Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Caching did:web documents, OAuth/OpenID metadata and StatusList2021 #3142

Closed
reinkrul opened this issue May 24, 2024 · 0 comments · Fixed by #3148
Closed

Caching did:web documents, OAuth/OpenID metadata and StatusList2021 #3142

reinkrul opened this issue May 24, 2024 · 0 comments · Fixed by #3148
Milestone

Comments

@reinkrul
Copy link
Member

reinkrul commented May 24, 2024

An OAuth2 authz code flow with 2 OpenID4VP causes AS metadata to be retrieved 4 times and the DID document to be resolved 8 times. Since these are relatively static resources they could be cached quite easily, improving UX (faster flows) and reducing traffic (and access logs).

Relates to:

Suggestion

  • Use HTTP/1.1 Cache Control headers to communicate max-age to the client reading the resource. If parties want to override this, they can do this in their reverse proxy.
  • Don't solve caching in the DID resolver and IAM client, but do this in the HTTP clients used. There are several Go libraries for this (e.g. https://github.com/pquerna/cachecontrol).
    • Since you don't want unbound in-memory caches, you might want a cache per resource type?

Issues:

  • Do we want to prevent clustering issues: e.g. node A having a different version of a resource than node B? Although if the resource server gracefully migrates the endpoint, this shouldn't be an issue?

did:web documents

The did:web method designers somewhat agree that regular HTTP cache control headers are a good direction: w3c-ccg/did-method-web#40

When DID documents are used to store services, long caching times (e.g., a day) could cause unpractical staleness, so caching should be relatively short in that case. That said, parties changing endpoints should always do this by graceful migration: the old endpoint should stay available for a reasonable amount of time. On the other hand, caching DID documents for a minute already reduces the number of resolutions from 8 to 1 for the flow described above.

Suggestion: max-age of 5 minutes by default

OAuth2/OpenID Metadata

The same applies to metadata endpoints.

Suggestion: max-age of 5 minutes by default

StatusList2021

Max. cache time is influenced by the governance, on how fast credentials should be revoked. eIDAS requires CAs to revoke certificates within 4 hours. But as status list is a small resource (since it uses the bit string), it can be refreshed more often than that.

Suggestion: max-age of 5 minutes by default

@reinkrul reinkrul added this to the V6 milestone May 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant