To reduce performance issues, caching of introspection data for a configured interval is introduced in NSX Advanced Load Balancer 22.1.3. During this interval, no introspection message is sent to the introspection endpoint. The cached introspection data will be used for authorizing a resource.
In the case of an opaque Access Token, the token is not directly used for authorization of the resources and cannot readily be parsed by the client, unlike a JWT (JSON Web Token), which is a self-contained structure of all data.
To authorize the resource using an opaque Access Token, the resource server exchanges the Access Token with the Authorization server/IDP (using the introspection endpoint) to receive introspection data.
Prior to NSX Advanced Load Balancer 22.1.3, the resource server sends an introspect message for each resource operation to retrieve the Access Token payload (introspection data) and check it against the resource for authorization. In this method, performance is impacted by the extra round trip for every resource access.
In NSX Advanced Load Balancer 22.1.3, the introspection data is not cached by default. When the interval (introspection_data_timeout) is configured, NSX Advanced Load Balancer uses the minimum of the configured value and the expiry value present in the introspection data. For more information, see Introspection Endpoint (Sections 2.1 and 2.2).
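The rule above, modelled as an added Python example (not NSX Advanced Load Balancer code): an entry is kept for the minimum of the configured timeout and the time left until the token's exp, and a token revoked at the authorization server is still authorized from cache until that entry ends. The class and function names, the fake endpoint, the use of seconds as the unit, and the handling of inactive or exp-less responses are assumptions.

```python
import time

class IntrospectionCache:
    """Cache introspection data for min(configured timeout, time until 'exp')."""

    def __init__(self, introspect, timeout, clock=time.time):
        self.introspect = introspect  # callable(token) -> dict, the IdP round trip
        self.timeout = timeout        # plays the role of introspection_data_timeout
        self.clock = clock
        self._entries = {}            # token -> (data, cached_until)

    def _ttl(self, data, now):
        if self.timeout <= 0 or not data.get("active"):
            return 0                  # 0 = no caching; assumption: inactive results are not cached
        exp = data.get("exp")
        if exp is None:               # assumption: without 'exp', use the configured value
            return self.timeout
        return max(0, min(self.timeout, exp - now))

    def lookup(self, token):
        now = self.clock()
        entry = self._entries.get(token)
        if entry and now < entry[1]:
            return entry[0]           # served from cache, no introspection message sent
        self._entries.pop(token, None)
        data = self.introspect(token)
        ttl = self._ttl(data, now)
        if ttl > 0:
            self._entries[token] = (data, now + ttl)
        return data

def simulate(timeout, exp, revoked_at, times):
    """Constructed scenario: returns (IdP call times, 'active' seen by the resource server)."""
    now = [0]
    calls = []
    def fake_idp(token):              # constructed stand-in for the introspection endpoint
        calls.append(now[0])
        return {"active": now[0] < min(exp, revoked_at), "exp": exp}
    cache = IntrospectionCache(fake_idp, timeout, clock=lambda: now[0])
    seen = []
    for t in times:
        now[0] = t
        seen.append(cache.lookup("opaque-token")["active"])
    return calls, seen

if __name__ == "__main__":
    print(simulate(10, 4, 99, [0, 2, 3, 4]))   # exp at t=4 caps the 10 s timeout
    print(simulate(10, 60, 1, [0, 5, 9, 10]))  # revoked at t=1, cached until t=10
```

The second scenario is the trade-off to weigh when choosing the interval: the configured value is also the longest time a revoked token can keep being accepted.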
In NSX Advanced Load Balancer 22.1.3, the configuration for caching of introspection data is supported only through the CLI.
Configuring Introspection Data Timeout
Configure introspection_data_timeout. The introspection_data_timeout field under OAuthResourceServer defines the time for which introspection data is cached. The default value for timeout is 0, which means no caching.
[admin: controller] configure virtualservice okta-test
[admin: controller]:virtualservice> oauth_vs_config
[admin: controller]:virtualservice:oauth_vs_config> oauth_settings index 1
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings> resource_server
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings:resource_server> introspection_data_timeout 10
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings:resource_server> save
[admin: controller]:virtualservice:oauth_vs_config:oauth_settings> save
[admin: controller]:virtualservice:oauth_vs_config> save
[admin: controller]:virtualservice> save
[admin: controller]:>