go | remove pointers on configs | 2020-03-27 13:57:16 +01:00 |
| fields.go | chore(tests): use a coverage server binary (#8407) | 2024-09-06 14:47:57 +02:00 |
| header_test.go | remove negated integration tags | 2023-04-26 19:55:13 +03:00 |
| header.go | chore(v2): move to new org (#3499) | 2022-04-26 23:01:45 +00:00 |
| probes_test.go | add server reflection to Probes list | 2023-05-07 16:47:43 +02:00 |
| probes.go | add server reflection to Probes list | 2023-05-07 16:47:43 +02:00 |