-
Notifications
You must be signed in to change notification settings - Fork 327
Caching
mod_auth_openidc implements server-side caching across different Apache processes through one of the following options:
-
shared memory (default)
shared across a single logical Apache server running as multiple Apache processes (using mpm_prefork) on the same machine -
memcache
shared across multiple Apache processes and/or servers, possibly across different memcache servers living on different machines -
Redis
shared across multiple Apache processes and/or servers, possibly across different Redis servers living on different machines, with an option for persistency across reboots and upgrades -
file storage
in a temp directory - possibly a shared file system across multiple Apache processes and/or servers
The following information is cached:
- authenticated user session state
- nonce values from authorization requests (to prevent replay attacks)
- validated OAuth 2.0 access tokens
- JWK sets that have been retrieved from jwk_uri's (to validate ID tokens)
- resolved OP metadata when using
OIDCProviderMetadataUrl - JWT ID claims (jti) when using OP-init-SSO draft-bradley-oauth-jwt-encoded-state
For shared memory caching you can configure the number of fixed size slots that are available for caching. As you'll note from the previous section, these slots are used for caching 6 different pieces of information, they're not just for user sessions. The default setting for the maximum number of elements that can be cached simultaneously is 500. The cache will use a Least Recently Used (LRU) strategy for re-using slots if all slots are occupied.
OIDCCacheType shm
OIDCCacheShmMax <number-of-slots>
The size of the cache key is a compiled in setting of 255 bytes. The cache value slot size is 16384 bytes by default and can be configured (with a minimum of 8192 bytes) with the following setting:
OIDCCacheShmEntrySizeMax <bytes>
For memcache based caching you'll need to point the module to the memcache servers that you want to use, as in:
OIDCCacheType memcache
OIDCMemCacheServers (<hostname>[:<port>])+
If no port is specified, the default port 11211 will be used. Notice that if you want to configure multiple servers, you'll need to enclose the whole value in double quotes as in:
OIDCMemCacheServers "memcache-server1 memcache-server2 memcache-server3"
For Redis based caching you'll need to point the module to the Redis server that you want to use, as in:
OIDCCacheType redis
OIDCRedisCacheServer <hostname>[:<port>]
When the port is not specified, the Redis default port 6379 will be used.
For file based caching you'll need to specify the path where the (temporary) files are stored. If it is not specified, the default /tmp will be used. You can also specify the cache clean interval, which defines the minimum interval between cache writes that will be used to go through the cache directory and clean expired cache entries. The default for the cache clean interval is 60 seconds.
OIDCCacheType file
OIDCCacheDir <directory>
OIDCCacheFileCleanInterval <seconds>
For session caching (and only for session caching) there's an option to use client side caching where all session state is encoded in a browser cookie as opposed to the server side caching mechanisms listed above where state is stored server side, by configuring OIDCSessionType:
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie.
# When not defined the default "server-cache" is used.
#OIDCSessionType [server-cache|client-cookie]